Description
Request Type
Bug - Authentication Bypass Vulnerability
Work Environment
Question | Answer |
---|---|
OS version (server) | RedHat |
OS version (client) | any |
Virtualized Env. | any |
TheHive version / git hash | 4.1.16-1 |
Package Type | Docker |
Database | Cassandra |
Index type | Elasticsearch |
Browser type & version | Chromium |
Problem Description
TheHive 4.1.16-1 is vulnerable to an authentication bypass. An attacker who holds any valid account in the application can log in as any other user, including the administrator, which can lead to a compromise of the application and of every one of its users.
Steps to Reproduce
- Step 1 - Log into the application with valid credentials for any user you control.
- Step 2 - After entering the credentials on the login screen and clicking 'Sign in', intercept the login request in a web proxy tool, e.g. Burp.
- Step 3 - In the request body, change the credentials: as the username, enter the name of any other user that exists in the application, and remove the password value.
- Step 4 - Forward the modified request. The server creates a session for the user named in the modified request, so the identity of any application user can be taken over without knowing that user's password. The only precondition for exploiting the vulnerability is possession of one set of valid credentials; the role of that account does not matter.
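The following is an added example that models the behaviour in steps 1 to 4; it is not TheHive's code. It assumes a JSON login body with `user` and `password` fields, a constructed in-memory user store with sample accounts, and a trivial session table. `tamper()` performs the proxy edit from step 3, `login_vulnerable()` shows a handler that only checks the password when the request carries one (so removing it skips the check), and `login_hardened()` shows the same handler with the check made unconditional.

```python
"""Simplified model of the login flaw reported above (added example, not
TheHive's own code).  Field names, user store and session table are all
assumptions made for illustration."""
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 20_000  # deliberately low so the sample runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample accounts; the passwords are not real credentials.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "admin@thehive.local": _make_user("adm1n-sample-secret"),
    "analyst@thehive.local": _make_user("analyst-sample-secret"),
}
# Dummy entry so an unknown user still costs one hash computation.
_DUMMY = _make_user(secrets.token_hex(8))

SESSIONS: Dict[str, str] = {}  # session token -> authenticated user


def issue_session(user: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def session_user(token: Optional[str]) -> Optional[str]:
    return SESSIONS.get(token) if token else None


def login_body(user: str, password: Optional[str] = None) -> str:
    """Build a login body; password=None omits the key entirely."""
    req = {"user": user}
    if password is not None:
        req["password"] = password
    return json.dumps(req)


def tamper(captured_body: str, victim: str) -> str:
    """Step 3: keep the captured body, swap in the victim's username and
    drop the password value."""
    req = json.loads(captured_body)
    req["user"] = victim
    req.pop("password", None)
    return json.dumps(req)


def login_vulnerable(body: str) -> Optional[str]:
    """Handler with the bypass: the password is verified only when the
    request contains one, so an absent password means no check at all and
    a session is issued for whichever user name was supplied."""
    req = json.loads(body)
    user = req.get("user")
    if user not in USERS:
        return None
    password = req.get("password")
    if password is not None:  # flaw: None is treated as "nothing to verify"
        salt, digest = USERS[user]
        if not hmac.compare_digest(_hash(password, salt), digest):
            return None
    return issue_session(user)


def login_hardened(body: str) -> Optional[str]:
    """Same handler with the check made unconditional: both credentials
    must be present, non-empty strings and the password must verify
    against the stored hash before any session exists."""
    req = json.loads(body)
    user = req.get("user")
    password = req.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    if not user or not password:
        return None
    salt, digest = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest)
    if user not in USERS or not ok:
        return None
    return issue_session(user)


if __name__ == "__main__":
    captured = login_body("analyst@thehive.local", "analyst-sample-secret")
    forged = tamper(captured, "admin@thehive.local")
    print("vulnerable handler, forged request ->", session_user(login_vulnerable(forged)))
    print("hardened handler, forged request   ->", session_user(login_hardened(forged)))
```

Run stand-alone, the vulnerable handler prints the administrator's name for the forged request while the hardened one prints `None`. The hardened variant also hashes a dummy entry for unknown users so that the response time does not reveal whether the username exists.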
Possible Solutions
The login endpoint should reject any request in which the username or the password is missing or empty before any authentication backend is consulted, and a session should be issued only after the supplied password has been verified against the stored credential of the requested user; a missing credential must never be treated as a passed check. Authentication and session management are the first line of defence in front of the private part of the application and need to be implemented correctly.
Complementary information
CWE-287: Improper Authentication https://cwe.mitre.org/data/definitions/287.html
OWASP https://www.owasp.org/index.php/Authentication_Cheat_Sheet