Vivoh Customer FINRA Finds Vulnerability and Verifies Remediation

SECURITY FINDINGS FOR VIVOH

Author: Shubham Agrawal (shubham.agrawal@finra.org)

Improper API Authentication

When a user logs in to the application, a cookie is assigned so that the application can uniquely identify them. Vivoh uses the VIVOH_AUTH cookie for this.

Certain APIs in VIVOH can be executed successfully without proper authentication. This issue lets an attacker impersonate a victim and make state-changing requests on their behalf.

The vulnerable APIs are:

  1. POST, PUT, DELETE requests sent to /api/source/
  2. POST, PUT, DELETE requests sent to /api/rule/
  3. PUT requests sent to /api/config/

Note: This document shows how to reproduce the issue for a POST request to the source API. The remaining HTTP methods and APIs can be reproduced in the same way.

Steps to Reproduce:

  1. Create a new source.

  2. Inspect the newly created source and copy it as curl.

Sample Curl Command:

curl 'https://website.org:8443/api/source/new' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Content-Type: application/json;charset=utf-8' \
  -H 'Origin: https://website.org:8443' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: VIVOH_USERNAME=<insert username>' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  --data-raw '{"url":"https://random-url-curl.com"}' \
  -k

(In the above command, replace the host name and the VIVOH_USERNAME value with those of your environment.)

[Screenshot: request and response from Burp Suite]

  3. Paste the curl command into a terminal. Make sure to send only the VIVOH_USERNAME cookie (remove the VIVOH_AUTH cookie) and observe the success response.

  4. Confirm the result in the UI.

Remediation:

  1. On the server side, check that a valid auth cookie is present in the request.
  2. Invalidate the auth cookie once the user logs out.
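The two remediation points, as an added example that is not Vivoh's code: a minimal Python session check in which the identity behind a state-changing request is taken only from a VIVOH_AUTH value that matches a live server-side session, and logout deletes that session. The SessionStore, requires_auth and handle names and the routing logic are assumptions modelled on the APIs listed in this report.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Server-side map from opaque VIVOH_AUTH token to username (constructed example)."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        token = secrets.token_urlsafe(32)  # unguessable, never derived from the username
        self._sessions[token] = username
        return token

    def logout(self, token):
        # Remediation 2: invalidate the auth cookie once the user logs out,
        # so a captured or replayed VIVOH_AUTH value stops working.
        self._sessions.pop(token, None)

    def lookup(self, token):
        return self._sessions.get(token)


def authenticated_user(headers, store):
    """Remediation 1: the user identity comes only from a VIVOH_AUTH cookie that
    matches a live server-side session. VIVOH_USERNAME is client-controlled and
    is never consulted for authentication."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    auth = jar.get("VIVOH_AUTH")
    return store.lookup(auth.value) if auth is not None else None


def requires_auth(method, path):
    """State-changing APIs listed in the report (hypothetical routing layer)."""
    if method in ("POST", "PUT", "DELETE") and path.startswith(("/api/source/", "/api/rule/")):
        return True
    return method == "PUT" and path.startswith("/api/config/")


def handle(method, path, headers, store):
    """Returns (status, body); a 401 here is the 'unauthenticated' error seen after the fix."""
    if requires_auth(method, path):
        user = authenticated_user(headers, store)
        if user is None:
            return 401, {"error": "unauthenticated"}
        return 200, {"ok": True, "user": user}
    return 200, {"ok": True, "user": None}
```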

The issue was fixed and the fix was verified.

Following are the proofs:

[Screenshot 1] A POST request to /api/source was sent with only the VIVOH_USERNAME cookie, and the server returned an unauthenticated error.

[Screenshot 2] A POST request to /api/source was intercepted, the user logged out of the application, and the request was then forwarded. The response again returned an unauthenticated error.

The fix is verified.