Vivoh Customer FINRA Finds Vulnerability and Verifies Remediation

SECURITY FINDINGS FOR VIVOH

Author: Shubham Agrawal ([email protected])

Improper API Authentication

When a user logs in to the application, a cookie is assigned so they can be uniquely identified by the application. Vivoh uses VIVOH_AUTH cookie to check that. 

Certain APIs in VIVOH can be successfully executed without proper authentication. This issue can let an attacker impersonate as victim and make state changing requests on their behalf.

The vulnerable APIs are:

  1. POST, PUT, DELETE request sent to /api/source/
  2. POST, PUT, DELETE request sent to /api/rule/
  3. PUT request sent to /api/config/

Note: This document shows how to reproduce the POST request issue with source API. The rest of HTTP methods and APIs can be reproduced in the same way.

Steps to Reproduce:

  1. Create a new source.
Graphical user interface, application

Description automatically generated
  1. Inspect the new source created and copy it as curl.

Graphical user interface

Description automatically generated

Sample Curl Command:

curl ‘https://website.org:8443/api/source/new’ -H ‘User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36’ -H ‘Accept: application/json, text/plain, */*’ -H ‘Accept-Language: en-US,en;q=0.5’ –compressed -H ‘Content-Type: application/json;charset=utf-8’ -H ‘Origin: https://website.org:8443’ -H ‘Connection: keep-alive’ -H ‘Cookie: VIVOH_USERNAME=<insert username>’ -H ‘Pragma: no-cache’ -H ‘Cache-Control: no-cache’ –data-raw ‘{“url”:”https://random-url-curl.com”}’ -k

(In the above command change the website name and VIVOH_USERNAME as per your environment.)

Request-Response from BurpSuite:

Graphical user interface, text, application

Description automatically generated

  1. Paste the curl command in a terminal. Make sure to send only VIVOH_USERNAME cookie (remove VIVOH_AUTH cookie) and see the success response.
  1. Confirm the response on UI.
Graphical user interface, application

Description automatically generated

Remediation:

  1. On the server side, check if the valid auth cookie is present in the request.
  2. Invalidate the auth cookie once the user logs out.

The issue was fixed, and verification was done.

Following are the proofs:

In the above screenshot, a POST request to /api/source was sent with only VIVOH_USERNAME cookie and it threw us unauthenticated error.

In the above screenshot, a POST request to /api/source was intercepted, the user logged out of the application, and then the request was passed. We got an error in the response saying unauthenticated.

The fix is verified.

about author

Erik Herz

[email protected]

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.