Describe the bug
Step 1 - Auth-Key logic
In /src/middleware.ts, the withMobileAuth validation function checks only for the presence of the Auth-Key HTTP header; it never validates the value carried in that header, as shown below:
    ...snip...
    export const withMobileAuth = async (req: RequestWithUser) => {
      if (req.headers.get('Auth-Key')) {
        return NextResponse.next();
      }
    ...snip...
Because of this early return, the middleware skips its normal routine of generating the internal user-properties header (g). Next.js nevertheless forwards the request to the endpoint with the client's original headers preserved intact.
Step 2 - User identity validation
In '/src/app/api/mobile/courses/[courseId]/route.ts', the endpoint uses the following logic to read user identity properties:
    ...snip...
    export async function GET(
      request: NextRequest,
      { params }: { params: { courseId: string } },
    ) {
      try {
        const user: { id: string } = JSON.parse(request.headers.get('g') || '');
        const { courseId } = params;
        const userCourseAccess = await checkUserCourseAccess(user.id, courseId);
        if (!userCourseAccess) { ... }
    ...snip...
The endpoint operates under the unsafe assumption that if a request reaches it, the g header context object must have been generated by the trusted upstream middleware. Because nothing checks whether the g header originated from the external client request rather than from the middleware, any user can supply a custom JSON payload naming an enrolled user's ID or an admin ID. The database access subroutine treats this spoofed identity as truth, bypassing the user ID validation check entirely.
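To make the trust boundary concrete, here is an added, self-contained model of Steps 1 and 2 (example code written for this report, not code100x's own middleware or route). It places a vulnerable middleware that mirrors the reported withMobileAuth next to a hardened one, and runs both through a route handler with the same shape as the reported GET. The header map type, the MOBILE_API_KEY constant, the SESSIONS and ENROLMENTS tables and the two sample requests are all constructed for the example; the hardened variant assumes the mobile key is a single configured secret and that identity is resolved from a server-side session rather than from anything the client sends.

```typescript
// Added example (not code100x's code): models the header-trust boundary.
type HeaderMap = Record<string, string>; // header names lowercased

// Constructed: the API key the middleware is supposed to compare Auth-Key against.
const MOBILE_API_KEY = "constructed-mobile-api-key";
// Constructed: server-side session store, bearer token -> user id.
const SESSIONS: Record<string, string> = { "session-token-alice": "user-alice" };
// Constructed: course enrolment table, user id -> course ids.
const ENROLMENTS: Record<string, string[]> = { "user-alice": ["course-1"] };

// Vulnerable variant, mirroring the reported withMobileAuth: any non-empty Auth-Key
// passes, no g header is generated, and every inbound header (including a
// client-supplied g) is forwarded to the route unchanged.
function withMobileAuthVulnerable(inbound: HeaderMap): HeaderMap | null {
  if (inbound["auth-key"]) {
    return { ...inbound };
  }
  return null; // the middleware would answer 401 here
}

// Length-independent comparison so the key check does not leak via timing.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened variant: the internal g header is never accepted from the client, the
// Auth-Key value is actually compared, and identity comes from a server-side session.
function withMobileAuthHardened(inbound: HeaderMap): HeaderMap | null {
  const forwarded: HeaderMap = { ...inbound };
  delete forwarded["g"]; // strip any client-supplied internal header first
  if (!constantTimeEqual(inbound["auth-key"] ?? "", MOBILE_API_KEY)) return null;
  const userId = SESSIONS[inbound["authorization"] ?? ""];
  if (!userId) return null;
  forwarded["g"] = JSON.stringify({ id: userId }); // set only by the middleware
  return forwarded;
}

function checkUserCourseAccess(userId: string, courseId: string): boolean {
  return (ENROLMENTS[userId] ?? []).includes(courseId);
}

// Route handler with the same shape as the reported GET: it trusts g for identity.
// Returns the HTTP status it would send.
function courseRouteGET(forwarded: HeaderMap, courseId: string): number {
  let parsed: unknown;
  try {
    parsed = JSON.parse(forwarded["g"] || "");
  } catch {
    return 401; // missing or malformed g
  }
  const id = (parsed as { id?: unknown } | null)?.id;
  if (typeof id !== "string") return 401;
  return checkUserCourseAccess(id, courseId) ? 200 : 403;
}

// Runs a request through a middleware and then the route, like the Next.js chain.
function handle(
  middleware: (h: HeaderMap) => HeaderMap | null,
  inbound: HeaderMap,
  courseId: string,
): number {
  const forwarded = middleware(inbound);
  return forwarded ? courseRouteGET(forwarded, courseId) : 401;
}

// Constructed request that carries its own g header and an arbitrary Auth-Key value.
const SPOOFED_REQUEST: HeaderMap = {
  "auth-key": "anything",
  g: JSON.stringify({ id: "user-alice" }),
};
// Constructed legitimate request: correct key plus a valid session token, no g.
const LEGIT_REQUEST: HeaderMap = {
  "auth-key": MOBILE_API_KEY,
  authorization: "session-token-alice",
};

// handle(withMobileAuthVulnerable, SPOOFED_REQUEST, "course-1") -> 200 (the bug)
// handle(withMobileAuthHardened, SPOOFED_REQUEST, "course-1")  -> 401
// handle(withMobileAuthHardened, LEGIT_REQUEST, "course-1")    -> 200
// handle(withMobileAuthHardened, LEGIT_REQUEST, "course-2")    -> 403
```

The two fixes that matter are independent and both belong in the middleware: drop any inbound g before doing anything else, so the route only ever sees a value the middleware wrote, and compare the Auth-Key value instead of testing for its presence. Stripping the header at the edge is the more important of the two, because it keeps the route's trust in g correct even if some other early-return path is added to the middleware later.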
To Reproduce
Steps to reproduce the behavior:
See the PoC (a curl command) at:
https://github.com/Jznik/Code100x---Pre-Authentication-User-ID-Validation-Bypass/blob/main/PoC
Expected behavior
The server skips the standard 403 Forbidden response ("User does not have access to this course") and returns the data for the supplied course ID.
Screenshots or GIFs
If applicable, add screenshots to help explain your problem.
Info (please complete the following information):
- Version [e.g. 22]
Couldn't find version number on code100x GitHub repository