Weak Password Requirements in Alovoa/alovoa

Reported on Jun 7th 2021

✍️ Description

It is possible to set a weak password that does not comply with the register form check, which states "Your password needs to be at least 7 characters long and must contain characters and numbers." That check is enforced only on the frontend: if a user bypasses it, a completely weak password can be registered, because the register() method at RegisterService.java:138 saves the password exactly as it arrives in the request, without any prior check on its length or character composition. Note that, by contrast, the email format is validated in the same file before the object is saved.
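For comparison, the following is an added example (not Alovoa's code) of the server-side check that register() could run before userRepo.saveAndFlush(user). It enforces the rule quoted from the register form (at least 7 characters, containing both letters and digits) and also rejects an empty or missing password. The RegisterDto type, the register() stand-in and the sample passwords are assumptions made for the example; only the rule itself comes from the report.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not project code: a server-side password policy matching the
// message shown by the register form. The hypothetical register() below shows
// where such a check belongs relative to userRepo.saveAndFlush(user).
public final class PasswordPolicy {
    public static final int MIN_LENGTH = 7;

    private PasswordPolicy() {}

    /** Returns the violated rules; an empty list means the password is acceptable. */
    public static List<String> check(String password) {
        List<String> problems = new ArrayList<>();
        // A missing or empty password is rejected outright (the report shows
        // registration succeeding with no password at all).
        if (password == null || password.isEmpty()) {
            problems.add("password is missing");
            return problems;
        }
        if (password.length() < MIN_LENGTH) {
            problems.add("shorter than " + MIN_LENGTH + " characters");
        }
        boolean hasLetter = false;
        boolean hasDigit = false;
        for (int i = 0; i < password.length(); i++) {
            char c = password.charAt(i);
            if (Character.isLetter(c)) {
                hasLetter = true;
            } else if (Character.isDigit(c)) {
                hasDigit = true;
            }
        }
        if (!hasLetter) problems.add("contains no letters");
        if (!hasDigit) problems.add("contains no digits");
        return problems;
    }

    public static boolean isAcceptable(String password) {
        return check(password).isEmpty();
    }

    // Hypothetical stand-in for the registration request body.
    static final class RegisterDto {
        final String email;
        final String password;
        RegisterDto(String email, String password) {
            this.email = email;
            this.password = password;
        }
    }

    // Hypothetical stand-in for RegisterService.register(): the policy check runs
    // before anything is persisted, so bypassing the frontend check no longer helps.
    static void register(RegisterDto dto) {
        List<String> problems = check(dto.password);
        if (!problems.isEmpty()) {
            throw new IllegalArgumentException("weak password: " + String.join(", ", problems));
        }
        // ... hash the password, build the user entity ...
        // user = userRepo.saveAndFlush(user);
        System.out.println("registered " + dto.email);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the two from the report ("test" and empty) plus a few more.
        String[] samples = {"test", "", "abcdefgh", "12345678", "abc123", "Str0ngPass1"};
        for (String p : samples) {
            List<String> problems = check(p);
            System.out.printf("%-14s -> %s%n", "\"" + p + "\"", problems.isEmpty() ? "ok" : problems);
        }
        register(new RegisterDto("alice@example.com", "Str0ngPass1"));
        try {
            register(new RegisterDto("bob@example.com", "test"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a Spring application the same rule is more commonly expressed with Bean Validation annotations on the request DTO (for example @NotBlank, @Size(min = 7) and a @Pattern) together with @Valid on the controller parameter; whether Alovoa's request object is structured that way is not something this report shows, so the explicit check above is written to be independent of the framework.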

🕵️‍♂️ Proof of Concept

// RegisterService.java
user = userRepo.saveAndFlush(user);

An example of request made to register a user with password "test":

POST /register HTTP/1.1
Host: alovoa.herokuapp.com
Cookie: JSESSIONID={session}
Content-Length: 219
X-Csrf-Token: ecdc8bf8-74d7-48f0-9189-3f5de8d0ee42
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Origin: https://alovoa.herokuapp.com
Referer: https://alovoa.herokuapp.com/register
Accept-Encoding: gzip, deflate
Accept-Language: es-419,es;q=0.9
Connection: close


The response:

HTTP/1.1 200
Server: Cowboy
Connection: close
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Length: 0
Date: Mon, 07 Jun 2021 05:18:17 GMT
Via: 1.1 vegur

The confirmation email was delivered to the mailbox, so the registration completed. It was even possible to register an account WITHOUT a password:

POST /register HTTP/1.1
Host: alovoa.herokuapp.com
Cookie: JSESSIONID={sessionid}
Content-Length: 229
X-Csrf-Token: 8f810211-9623-41bb-8675-2f99e3b4ed8f
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Origin: https://alovoa.herokuapp.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://alovoa.herokuapp.com/register
Connection: close


💥 Impact

A user could register with a weak (or even empty) password, leaving the account trivially easy to compromise.