Weak Password Requirements in alovoa/alovoa

Valid

Reported on

Jun 7th 2021


✍️ Description

It is possible to set a weak password that does not comply with the register form's check, which states "Your password needs to be at least 7 characters long and must contain characters and numbers." If a user bypasses the frontend checks, they will be able to register a completely weak password, because the method register() at RegisterService.java:138 saves the password as it comes from the request, without any prior check on length or character composition. Note also that the email format is validated in the same file before the object is saved, whereas the password is not.

🕵️‍♂️ Proof of Concept

// RegisterService.java (excerpt from register(), around line 138)
// The password is encoded and persisted exactly as received; no length or
// character-composition check runs before this point.
user.setPassword(passwordEncoder.encode(dto.getPassword()));
user = userRepo.saveAndFlush(user);
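As an added example (not alovoa's code and not its actual fix), the check below enforces the policy the register form states, placed in front of the encode-and-save step shown above so that a request with a short, letters-only or empty password is rejected before anything is persisted. The `PasswordPolicy` class and the `requireStrong` entry point are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;

/** Server-side password policy mirroring the register form's stated rule:
 *  at least 7 characters, and both letters and digits must be present.
 *  Hypothetical helper written for this example, not part of alovoa. */
public final class PasswordPolicy {
    public static final int MIN_LENGTH = 7;

    /** Returns an empty list when the password is acceptable, otherwise
     *  one message per violated rule. A null or empty value is rejected
     *  outright so an account can never be created without a password. */
    public static List<String> violations(String password) {
        List<String> errors = new ArrayList<>();
        if (password == null || password.isEmpty()) {
            errors.add("password must not be empty");
            return errors;
        }
        if (password.length() < MIN_LENGTH) {
            errors.add("password must be at least " + MIN_LENGTH + " characters long");
        }
        boolean hasLetter = false, hasDigit = false;
        for (int i = 0; i < password.length(); i++) {
            char c = password.charAt(i);
            if (Character.isLetter(c)) hasLetter = true;
            else if (Character.isDigit(c)) hasDigit = true;
        }
        if (!hasLetter || !hasDigit) {
            errors.add("password must contain both letters and numbers");
        }
        return errors;
    }

    /** Where the check belongs relative to the report's snippet: call this on
     *  dto.getPassword() before passwordEncoder.encode() and saveAndFlush(). */
    public static void requireStrong(String password) {
        List<String> errors = violations(password);
        if (!errors.isEmpty()) {
            throw new IllegalArgumentException(String.join("; ", errors));
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the two values from the report plus one that passes.
        for (String p : new String[] {"test", "", "s3cur3pass"}) {
            System.out.println("\"" + p + "\" -> " + violations(p));
        }
    }
}
```

The same rule should stay on the frontend for usability, but only the server-side call decides whether the registration proceeds.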

An example of request made to register a user with password "test":

POST /register HTTP/1.1
Host: alovoa.herokuapp.com
Cookie: JSESSIONID={session}
Content-Length: 219
X-Csrf-Token: ecdc8bf8-74d7-48f0-9189-3f5de8d0ee42
X-Requested-With: XMLHttpRequest
Content-Type: application/json
Origin: https://alovoa.herokuapp.com
Referer: https://alovoa.herokuapp.com/register
Accept-Encoding: gzip, deflate
Accept-Language: es-419,es;q=0.9
Connection: close

{"_csrf":"ecdc8bf8-74d7-48f0-9189-3f5de8d0ee42","firstName":"ile","email":"ilebarrionuevo@gmail.com","dateOfBirth":"2005-06-07","password":"test","gender":"2","captchaId":"1","captchaText":"pr2","tos":"on","pp":"on"}

The response:

HTTP/1.1 200
Server: Cowboy
Connection: close
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Length: 0
Date: Mon, 07 Jun 2021 05:18:17 GMT
Via: 1.1 vegur

The confirmation email arrived in the mailbox. It was even possible to register an account WITHOUT a password:

POST /register HTTP/1.1
Host: alovoa.herokuapp.com
Cookie: JSESSIONID={sessionid}
Content-Length: 229
X-Csrf-Token: 8f810211-9623-41bb-8675-2f99e3b4ed8f
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Origin: https://alovoa.herokuapp.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://alovoa.herokuapp.com/register
Connection: close
{"_csrf":"8f810211-9623-41bb-8675-2f99e3b4ed8f","firstName":"pentester","email":"ile_barrionuevo@hotmail.com","dateOfBirth":"1998-06-03","password":"","gender":"2","captchaId":"25","captchaText":"62w","tos":"on","pp":"on"}

💥 Impact

A user could register with a weak (or empty) password and have the account compromised.

Ileana Barrionuevo modified their report
6 months ago
Jamie Slome
6 months ago

Admin


I have reached out to the maintainers via a GitHub Issue and we will await a response from them.

Ileana
6 months ago

Researcher


thanks!

Jamie Slome
6 months ago

Admin


@Ileana - looks like the maintainer has patched on the repository. We will wait for them to mark as valid and confirm the patch.

Jamie Slome validated this vulnerability 6 months ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 76661a 6 months ago
The fix bounty has been dropped
Jamie Slome
6 months ago

Admin


Well done @Ileana! 🎉

Ileana
6 months ago

Researcher


thanks!!