Observable Timing Discrepancy in Login Portal in answerdev/answer
Reported on
Feb 21st 2023
Description
The login portal exhibits an observable discrepancy in response times. When brute forcing email accounts, a request for a valid account takes significantly longer than a request for an invalid one. This is likely caused by the application's use of bcrypt's compare function.
It was also noted that CAPTCHA codes were reusable. The tester made over 1,000 requests with the same CAPTCHA code without receiving an error that the code was invalid. The tester believes this is due to the way the request was intercepted, and that the application temporarily stores the "a_captcha" token value in local browser storage; however, this is not completely clear.
This vulnerability was identified in the Answer application deployed through Docker. Screenshot evidence of the finding is available here - https://themayor.notion.site/Answer-CWE-208-a81897ea892d4101b55675a06e373643
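The following is an added example, not code from answerdev/answer, illustrating both findings above from the defender's side. It contrasts a login check that returns early for unknown emails (the pattern that produces a response-time discrepancy) with one that performs the same expensive comparison against a dummy record whenever the email is unknown, and it shows a CAPTCHA store that discards a code on its first verification attempt so the same code cannot be replayed. The user table, the iterated-SHA-256 stand-in for bcrypt (`slowHash`), and all names and sample values are assumptions made for this example.

```go
// Added example (not answerdev/answer's code): early-return login check
// versus equal-work login check, plus a single-use CAPTCHA store.
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// slowHash is a deliberately expensive stand-in for bcrypt (iterated
// SHA-256). Real code should use bcrypt or argon2; this example only needs
// a comparison that costs measurable time, as bcrypt's compare does.
func slowHash(password, salt []byte, iterations int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

const hashIterations = 200000

type account struct {
	salt []byte
	hash []byte
}

// users is a constructed in-memory user table (assumption for this example).
var users = map[string]account{}

// dummy is a precomputed record verified when the email is unknown, so that
// the unknown-email path does the same work as a real comparison.
var dummy = account{
	salt: []byte("dummy-salt"),
	hash: slowHash([]byte("not-a-real-password"), []byte("dummy-salt"), hashIterations),
}

func register(email, password string) {
	salt := []byte("salt-for-" + email) // constructed; use crypto/rand in real code
	users[email] = account{salt: salt, hash: slowHash([]byte(password), salt, hashIterations)}
}

// verify recomputes the hash and compares it in constant time.
func verify(acct account, password string) bool {
	got := slowHash([]byte(password), acct.salt, hashIterations)
	return subtle.ConstantTimeCompare(got, acct.hash) == 1
}

// loginVulnerable mirrors the pattern behind the reported discrepancy: the
// expensive comparison only runs when the email exists. It returns whether
// the login succeeded and whether the expensive hash was computed at all.
func loginVulnerable(email, password string) (ok bool, hashed bool) {
	acct, found := users[email]
	if !found {
		return false, false // fast path, observable as a shorter response
	}
	return verify(acct, password), true
}

// loginHardened always performs the expensive comparison. For an unknown
// email it verifies against the dummy record and discards the result, so
// known and unknown emails cost the same amount of time.
func loginHardened(email, password string) (ok bool, hashed bool) {
	acct, found := users[email]
	if !found {
		verify(dummy, password) // same cost, result deliberately ignored
		return false, true
	}
	return verify(acct, password), true
}

// captchaStore keeps issued codes by id and deletes an entry on its first
// verification attempt, matched or not, so a captured code cannot be reused.
type captchaStore struct {
	mu    sync.Mutex
	codes map[string]string
}

func newCaptchaStore() *captchaStore { return &captchaStore{codes: map[string]string{}} }

func (s *captchaStore) issue(id, code string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[id] = code
}

func (s *captchaStore) consume(id, submitted string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	expected, found := s.codes[id]
	delete(s.codes, id) // single use regardless of outcome
	return found && subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

func main() {
	register("alice@example.com", "correct horse battery staple") // constructed account
	checks := []struct {
		name string
		fn   func(string, string) (bool, bool)
	}{{"vulnerable", loginVulnerable}, {"hardened", loginHardened}}
	for _, c := range checks {
		for _, email := range []string{"alice@example.com", "nobody@example.com"} {
			start := time.Now()
			_, hashed := c.fn(email, "wrong-password")
			fmt.Printf("%-10s %-20s hashed=%-5v took %v\n", c.name, email, hashed, time.Since(start))
		}
	}
	store := newCaptchaStore()
	store.issue("2AYMYKZcMHXkxu3CaF1q", "ys2y") // values taken from the PoC request
	fmt.Println("first use:", store.consume("2AYMYKZcMHXkxu3CaF1q", "ys2y"))
	fmt.Println("replay:   ", store.consume("2AYMYKZcMHXkxu3CaF1q", "ys2y"))
}
```

Running the program prints a clearly shorter time for the unknown email on the vulnerable path and comparable times on the hardened path, and shows the CAPTCHA code accepted once and rejected on replay. Deleting the CAPTCHA entry before checking the code is what closes the reuse window: a wrong guess also burns the code, so an intercepted request cannot be replayed a thousand times.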
Proof of Concept
POST /answer/api/v1/user/login/email HTTP/1.1
Host: 192.168.1.66:9080
Content-Length: 116
Accept-Language: en_US
Authorization:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://192.168.1.66:9080
Referer: http://z11afzm1zlwvdy52d3g6luob72d48ywn.oastify.com/ref
Accept-Encoding: gzip, deflate
Connection: close
{"e_mail":"emailhere@email.com","pass":"asdfasdfadfasdfa","captcha_code":"ys2y","captcha_id":"2AYMYKZcMHXkxu3CaF1q"}
Impact
An attacker can enumerate valid user email accounts, which expands the application's attack surface.