How I Exploited an Auth0 Misconfiguration to Bypass Login Restrictions


Amjad Ali

Hey everyone 👋,

I recently found an interesting bug while hunting on a program, and I’m excited to share it with you all. I am sharing this write-up after a very long time because I was busy with my job, college, learning new things, and personal matters 😅. But now, finally, I am making time to share this with you, so I hope you’ll show some love and encouragement to inspire me to write more. Moreover, I believe this write-up will definitely help you learn something new.

So, without further delay, let’s delve into the details of my discovery.

I found a login panel where users can only log in; there is no signup page. The registration/signup option is disabled in the system, as it is designed to be accessible only to authorized parties.
I decided to do some fuzzing to see if I could uncover any hidden signup pages or sensitive endpoints. Unfortunately, my efforts came up empty-handed 🥲. But then, I randomly put in an email and password on the login page and intercepted the request using Burp.

While intercepting requests with Burp Suite, the following type of POST request was generated:

When I saw the request body structure, it struck me that this web app is using Auth0 because I had recently read a cool write-up by Nauman Khan about Auth0 misconfigurations (https://naumankh4n.medium.com/a-click-can-cause-1600-auth0-misconfig-9234aedad55c), which explains how attackers could create accounts using Auth0’s API by sending a POST request to the /dbconnections/signup endpoint, even if the website doesn’t have a sign-up option. So, I thought, maybe this website’s sign-up is disabled, but Auth0 might still let us create accounts.

So I quickly sent the intercepted request to Burp repeater and modified the request to:

POST /dbconnections/signup HTTP/2
Host: xyz.web.example.com
Content-Length: 198
Content-Type: application/json
Origin: https://xyz.web.example.com
Referer: https://xyz.web.example.com/

{"client_id":"<id>","username":"admin@attacker.com","password":"Admin@123","connection":"<value>","credential_type":"http://auth0.com/oauth/grant-type/password-realm"}

I replaced the /co/authenticate endpoint with /dbconnections/signup. Secondly, I renamed the username parameter to email and the realm parameter to connection.

This endpoint requires specific parameters:

client_id: A unique identifier for the application requesting access to Auth0 services.
connection: Specifies the identity provider (database connection) used for authentication.
email: The user’s email address.
password: The desired password, adhering to the configured password policy.

After modifying the request, I simply sent it to create an account. And guess what happened: I got a 200 OK response with the body {"_id":"<id>","email":"admin@attacker.com","email_verified":false}. This means the sign-up succeeded.

Performing Successful Registration to the System via the Auth0 API

By following these steps, an attacker can exploit the misconfiguration in Auth0 and bypass the intended registration mechanism, creating an unauthorized account and gaining access to the application.

After that, I simply used the newly created credentials to log in to the application, and I was successfully logged into the web application.

Now, let’s shed some light on Auth0:

What is Auth0?

Auth0 serves as an authentication platform widely adopted by websites and applications for managing user identities and ensuring secure access to their services. It offers various workflows to seamlessly integrate login and registration processes.

The Misconfiguration:

By default, Auth0 enables the registration option when creating a new application. However, if this setting isn’t configured properly, it can pose a significant security risk. Even if a system disables registration but implements Auth0, there’s a chance of bypassing this restriction.

Mitigation:

So, what can you do if you find yourself in a similar predicament? Clear Gate recommends the following steps to mitigate the risk and prevent unauthorized access:

To thwart such exploits, ensure that the “Disable Sign Ups” feature is activated in the application’s database connection settings. You can achieve this by navigating to the Authentication tab => Database Connections => {YourApplicationDatabaseName} => Disable Sign-Ups.

Disable Sign Ups Feature is Enabled

With this feature enabled, any attempt to register via the Auth0 API will result in a clear message indicating that public sign-up is disabled.

Creating New Users Via Auth0 API is Not Possible
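To turn the parameter list above and the mitigation check into something you can run against your own tenant, here is an added example (my code, not the author’s and not Auth0’s). It does two things: it audits a list of connections in the shape returned by the Auth0 Management API (GET /api/v2/connections, where database connections carry options.disable_signup) and flags database connections that still allow public sign-up, and it classifies the reply to a self-test POST /dbconnections/signup against your own application. The connection list, the “closed” error body (code no_signup with description “Public signup is disabled”) and the placeholder ids are constructed sample data and assumptions; the “open” body is the one quoted in the write-up. Nothing here sends a request; you would feed it the responses you obtained with your own tenant’s credentials.

```python
import json
from typing import Any

# Constructed sample in the shape of GET /api/v2/connections.
# Assumption: only the keys used below are modelled; real responses have many more.
SAMPLE_CONNECTIONS_JSON = json.dumps([
    {"id": "con_PLACEHOLDER_1", "name": "Username-Password-Authentication",
     "strategy": "auth0", "options": {"disable_signup": False}},
    {"id": "con_PLACEHOLDER_2", "name": "staff-db",
     "strategy": "auth0", "options": {"disable_signup": True}},
    {"id": "con_PLACEHOLDER_3", "name": "google-oauth2",
     "strategy": "google-oauth2", "options": {}},
])

# Body the write-up received when the misconfiguration was present (200 OK).
OPEN_SIGNUP_BODY = '{"_id":"<id>","email":"admin@attacker.com","email_verified":false}'

# Constructed body for a tenant with "Disable Sign Ups" enabled (assumed shape,
# HTTP 400): Auth0 answers with an error object rather than a created user.
CLOSED_SIGNUP_BODY = json.dumps({
    "name": "BadRequestError", "code": "no_signup",
    "description": "Public signup is disabled", "statusCode": 400,
})


def find_open_signup_connections(connections_json: str) -> list[str]:
    """Return the names of database connections (strategy 'auth0') on which
    public sign-up is still possible, i.e. options.disable_signup is not True.
    Social and enterprise connections have no such toggle and are skipped."""
    open_conns = []
    for conn in json.loads(connections_json):
        if conn.get("strategy") != "auth0":
            continue
        options: dict[str, Any] = conn.get("options") or {}
        # A missing key counts as open: Auth0 allows sign-ups unless disabled.
        if options.get("disable_signup") is not True:
            open_conns.append(conn["name"])
    return open_conns


def build_signup_body(client_id: str, connection: str,
                      email: str, password: str) -> dict[str, str]:
    """The four parameters /dbconnections/signup requires, as listed in the
    write-up, for a self-test against your own application."""
    return {"client_id": client_id, "connection": connection,
            "email": email, "password": password}


def classify_signup_response(status: int, body: str) -> str:
    """Classify a /dbconnections/signup self-test reply.

    'open'   -> a user was created (200 with an _id): sign-ups are NOT disabled
    'closed' -> Auth0 refused because public sign-up is disabled
    'other'  -> anything else (password policy, unknown connection, ...)
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "other"
    if not isinstance(data, dict):
        return "other"
    if status == 200 and "_id" in data:
        return "open"
    description = str(data.get("description", "")).lower()
    if status == 400 and (data.get("code") == "no_signup"
                          or "signup is disabled" in description):
        return "closed"
    return "other"


if __name__ == "__main__":
    print("connections with public sign-up:",
          find_open_signup_connections(SAMPLE_CONNECTIONS_JSON))
    print("write-up response  :", classify_signup_response(200, OPEN_SIGNUP_BODY))
    print("mitigated response :", classify_signup_response(400, CLOSED_SIGNUP_BODY))
```

The audit function is the useful part for routine checks: pull the connection list with a Management API token scoped to read:connections and fail the check if it returns any names. The classifier is for the one-off verification the author shows in the screenshot, so you can tell a properly refused sign-up apart from a request that merely failed for another reason (a response other than the "closed" shape does not prove the mitigation is in place).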

And that’s it, folks! I hope this write-up offers you valuable insights. Thank you for taking the time to read. If you have any thoughts or questions, please feel free to share them in the comments section.
Thank you again, and happy bug hunting!

My LinkedIn: https://www.linkedin.com/in/amjadali110/
