Authentication is probably one of the most important parts of any software. It is perhaps unsurprising that many choose to use Single Sign-On (SSO) from Google, Microsoft, and others. Instead of managing an entire login flow, forgotten-password flow, and other authentication patterns, SSO offloads this workload to the SSO provider. While this has numerous advantages for development teams, these systems are built around third parties passing tokens around via APIs; if those tokens aren't handled with care, the entire login system can be exploited.
Using publicly available information and APIs, the ASPEN team identified a flaw in the SSO login flow of a Fortune 500 company in the health and wellbeing sector and promptly reported it. While this specific vulnerability has now been resolved and mitigated, it is important to recognize some of the flaws in login flows that could easily be replicated in other environments and applications.
Bypassing an SSO login flow
The ASPEN team initially identified this Angular application with SSO after performing subdomain reconnaissance on a well-known large healthcare brand. Angular websites are a goldmine for API research, since these sites typically offer a highly interactive JavaScript front end that then calls REST API endpoints. The login flow was:
- It would check for a logged-in user (via Microsoft SSO) and redirect to the SSO page if there isn't one.
- It would call the Microsoft Graph API to retrieve the user's information. Specifically, it wanted the email address.
- The email address was used in a user search API to retrieve the user's information. This included data such as name, access role, and the locations the user is allowed to access.
- This API (and all others) on the website used API key authentication, and that key was present in the client-side JavaScript.
- The login data is saved to session storage. The role and location are used later to control and present data.
We did some research to find the best way to gain access to the app with as little modification as possible. The user search API works by sending an email address, so we tried to find potentially valid company emails on LinkedIn and Google. We tried various emails and even some wildcard patterns. Nothing succeeded in getting the API to reveal user information until a value of "all" was used. When that was used, it returned all the user information in the system:
We now knew all the valid user emails, and with this we were able to make changes to the Angular code.
Angular code modifications
The goal of our modifications was to trick the app into thinking that the SSO login succeeded, and to set the logged-in email to one that is known to be a Global Admin. The app had to be modified in three different ways:
First, a few changes had to be made to the login function to trick it into thinking a valid user is logged in:
Second, there was an issue where some pages would redirect to the SSO login despite the user having the correct access role. The simplest way to fix this and allow access to all pages was to short-circuit the Angular canActivate function and return true in all cases:
Finally, we modified the Microsoft Angular Authentication Library's activateHelper function to trick it into thinking an account is logged in. This stopped another case of being redirected to the SSO login:
Once all that was done, we had Global Admin access to the entire app and could access the information of 7½ million users:
Reporting to the company
The Traceable ASPEN team put together a report and sent it through the company's vulnerability disclosure program. The timeline is as follows:
- September 18, 2023: Report sent. 12 minutes later, the company responded confirming they had received the report.
- September 20, 2023: The company confirmed the issue was valid and were working on fixing it. At this point the entire website had been taken offline, so the issue was essentially contained.
As seen from the timeline, the company's response to our report was exemplary. Often it takes weeks, if not months, to get an acknowledgement and remediation done. This was one of our best experiences engaging with a vulnerability disclosure team, and we believe they are a great model for efficiency that others should strive to match. We shared this blog with the company prior to publication for their approval. At their request, we have redacted their name.
Lessons & takeaways
The Traceable ASPEN team was able to identify this API security vulnerability before it could be abused. Our recommendations for similar SSO Angular applications are:
- Stop and think before including any API keys in your code. Consider what could happen if you published the key for the world to see. If you must include them, make sure they are narrowly scoped to the specific operations they are needed for. Remember that these keys provide long-term access to data. For APIs meant to be accessed by logged-in users, API key authentication isn't a good fit.
- Fully implement SSO login tokens and login. In this case, instead of using the OAuth token, they used API keys. All the company's APIs should have used the SSO access token to authenticate instead of an API key. It is also important to check what permissions the user has and properly deny access to API resources the user isn't allowed to use.
- Check to make sure that admin APIs are properly protected. The user search API with the "email=all" query option appears to be an admin API, but it was accessible with the user API key. This is what is called a BFLA (Broken Function Level Authorization) vulnerability. Make sure all APIs enforce proper access controls to avoid introducing backdoors into your websites.
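As an added example illustrating the second and third takeaways (this is not the affected site's or Traceable's code), here is a user-search handler in the weak shape described above beside a hardened version that authenticates with the SSO access token and treats the "all" listing as an admin-only function. Token verification is stubbed with a constructed table of already-validated tokens, and the user records and key are constructed sample data.

```javascript
// Constructed sample data: what the user search API hands back for each account.
const USERS = [
  { email: "alice@example.com", name: "Alice", role: "GlobalAdmin", locations: ["HQ"] },
  { email: "bob@example.com",   name: "Bob",   role: "User",        locations: ["Site-2"] },
  { email: "carol@example.com", name: "Carol", role: "User",        locations: ["Site-3"] },
];
const SHARED_API_KEY = "constructed-client-side-key"; // the kind of key that ends up in a JS bundle

// Weak shape: a static key shipped to every browser is the only check, the caller picks
// any email, and "all" dumps every record. Whoever reads the bundle can do the same.
function weakUserSearch(req) {
  if (req.headers["x-api-key"] !== SHARED_API_KEY) return { status: 401, body: "unauthorized" };
  const q = req.query.email;
  const hits = q === "all" ? USERS : USERS.filter((u) => u.email === q);
  return { status: 200, body: hits };
}

// Stand-in for verifying an SSO access token (signature, issuer, audience, expiry). A real
// service checks these against the identity provider's keys; this constructed table of
// already-validated tokens -> claims keeps the example self-contained (assumption).
const VALID_TOKENS = {
  "tok-alice": { email: "alice@example.com" },
  "tok-bob":   { email: "bob@example.com" },
};
function verifyAccessToken(authHeader) {
  const m = /^Bearer (\S+)$/.exec(authHeader || "");
  return m ? VALID_TOKENS[m[1]] || null : null;
}

// Hardened shape: identity comes from the verified token, the role is looked up server-side,
// and the "all" listing is a function-level privilege that only Global Admins hold.
function hardenedUserSearch(req) {
  const claims = verifyAccessToken(req.headers.authorization);
  if (!claims) return { status: 401, body: "unauthorized" };
  const caller = USERS.find((u) => u.email === claims.email);
  if (!caller) return { status: 403, body: "forbidden" };
  const q = req.query.email;
  const isAdmin = caller.role === "GlobalAdmin";
  if (q === "all") {
    return isAdmin ? { status: 200, body: USERS } : { status: 403, body: "forbidden" };
  }
  // Non-admins may only read their own record, as established by the token, not the query.
  if (!isAdmin && q !== caller.email) return { status: 403, body: "forbidden" };
  const hit = USERS.find((u) => u.email === q);
  return hit ? { status: 200, body: [hit] } : { status: 404, body: "not found" };
}
```

The hardened handler also rejects requests that carry only the old API key, which is the behaviour a migration to SSO-token authentication should end with.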
How Traceable can help
Traceable ASPEN provides vendor-neutral and threat-driven research in API security, investigating the latest breaches with world-leading expertise and analysis. We believe in securing the world's APIs with actionable insights from across the industry. We are offensively minded, defensively driven, and focused on your security.
Get the ASPEN advantage: join the biggest names in finance and software and secure your most valuable API assets with Traceable's complete API security platform. From attack surface discovery, advanced mitigation and blocking to threat intelligence, see how we can transform your API security across the API lifecycle and request a demo today.