Bug Title: Broken Authentication and Session Management
Hello there, I have noticed there is a (Broken Authentication and Session Management) bug in your website.
POC: Steps: We have to use two browsers (Browser A) and (Browser B).
1 : Open (Browser A) and go to "https://key.fundrequest.io/auth/realms/fundrequest/protocol/openid-connect/auth?response_type=code&client_id=fundrequest_dev&redirect_uri=https%3A%2F%2Ffundrequest.io%2Fsso%2Flogin&state=efff0a99-79e7-4c60-a883-12ebaeb384e7&login=true&scope=openid" and log in to your "fundrequest" account with your valid email and password.
2 : Open (Browser B) and similarly go to "https://key.fundrequest.io/auth/realms/fundrequest/login-actions/reset-credentials?client_id=fundrequest_dev&tab_id=M58shjzspTU&response_type=code&client_id=fundrequest_dev&redirect_uri=https%3A%2F%2Ffundrequest.io%2Fsso%2Flogin&state=efff0a99-79e7-4c60-a883-12ebaeb384e7&login=true&scope=openid" and get a password reset token.
3 : Suppose (Browser A) is a shared computer's browser, and you left your account logged in at that computer. Then you change your account password from (Browser B) by getting a password reset token link. Now go to (Browser B) and change your account password.
Step 4 : When you change your account password in (Browser B), the session in (Browser A) should expire and the account should automatically be logged out.
Step 5 : Go to (Browser B), visit your account page and refresh the page. You will notice that even after changing the account password in (Browser B), the session in (Browser A) didn't expire, which can cause major problems. And also after that you can change user information.
Impact: Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, forgot my password, remember my password, account update, and other related functions. Because "walk by" attacks are likely for many web applications, all account management functions should require re-authentication even if the user has a valid session id.
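The fix the report asks for is server-side: every session must be tied to the credentials that were valid when it was created, so a password change or reset retires the sessions left open elsewhere, and the password-change function itself must re-authenticate the caller rather than trust the session alone. The following is an added illustration of that pattern in plain Python; it is not code from the report, from fundrequest.io or from Keycloak, and all names (User, SessionStore, credential_generation, change_password, reset_password_with_token) and the sample credentials are hypothetical.

```python
"""
Added example: a minimal session store that binds each session to a
per-user credential generation counter. Changing or resetting the
password bumps the counter, so every session minted under the old
credentials is rejected the next time it is presented. The password
change path additionally requires the current password (re-auth).
All identifiers and sample values are constructed for this demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # constructed parameter for the demo


class User:
    """Account record. credential_generation increases on every credential change."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.credential_generation = 0
        self._store_password(password)

    def _store_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.password_hash)

    def set_new_password(self, password: str) -> None:
        self._store_password(password)
        # Every session created before this point now carries a stale generation.
        self.credential_generation += 1


class SessionStore:
    """Server-side sessions keyed by an unguessable id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, user: User, password: str) -> Optional[str]:
        if not user.check_password(password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user,
                               "generation": user.credential_generation}
        return sid

    def current_user(self, sid: str) -> Optional[User]:
        """Resolve a session; a session with a stale generation is dropped on sight."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["generation"] != entry["user"].credential_generation:
            del self._sessions[sid]
            return None
        return entry["user"]

    def rebind(self, sid: str) -> None:
        """Keep the session that performed the change alive under the new generation."""
        entry = self._sessions[sid]
        entry["generation"] = entry["user"].credential_generation


def change_password(store: SessionStore, sid: str,
                    current_password: str, new_password: str) -> bool:
    """Logged-in path: a valid session is not enough, the current password is re-checked."""
    user = store.current_user(sid)
    if user is None or not user.check_password(current_password):
        return False
    user.set_new_password(new_password)
    store.rebind(sid)  # only the changing browser stays signed in
    return True


def reset_password_with_token(user: User, new_password: str) -> None:
    """Forgot-password path (token validity is assumed to have been checked by the caller).
    No session is rebound: every existing session, including on shared machines, is retired."""
    user.set_new_password(new_password)
```

In the report's scenario, Browser A holds a session created at generation 0; once Browser B changes the password, the generation becomes 1 and Browser A's next request resolves to no user, which is the forced logout the report expects. The same counter can be extended to cover other credential changes (e-mail, MFA enrolment) without touching the session table.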