Phil Sturgeon's REST server - is there really a security vulnerability in Digest Auth, or have I misunderstood something?

I recently downloaded Phil Sturgeon's REST server for CodeIgniter. I looked at the source code, and when I came to Digest authentication I saw the following code:

    // Apache with mod_php exposes the parsed header as PHP_AUTH_DIGEST;
    // other SAPIs only pass through the raw Authorization header.
    if ($this->input->server('PHP_AUTH_DIGEST'))
    {
        $digest_string = $this->input->server('PHP_AUTH_DIGEST');
    }
    elseif ($this->input->server('HTTP_AUTHORIZATION'))
    {
        $digest_string = $this->input->server('HTTP_AUTHORIZATION');
    }
    else
    {
        $digest_string = "";
    }

And a little later, after some checks that $digest_string is not empty and that a username is present:

    // This is the valid response expected.
    // nonce, nc and cnonce are taken from the client's header as-is and only
    // fed into the hash; nothing compares them against server-side state.
    $A1 = md5($digest['username'].':'.$this->config->item('rest_realm').':'.$valid_pass);
    $A2 = md5(strtoupper($this->request->method).':'.$digest['uri']);
    $valid_response = md5($A1.':'.$digest['nonce'].':'.$digest['nc'].':'.$digest['cnonce'].':'.$digest['qop'].':'.$A2);

    if ($digest['response'] != $valid_response)
    {
        header('HTTP/1.0 401 Unauthorized');
        header('HTTP/1.1 401 Unauthorized');
        exit;
    }

On Wikipedia, I see the following text about HTTP Digest Auth:

For subsequent requests, the hexadecimal request counter (nc) must be greater than the last value it used; otherwise an attacker could simply "replay" an old request with the same credentials. It is up to the server to ensure that the counter increases for each of the nonce values it has issued, rejecting any bad requests appropriately.

The server should remember nonce values that it has recently generated. It may also remember when each nonce value was issued, expiring them after a certain amount of time. If an expired value is used, the server should respond with the "401" status code and add stale=TRUE to the authentication header, indicating that the client should re-send with the new nonce provided, without prompting the user for another username and password.

However, I see nothing in the source code that checks cnonce, nc, or nonce. Does this mean that someone who captured a request from the client to the server that carried the authentication can simply "replay" it in the future and get the resource again?

Is it really vulnerable? Or have I misunderstood something?

+4
1 answer

I noticed this too while looking at codeigniter-restserver. It is vulnerable to replay attacks because, as you said, it does not use the nonce.

Digest authentication requires a handshake:

  • the client makes the request with authorization. It fails because the client does not yet know the nonce
  • the server responds with a WWW-Authenticate header that contains the correct nonce value to use
  • the client makes the same request using the nonce given in the server's response
  • the server validates that it matches and serves the requested URL.

To do this you need to keep a session on the REST server so that it can remember the nonce. A lightweight scheme for generating a nonce that is always unique is to base it on the current time, using a function like uniqid().

0
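The handshake and nonce tracking described in this answer, together with the replay the question asks about, as an added example. This is not code from codeigniter-restserver and not the answerer's code. It keeps the response computation from the question's snippet (A1, A2, then md5 over nonce:nc:cnonce:qop) and adds the two checks the quoted Wikipedia text calls for: the nonce must be one the server issued and not yet expired (otherwise the server should send a fresh challenge with stale=TRUE), and nc must be strictly greater than the last value accepted for that nonce. The class name DigestVerifier, the realm "REST API", the user alice, the password and the constructed headers are all assumptions made for the demonstration.

```php
<?php
// Added example, not code from codeigniter-restserver: a server-side Digest verifier
// that remembers the nonces it issued and the last nc accepted for each, so that a
// captured Authorization header cannot simply be replayed. Names are assumptions.

class DigestVerifier
{
    private string $realm;
    private array $users;        // username => password, needed to compute A1
    private array $nonces = [];  // nonce => ['issued' => unix time, 'nc' => last counter]
    private int $ttl;

    public function __construct(string $realm, array $users, int $ttl = 300)
    {
        $this->realm = $realm;
        $this->users = $users;
        $this->ttl   = $ttl;
    }

    // Issue an unpredictable nonce (for the WWW-Authenticate challenge) and remember
    // when it was issued, so it can be expired later.
    public function issueNonce(): string
    {
        $nonce = bin2hex(random_bytes(16));
        $this->nonces[$nonce] = ['issued' => time(), 'nc' => 0];
        return $nonce;
    }

    // Parse the key="value" and key=value pairs of an Authorization: Digest header.
    public static function parse(string $header): array
    {
        $header = preg_replace('/^\s*Digest\s+/i', '', $header);
        preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
        $out = [];
        foreach ($m as $p) {
            $out[$p[1]] = $p[2] !== '' ? $p[2] : ($p[3] ?? '');
        }
        return $out;
    }

    // Returns 'ok', or why the request gets a 401: 'bad' (malformed header or wrong
    // response), 'stale' (credentials fine but nonce unknown or expired: re-challenge
    // with stale=TRUE), 'replay' (nc did not advance for this nonce).
    public function verify(string $method, string $header): string
    {
        $d = self::parse($header);
        foreach (['username', 'nonce', 'uri', 'nc', 'cnonce', 'qop', 'response'] as $k) {
            if (!isset($d[$k])) return 'bad';
        }
        if (!isset($this->users[$d['username']])) return 'bad';

        // 1. Same response computation as the REST server, with the stored password.
        $a1 = md5($d['username'] . ':' . $this->realm . ':' . $this->users[$d['username']]);
        $a2 = md5(strtoupper($method) . ':' . $d['uri']);
        $expected = md5($a1 . ':' . $d['nonce'] . ':' . $d['nc'] . ':' . $d['cnonce'] . ':' . $d['qop'] . ':' . $a2);
        if (!hash_equals($expected, $d['response'])) return 'bad';

        // 2. The nonce must be one we issued and still within its lifetime.
        $state = $this->nonces[$d['nonce']] ?? null;
        if ($state === null || time() - $state['issued'] > $this->ttl) {
            unset($this->nonces[$d['nonce']]);
            return 'stale';
        }

        // 3. nc must be strictly greater than the last value accepted for this nonce;
        //    the counter is only advanced once everything above has passed.
        $nc = hexdec($d['nc']);
        if ($nc <= $state['nc']) return 'replay';
        $this->nonces[$d['nonce']]['nc'] = $nc;
        return 'ok';
    }
}

// What a client (browser or curl) computes for its Authorization header.
function clientHeader(string $user, string $pass, string $realm, string $method, string $uri, string $nonce, int $nc, string $cnonce): string
{
    $ncHex    = sprintf('%08x', $nc);
    $a1       = md5("$user:$realm:$pass");
    $a2       = md5(strtoupper($method) . ":$uri");
    $response = md5("$a1:$nonce:$ncHex:$cnonce:auth:$a2");
    return sprintf('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"',
        $user, $realm, $nonce, $uri, $ncHex, $cnonce, $response);
}

// Constructed demo: a fresh request, the same captured header replayed, the next
// request with nc advanced, and a header whose nonce the server never issued.
$server = new DigestVerifier('REST API', ['alice' => 's3cret']);
$nonce  = $server->issueNonce();
$first  = clientHeader('alice', 's3cret', 'REST API', 'GET', '/api/users', $nonce, 1, 'cn0001');
$second = clientHeader('alice', 's3cret', 'REST API', 'GET', '/api/users', $nonce, 2, 'cn0002');
$forged = clientHeader('alice', 's3cret', 'REST API', 'GET', '/api/users', str_repeat('0', 32), 1, 'cn0003');
print_r([
    'fresh request'            => $server->verify('GET', $first),
    'captured header replayed' => $server->verify('GET', $first),
    'next request, nc=2'       => $server->verify('GET', $second),
    'nonce never issued'       => $server->verify('GET', $forged),
]);
```

The response is checked before the nonce state on purpose: stale=TRUE is only meaningful when the credentials were right and just the nonce is old, so a wrong password is reported as 'bad' rather than inviting a silent retry. In a real CodeIgniter deployment the nonce table cannot be a private array, because it disappears when the PHP request ends; it has to live in something shared across requests (a database table or a cache), which is what the answer's "start a session" amounts to. Note also that cnonce is only mixed into the hash; the server has nothing to compare it against, so replay protection rests entirely on the nonce lifetime and the nc check.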

Source: https://habr.com/ru/post/1479487/

