***Disclaimer:*** This was disclosed to the vendor in early October 2014 and appears to be resolved as of the date of this post (2014-11-13), as the method of executing the login bypass no longer works. I have worked with the vendor in terms of using their products and services, and have also received training through work. Whilst the following reveals an oversight and logic error on the part of the developers they hired, they handled the report of the flaw seriously and reacted in a reasonable timeframe to resolve it.
The web app in question is a web application/network scanner used to identify security flaws. The application itself allows scans to be scheduled, keeps a history of previous scans, and provides a management tool for detected issues. The system is effectively a SaaS version of Nessus and is available on the public internet.
Over a year ago the subscription to this service lapsed, yet the emails reporting issues found by the scheduled scans still arrived on a regular basis. It seems the service kept running in the background without checking whether the scans were licensed to run. To compound the issue, some of the scan targets were no longer in the possession of the organisations who had authorised the scan(s).
For all intents and purposes you would expect such a system to implement a number of checks at all levels to ensure that a user is valid, that the user is licensed, and that scans only run for licensed users. Let's see if we can still access that account.
After attempting a login, I was shown an error message about licensing, so at this level you have been rejected from the system. However, if you look at the URL you will see it ends in /login.
So let's remove it… this results in the dashboard appearing and the license check being bypassed. At this point it's clear that the licensing check is only performed on the /login page: the session cookie has already been set, and every other page only checks for that cookie.
The licensing page, showing the expired license.
The scans performed past the license expiry date on the automated schedule.
Going forward, there are a few issues with the system:
- IPs and web applications are scanned past the expiry of a license. Several of these IPs were no longer in the possession of the clients who had given authorisation to be scanned.
- As an extension of point 1, we could not stop the scans or remove targets from the scan due to the lack of a license. Removing or halting scans should have happened automatically in the system once the license expired.
- The system should check all of the criteria needed for a user at all times and on all pages. In this case the license/subscription check was only performed on login, and the system still set the cookie, allowing the bypass to occur.
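The logic error described above (the /login handler is the only place the subscription is checked, and the session cookie is issued before that check) and the scheduler issue from the list are both easy to reproduce in a few dozen lines. The following is an added example written for this post, not the vendor's code: `VulnerableApp` mirrors the flawed flow, `HardenedApp` moves the license check into a per-request gate and refuses to issue a session at all for an expired account, and `run_scheduled_scans` shows the gate a scheduler needs. Account names, passwords, targets and dates are constructed for the example.

```python
"""Login-only license check (vulnerable) vs. per-request license gate (hardened)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import secrets


@dataclass
class Account:
    username: str
    password: str            # plaintext purely for this toy example
    license_expires: date
    scan_targets: List[str]

    def licensed(self, today: date) -> bool:
        return today <= self.license_expires


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None   # session token handed to the browser


class VulnerableApp:
    """The flaw: the subscription is checked only inside /login, and the
    session cookie is created before that check, so any other page that
    merely asks 'is there a session?' lets the expired account straight in."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}                     # cookie token -> username

    def handle(self, path, today, cookie=None, username=None, password=None):
        if path == "/login":
            acct = self.accounts.get(username)
            if acct is None or acct.password != password:
                return Response(401, "bad credentials")
            token = secrets.token_hex(8)
            self.sessions[token] = acct.username      # cookie set regardless of license
            if not acct.licensed(today):
                return Response(403, "license expired", set_cookie=token)
            return Response(200, "dashboard", set_cookie=token)
        if cookie not in self.sessions:               # every other page: session check only
            return Response(302, "redirect:/login")
        return Response(200, "dashboard")


class HardenedApp(VulnerableApp):
    """Same routes; (1) no session is issued for an unlicensed account and
    (2) every request resolves the account and re-checks the license."""

    def _current_account(self, cookie, today):
        username = self.sessions.get(cookie)
        acct = self.accounts.get(username) if username else None
        if acct is None:
            return None
        if not acct.licensed(today):
            self.sessions.pop(cookie, None)           # revoke a session whose license lapsed
            return None
        return acct

    def handle(self, path, today, cookie=None, username=None, password=None):
        if path == "/login":
            acct = self.accounts.get(username)
            if acct is None or acct.password != password:
                return Response(401, "bad credentials")
            if not acct.licensed(today):
                return Response(403, "license expired")   # rejected, and no cookie issued
            token = secrets.token_hex(8)
            self.sessions[token] = acct.username
            return Response(200, "dashboard", set_cookie=token)
        if self._current_account(cookie, today) is None:
            return Response(302, "redirect:/login")
        return Response(200, "dashboard")


def run_scheduled_scans(accounts, today):
    """Scheduler gate: a target is scanned only while its owner's subscription is valid."""
    ran, skipped = [], []
    for acct in accounts:
        for target in acct.scan_targets:
            (ran if acct.licensed(today) else skipped).append((acct.username, target))
    return ran, skipped


def demo(today=date(2014, 11, 13)):
    """Replay the bypass against both apps; returns the observed outcomes."""
    expired = Account("acme", "hunter2", date(2013, 9, 30), ["192.0.2.10", "203.0.113.5"])
    active = Account("beta", "s3cret", date(2015, 1, 1), ["198.51.100.7"])
    out = {}
    v = VulnerableApp([expired, active])
    r = v.handle("/login", today, username="acme", password="hunter2")
    out["vuln_login"] = r.status                                          # 403 on /login ...
    out["vuln_dashboard"] = v.handle("/", today, cookie=r.set_cookie).status   # ... but 200 here
    h = HardenedApp([expired, active])
    r = h.handle("/login", today, username="acme", password="hunter2")
    out["hard_login"] = r.status                                          # 403
    out["hard_cookie_issued"] = r.set_cookie is not None                  # False
    out["hard_dashboard"] = h.handle("/", today, cookie=r.set_cookie).status   # 302
    r = h.handle("/login", today, username="beta", password="s3cret")
    out["active_dashboard"] = h.handle("/", today, cookie=r.set_cookie).status  # 200
    out["lapsed_dashboard"] = h.handle("/", date(2015, 1, 2), cookie=r.set_cookie).status  # 302
    ran, skipped = run_scheduled_scans([expired, active], today)
    out["scans_ran"], out["scans_skipped"] = len(ran), len(skipped)       # 1, 2
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened version treats "licensed" as a property of every request rather than of the login event: the session is never created for an expired account, and an existing session is revoked the first time it is seen after the subscription lapses. The scheduler applies the same test before each target, which is what would have stopped the scans against hosts the clients no longer controlled.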