code

How We Exploited Auth0 Misconfigurations

Written by Yuval Donana on

How We Exploited Auth0 Misconfigurations

Written by Yuval Donana on


Introduction

Auth0 is a powerful Identity Provider (IDP) solution widely used by organizations to implement secure authentication and authorization services. However, like any complex service, misconfigurations can occur, leading to potential vulnerabilities.

In this article, we will explore a common, critical misconfiguration that might be found in systems implementing Auth0 IDP and showcase a scenario where it is possible to exploit it and gain unauthorized access to the system.

What is Auth0?

It is a comprehensive identity platform that empowers developers to incorporate secure authentication and authorization services into their applications seamlessly. Serving as an Identity Provider (IDP), Auth0 relieves developers from the complexities of managing user identities by offering a range of services, including user registration, login, password management, multi-factor authentication, and single sign-on (SSO) across various platforms. It supports popular identity protocols such as OpenID Connect, OAuth 2.0, and SAML, making it compatible with multiple applications.

How Does Auth0 Work?

Auth0 work by providing centralized authentication and authorization services for applications. When a user logs in to an application that uses Auth0, the application redirects the user to Auth0’s login page. It then authenticates the user and returns an access token to the application. The application can then use the access token to authorize the user to access protected resources.

Visual Representation of the Authentication Flow

How We Accessed The Restricted System

The Scenario

The following scenario will explore a possible bypass in a web application implementing Auth0 IDP where the registration option is disabled. For the proof-of-concept (PoC), we have set up a simple application written in Flask (Python), with Auth0 implemented as the main authentication and authorization service. The tested application allows users to authenticate to the system using the Auth0 IDP and present their profile information after a successful login.

A User is Required to Authenticate the System

When a user clicks the “Login” button displayed in the above image, the system redirects the user to the configured Auth0 login screen. The registration option is disabled in the system as the system is designed to be accessible to authorized parties only.

Registration is Unavailable By Design

Exploiting the Misconfiguration

When creating a new application in Auth0, the registration option is enabled by default. As a result, when encountering a system with disabled registration that implements Auth0, it may be possible to bypass this restriction.

Exploring the Auth0 authentication API documentation, we discovered a very valuable endpoint that allows users to sign up via the Auth0 API and can be sent via POST /dbconnections/signup. This endpoint requires the following parameters:

  • client_id – The client_id parameter is a unique identifier that identifies an application requesting access to Auth0 services. 
  • connection – The connection parameter is used in the authentication API when a user logs into an application that uses Auth0. This parameter tells Auth0 which identity provider to authenticate the user with. It also specifies the identity provider the user will be authenticated with when they sign up for the application.
  • email – The user’s email address.
  • password – The password parameter is the user’s desired password. The password should adhere to the password policy configured by the developer at the Auth0 dashboard.
Auth0 Required Parameters

It is possible to obtain the client_id and connection parameter values relevant to the system’s environment, it can be done in several ways. For example, by attempting to authenticate to the system using invalid credentials intentionally, which passes those parameters automatically in the request:

Auth0
Necessary Parameters are Disclosed

After obtaining the client_id and the connection parameters, we can proceed to the next step and check whether the system supports registration via the Auth0 API. In order to accomplish this, we can send the previously mentioned POST /dbconnections/signup request along with the suitable parameters mentioned above, which appear to work successfully in our scenario:

Auth0
Performing Successful Registration to the System via the Auth0 API

In this stage, we can carry on to the login page and attempt to authenticate to the system using the newly created user, thus bypassing the restriction imposed by the application registration mechanism.

Successfully Authenticating to the System
Unauthorized Access to the Application was Achieved

Mitigation

If you have encountered the above scenarios, please follow the instructions below provided by Clear Gate for immediate mitigation and to prevent unauthorized access to your system:

To prevent this behavior, it is required to turn on the “Disable Sign Ups” feature in the application database. This can be done by navigating to the authentication tab => Database Connections => {YourApplicationDatabaseName} => Disable Sign-Ups.

Auth0
Disable Sign Ups Feature is Enabled

After performing this action, an attacker will receive the following error message when attempting to register via the Auth0 API:

Auth0
Creating New Users Via Auth0 API is Not Possible

Conclusion

Auth0 is a robust and widely adopted Identity Provider (IDP) solution, streamlining secure authentication and authorization for applications. However, as with any complex system, potential misconfigurations can arise, leading to security vulnerabilities. In this article, we explored a specific scenario where a misconfiguration in an application utilizing Auth0 IDP allowed for a critical circumvent of the registration restriction.

By leveraging the this API and obtaining the necessary parameters, it was possible to bypass the disabled registration and create a new user, even when the system was designed to prevent public registration. The flaw in the implementation was addressed through the Disable Sign-Ups feature, a mitigation method that prevents unauthorized user creation via the API.

Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in it’s deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their Auth0 security and protect valuable data from potential threats.

References