From: Alviro Iskandar Setiawan
Date: Sun, 23 Apr 2023 08:31:42 +0700
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi
Cc: Michael William Jonathan, GNU/Weeb Mailing List

On Sun, Apr 23, 2023 at 8:28 AM Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 6:36 AM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrote:
> > > On Sun, Apr 23, 2023 at 6:11 AM Alviro Iskandar Setiawan wrote:
> > > > Summary:
> > > > - Access from browser: {"success":false}
> > > > - Access from my POC: {"success":false}
> > > > - Access from XHR (real login with cookies): {"success":true, "etickets": [...]}
> > > > - Access from curl cmd (no cookies): {"success":true, "etickets": [...]}
> > >
> > > Using real login with cookies can only get tickets that the user owns.
> > > But if I remove the cookies, it can get any ticket just like
> > > previously (from curl cmd).
> >
> > Confirmed. I can reproduce it.
>
> This looks like a CDN cache to me. Using cookies will provoke cache
> misses as the CDN can't decide anything about authentication. Thus, it
> ends up accessing the origin server to get the response.

With cookies:

> < x-cache: Error from cloudfront
> < age: 2
> {"success":false}

Without cookies:

> < x-cache: RefreshHit from cloudfront
> < age: 181004
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9492-f471a526dc84"]}

--
Viro
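As an added example (not code from the thread or the ticketing system), a small Python check for the failure mode Viro describes: it parses two curl-style raw responses, one sent with the session cookie and one without, and flags the endpoint when the anonymous one is a CloudFront cache hit that still carries `"success":true`. The sample responses are constructed to match the headers quoted above; the placeholder ticket URL, the function names and the `Cache-Control: private`/`no-store` rule are assumptions.

```python
import json

# Constructed sample responses in the shape of the thread's curl output
# (the ticket URL is a placeholder, not a real one from the report).
WITH_COOKIES = (
    "HTTP/2 200\r\n"
    "content-type: application/json\r\n"
    "x-cache: Error from cloudfront\r\n"
    "age: 2\r\n\r\n"
    '{"success":false}'
)
WITHOUT_COOKIES = (
    "HTTP/2 200\r\n"
    "content-type: application/json\r\n"
    "x-cache: RefreshHit from cloudfront\r\n"
    "age: 181004\r\n\r\n"
    '{"success":true,"etickets":["https://example.invalid/e/PLACEHOLDER"]}'
)

def parse_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, JSON body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # first line is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, (json.loads(body) if body.strip() else {})

def served_from_cache(headers):
    """CloudFront reports 'Hit'/'RefreshHit' in x-cache for cached objects."""
    return "hit" in headers.get("x-cache", "").lower()

def shared_cache_allowed(headers):
    """Without 'private' or 'no-store', a shared CDN cache may store the response."""
    cc = headers.get("cache-control", "").lower()
    return "private" not in cc and "no-store" not in cc

def audit(authenticated_raw, anonymous_raw):
    """Compare the two responses and return LEAK / WARN / OK with a reason."""
    anon_h, anon_b = parse_response(anonymous_raw)
    auth_h, auth_b = parse_response(authenticated_raw)
    if anon_b.get("success") and served_from_cache(anon_h):
        return (f"LEAK: anonymous request served private data from cache "
                f"(age={anon_h.get('age')}s)")
    if auth_b.get("success") and shared_cache_allowed(auth_h):
        return "WARN: authenticated response lacks Cache-Control: private/no-store"
    return "OK"
```

Run against the constructed pair it reports the leak seen in the thread; once the origin sends `Cache-Control: private, no-store` (or the distribution forwards cookies and stops caching the endpoint) the same check returns OK.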