From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alviro.iskandar@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.2 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=ham
	autolearn_force=no version=3.4.6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1682213515;
	bh=SDqrpJ1j5VsNQ5YRaotsamGlEaE6PI3tMBYgtI8fJFM=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=G87n6Al998GawVUmjrAeD4hNNn4/TOe4BPKv1O/hvcX09sqKVvu7+q6lfEIMslAiG
	 M0seSZI/rYnIOxCKk980dfhFn/LIrteRGZ8ZomZzzHDEbJp5jchNBybnB8MfjYhwLP
	 t64HBvfvxhkiMDjhHfhsG4MuN2f1JxqYgHTlCWZ+jHBGfqYuBf0rjPNBD6+PqPwEz9
	 e5AtN95bKU4kdrw4uGv2yk0lWOvz4PugVX/KTnqD9fe9orL3k4dvZAi1JXiHX6MiZt
	 X91LCVLQr+jlkiLZ9RlaMq7d5vLkeT7k2813444MfKKpIutp+8RROczBU16Qw1ERbA
	 oQcxtbfZsWF8g==
Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com [209.85.167.45])
	by gnuweeb.org (Postfix) with ESMTPSA id 531F424580D
	for <gwml@vger.gnuweeb.org>; Sun, 23 Apr 2023 08:31:55 +0700 (WIB)
Received: by mail-lf1-f45.google.com with SMTP id 2adb3069b0e04-4edc7cc6f46so3212102e87.1
        for <gwml@vger.gnuweeb.org>; Sat, 22 Apr 2023 18:31:55 -0700 (PDT)
X-Gm-Message-State: AAQBX9f7tpQudY2MqhNCgWQ1/ANGhh40mLcY33f1xC2lE6SMEFCn4yGk
	b3ZEHD2A4MFizLoivBOUOMe8+WoUrCzFVQuLQwg=
X-Google-Smtp-Source: AKy350bYg7u6N87tHCD8heTPzfYwYikxDlKWNnIpo8SwzesWfGBffDdoXXGNYHviUqGKIt2saytauFZHinbWwBt29Po=
X-Received: by 2002:a05:6512:71:b0:4dc:7e7a:a72f with SMTP id
 i17-20020a056512007100b004dc7e7aa72fmr2544635lfo.16.1682213513293; Sat, 22
 Apr 2023 18:31:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAOG64qNpZq0Q0OCKgKuNWSX=BG+y-az5_YObgUt1vPfnD1pXPg@mail.gmail.com>
 <ZEMtOzT8PnppTLkK@biznet-home.integral.gnuweeb.org> <CAOG64qMUTuD2BZZiEZsjw=ivGfkv2Tu28Nr7Ar808NptvU0idw@mail.gmail.com>
 <ZEMx695Kl6rmZUEv@biznet-home.integral.gnuweeb.org> <ZENIBgfiQSnZcGS6@biznet-home.integral.gnuweeb.org>
 <CAOG64qO-G66HPBBmsDs80fgfCQrN2o1oSZ720i2TJSMn67cgpw@mail.gmail.com>
 <CAOG64qMi=1oM+iEKZmoQQWonDzE1ZBkfA5pCNmF2LQYQcK8KRw@mail.gmail.com>
 <ZERoaUptOd5Zq0gj@biznet-home.integral.gnuweeb.org> <CAOG64qPCF=iQVTwFzk=q0SHet2h+71cxJt3=jDuV-0Pf1Td3Xw@mail.gmail.com>
 <CAOG64qN_prvKLJ21A14zphG8UOXCN6OQ1dOQpuH+KEtr-SHgbw@mail.gmail.com>
 <ZERvkyIY5kz6vH7m@biznet-home.integral.gnuweeb.org> <CAOG64qPSwNb944tUzUm+TjCXZYJPUnBA0m4Q71-6mO6Bx3T4QQ@mail.gmail.com>
In-Reply-To: <CAOG64qPSwNb944tUzUm+TjCXZYJPUnBA0m4Q71-6mO6Bx3T4QQ@mail.gmail.com>
From: Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
Date: Sun, 23 Apr 2023 08:31:42 +0700
X-Gmail-Original-Message-ID: <CAOG64qOCKhBCRtH6bhoZLJG5sz7ifdt4AzPZtZnbEnG+4hqKAQ@mail.gmail.com>
Message-ID: <CAOG64qOCKhBCRtH6bhoZLJG5sz7ifdt4AzPZtZnbEnG+4hqKAQ@mail.gmail.com>
Subject: Re: CF ticketing system is still vulnerable
To: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Cc: Michael William Jonathan <moe@chocola.dev>, "GNU/Weeb Mailing List" <gwml@vger.gnuweeb.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <gwml.vger.gnuweeb.org>

On Sun, Apr 23, 2023 at 8:28=E2=80=AFAM Alviro Iskandar Setiawan wrote:
> On Sun, Apr 23, 2023 at 6:36=E2=80=AFAM Ammar Faizi wrote:
> > On Sun, Apr 23, 2023 at 06:23:18AM +0700, Alviro Iskandar Setiawan wrot=
e:
> > > On Sun, Apr 23, 2023 at 6:11=E2=80=AFAM Alviro Iskandar Setiawan wrot=
e:
> > > > Summary:
> > > > - Access from browser: {"success":false}
> > > > - Access from my POC: {"success":false}
> > > > - Access from XHR (real login with cookies):  {"success":true, "eti=
ckets": [...]}
> > > > - Access from curl cmd (no cookies):  {"success":true, "etickets": =
[...]}
> > >
> > > Using real login with cookies can only get tickets that the user owns=
.
> > > But if I remove the cookies, it can get any ticket just like
> > > previously (from curl cmd).
> >
> > Confirmed. I can reproduce it.
>
> This looks like a CDN cache to me. Using cookies will provoke cache
> misses as the CDN can't decide anything about authentication. Thus, it
> ends up accessing the origin server to get the response.

With cookies:
> < x-cache: Error from cloudfront
> < age: 2
> {"success":false}

Without cookies:
> < x-cache: RefreshHit from cloudfront
> < age: 181004
> {"success":true,"etickets":["https://eticket.kiostix.com/e/6bfbaea6-d318-=
4c11-89d0-9637fec4a0d2","https://eticket.kiostix.com/e/18b368dd-e486-4f6f-9=
492-f471a526dc84"]}

-- Viro