Static forged session cookies in http/cves/2023/CVE-2023-27524.yaml

[Klendath]

Static session cookies will result in false negative results.

Nuclei Version: 3.2.2

Template file: http/cves/2023/CVE-2023-27524.yaml

Command to reproduce:

docker run projectdiscovery/nuclei:v3.2.2 -u http://x.x.x.x:8088 -t http/cves/2023/CVE-2023-27524.yaml

target used:
docker run -d --name superset -e SUP_SECRET_KEY=CHANGE_ME_TO_A_COMPLEX_SECRET -p 8088:8088 tylerfowler/superset

Issues:

1. Time based signatures are used for the session cookies. Statically forged ones are invalidated almost immediately. This template requires a method for implementing the Flask-Unsign python module or something similar.
2. Database payloads for the cluster bomb are excessive. If the forged session token is valid and used for a nonexistent database the response is a 404 versus a 401 if the session token is invalid.

[Klendath]

I was able to develop a working solution that verifies the signature on the initial cookie and correctly signs the forged cookie. I am working through my employer's open source contribution process to get approval to submit it.

[GeorginaReeder]

Awesome that you were able to develop a solution @Klendath , thanks for the update. Looking forward to your submission!