Overview
The apiida API Gateway Manager login screen and forgot-password page are vulnerable to Host Header Injection (tested on v2023.2.2). The value of the Host header is reflected on the page as the target of the login request and the forgot-password request. If an attacker manages to alter the Host header of a legitimate user's request while that user visits the login page, the header can be set to any domain under the attacker's control; when the legitimate user then logs into the application, the credentials are sent to that domain and can be stolen.
Setup
The apiida API Gateway Manager software (v2023.2.2) should be downloaded (https://apiida.com/product/apiida-api-gateway-manager/) and installed; a 30 day free trial is available. Setup can be done by following the instructions in this video (https://www.youtube.com/watch?v=0glynREqRcc). Do not select a different authentication method; keep the default one after setup, as shown in the image below.
Vulnerability steps
After the setup it should be possible to visit the login page. When using Docker it can be found by navigating to https://localhost/, as shown in the image below:
Checking the source code of the login page shows a loginForm whose action points to https://localhost, as shown in the image below:
BurpSuite (https://portswigger.net/burp) is used as a proxy to tamper with the Host header. So before navigating to https://localhost, the user has to intercept the request, as shown in the image below:
And change the Host header from localhost to a domain under the attacker's control. In this case Burp Collaborator is used to provide an external domain; in my case that value is nsjwruel0gdai636vx0kxwwi89e02rqg.oastify.com. So I change the Host header to that value and forward the request.
Checking the source code of the login page and searching for nsjwruel0gdai636vx0kxwwi89e02rqg.oastify.com shows that the form action has changed to the domain used in the Host header:
If a legitimate user now fills out their credentials and clicks the login button, the request is sent to a domain under the attacker's control. In this case it is received in Burp Collaborator:
Checking the first request shows the username and password being stolen, as shown in the image below:
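The root cause above is a login form whose action is built from the client-controlled Host header. The following added example (not apiida code) shows that vulnerable pattern beside an allow-listed fix, plus a small check that flags any form action pointing off the expected origin; the hostnames, allow-list and the one-form page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed deployment allow-list: the hostnames the gateway is really served on.
ALLOWED_HOSTS = {"localhost", "gateway.example.internal"}
CANONICAL_ORIGIN = "https://localhost"  # assumed configured base URL


def vulnerable_login_action(host_header: str) -> str:
    """Vulnerable pattern: the form action is built straight from the
    client-supplied Host header, so a tampered header is reflected."""
    return f"https://{host_header}/login"


def hardened_login_action(host_header: str) -> str:
    """Hardened pattern: only an allow-listed hostname is echoed; anything
    else falls back to the configured canonical origin (or could be rejected)."""
    hostname = host_header.split(":", 1)[0].strip().lower()  # drop any port
    if hostname in ALLOWED_HOSTS:
        return f"https://{hostname}/login"
    return f"{CANONICAL_ORIGIN}/login"


class _FormActionFinder(HTMLParser):
    """Collects the action attribute of every <form> tag on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions_off_origin(page_html: str, expected_origin: str) -> list:
    """Detection helper: return every absolute form action whose scheme and
    host differ from the expected origin; an empty list means no reflection."""
    parser = _FormActionFinder()
    parser.feed(page_html)
    expected = urlsplit(expected_origin)
    off_origin = []
    for action in parser.actions:
        target = urlsplit(action)
        if target.netloc and (target.scheme, target.netloc.lower()) != (expected.scheme, expected.netloc.lower()):
            off_origin.append(action)
    return off_origin


def render_login_page(build_action, host_header: str) -> str:
    """Constructed stand-in for the login page: one loginForm using the builder."""
    return f'<form id="loginForm" method="post" action="{build_action(host_header)}"></form>'
```

Running form_actions_off_origin against a fetched login page with the deployment's real origin gives a quick regression check that the fix holds.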
CVSSv3.1 Score
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N – (3.1)
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50093
https://apiida.com/product/apiida-api-gateway-manager/
https://portswigger.net/burp
https://portswigger.net/web-security/host-header
https://www.youtube.com/watch?v=0glynREqRcc
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N