Introduction
The Auth0 Extra for MODX CMS integrates Auth0's robust identity platform, with MODX's flexible and powerful web content management system / application framework. It goes without saying the Extra needs to be developed with the greatest attention to detail on security.
As a free-to-use, open-source package, resources to formally hire security investigators are non-existent, so we're asking the MODX, Auth0 and security communities at-large for help.
NOTE: the Auth0 Extra and Contests described herein are not affiliated nor associated with MODX, LLC or Auth0, Inc in any way. Please submit all enquiries using the Github repo's issue tracker
A Series of Contests
We're running a series of contests that will hopefully surface vulnerabilities in the application codebase. Each contest will have a goal, or "Easter Egg". Each qualifying submission will be entered into a random draw on the Remediation Date, specified in the details of each contest.
The submitter of any qualifying entry will, at their option, be credited in the package's README and description on modx.com/extras/.
To qualify, submissions must:
- Be reproducible. The exact steps taken to reproduce the exploit must be enumerated in detail. If we cannot reproduce the exploit, at our discretion we may:
- reach out to the submitter for clarifying information, or
- send the submitter a report on our failed attempt to reproduce and discard the entry.
- Be disclosed responsibly. Any submission disclosed publicly before the Remediation Date, will be disqualified. Submissions must be emailed to [email protected] and must have the exact subject line described in the contest details.
- Be unique, per submitter. All entries submitted by the same submitter, must describe unique vectors. This is to prevent the same person from submitting the same vector multiple times to game the random draw. Such submission activity, as well as any attempt to circumvent the qualification criteria (e.g. submitting from different email addresses, etc) will be grounds for disqualification. Disqualification is at our sole discretion.
- Describe an exploit of the Auth0 Extra's application codebase. The MODX installations hosting the contests happen to be deployed on MODX Cloud, with Cloud instance IDs exposed in the URL. A breach of the MODX Cloud infrastructure does not qualify as a vulnerability in the Auth0 Extra's application code, unless it can be demonstrated that the application code was directly responsible for the breach, by means such as privilege escalation or exposure of information. A vulnerability in Auth0, or the MODX application itself, does qualify if it meets all other criteria.
- Find the Egg. While we appreciate any and all security and bug submissions, the only way to run a contest is to have a quantitative goal that every submission must achieve. Thus the Easter Egg desribed in each contest must be included with the submission in order to qualify.
Contest B: "The First Gate"
- Prize: $200 USD
- Submission Subject Line: "I passed The First Gate"
- Contest START: Friday April 6th, 2018 at 11:59pm PDT
- Contest END: Friday April 27th, 2018 at 11:59pm PDT
- Remediation Date: Friday May 18th, 2018 at 11:59pm PDT
The Copper Key was never found,
We're passing the prize to this new round!
The Easter Egg is hidden here.
If you find it, we will cheer :P
The Auth0 Client has been setup with Google and Github social connections. If you use these services to login, your user will be created in the Auth0 domain, but you will not have access to the "Easter Egg" Resource. The goal is to find a vulnerability that exposes the Easter Egg—a secret 22 character string—despite the restricted access. (Enumerating 22 character strings doesn't count ;)
We've increased the attack surface and pooled the prize money from Contest A. The `auth0.JWTLogin` Snippet is called here: https://c0475.paas3.tx.modxcloud.com/jwt.html.
Clues
To reproduce what might be considered a bit of privileged information, gained via social engineering, for example, the following clues are provided:
- There is one MODX User that can access the Easter Egg, and the User's email is [email protected]
- The User also has Manager access. A vulnerability in the MODX application that can be exploited to gain Manager access, qualifies if you include the Easter Egg in your submission.
- The MODX User is logging in with username and password, not a social connection. If you can brute force or bypass Auth0's login flow, that also qualifies.
- You can study the application codebase for more clues. It's hosted on Github.
Contest A: "The Copper Key"
THIS CONTEST IS CLOSED
- Prize: $100 USD
- Submission Subject Line: "I found The Copper Key"
- Contest End: Friday March 30th, 2018 at 11:59pm PDT
- Remediation Date: Friday April 20th, 2018 at 11:59pm PDT
More
In the next few weeks and months, as we see how things are going, we will introduce more contests, and may change the structure or other aspects of the contests. Always, the goal is to reward and acknowledge the work of those who submit qualifying entries, and to improve the software. We are so very grateful for your participation.
Please let us know via email [email protected], in the comments below, or in the Github repo's issue tracker if you have any comments or suggestions.