
Jenkins Open User registration

By kannthu

Medium
Vidoc Module
#misconfig#jenkins#apache#tomcat
Description

What is "Jenkins Open User registration"?

The "Jenkins Open User registration" module is designed to detect a misconfiguration in the Jenkins software. It targets the Jenkins application, which is an open-source automation server used for continuous integration and delivery of software projects. The severity of this module is classified as medium. The original author of this module is DhiyaneshDk.

Impact

If the Jenkins Open User registration is misconfigured, it allows unauthorized users to register and access the Jenkins dashboard. This can lead to potential security risks, as unauthorized users may gain unauthorized access to sensitive information or perform malicious activities within the Jenkins environment.

How does the module work?

The module works by sending a GET request to the "/signup" path of the Jenkins application. It then applies several matching conditions to determine if the registration page is accessible:

- The response body must contain the phrase "Create an account! [Jenkins]".
- The response header must include the content type "text/html".
- The response status code must be 200 (OK).

If all of these conditions are met, the module identifies the misconfiguration and reports it as a vulnerability.

For example, the module sends a GET request to "/signup" and expects a response with a status code of 200, a content type of "text/html", and the phrase "Create an account! [Jenkins]" in the response body.
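The matching logic described above, written out as an added Python example (not Vidoc's or the module author's own code): `evaluate_match` applies the three AND-ed conditions to a response, and `check_jenkins_signup` fetches `/signup` from a base URL you supply. The sample responses are constructed, not captured from a real server.

```python
import urllib.error
import urllib.request
from typing import Mapping

# The three conditions the module applies to the GET /signup response.
BODY_PHRASE = "Create an account! [Jenkins]"
CONTENT_TYPE = "text/html"
EXPECTED_STATUS = 200


def evaluate_match(status: int, headers: Mapping[str, str], body: str) -> bool:
    """Return True only when all three conditions hold (AND logic).

    Header names are compared case-insensitively, and the content-type check
    is a substring test, so "text/html;charset=utf-8" still matches, just as
    the module's word matcher on the header does.
    """
    content_type = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value
            break
    return (
        status == EXPECTED_STATUS
        and CONTENT_TYPE in content_type
        and BODY_PHRASE in body
    )


def check_jenkins_signup(base_url: str, timeout: float = 10.0) -> bool:
    """Fetch <base_url>/signup and report whether self-registration looks open.

    An HTTP error status (e.g. 403 when sign-up is disabled) is evaluated like
    any other response and so yields a non-match; network failures propagate.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/signup", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers, body = resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        status, headers, body = err.code, dict(err.headers.items()), err.read()
    return evaluate_match(status, headers, body.decode("utf-8", errors="replace"))


# Constructed sample responses (status, headers, body); not from a real host.
OPEN_SIGNUP = (200, {"Content-Type": "text/html;charset=utf-8"}, "<title>Create an account! [Jenkins]</title>")
DISABLED_SIGNUP = (403, {"Content-Type": "text/html;charset=utf-8"}, "<h1>Sign up is not allowed</h1>")
JSON_DECOY = (200, {"Content-Type": "application/json"}, '{"msg": "Create an account! [Jenkins]"}')

if __name__ == "__main__":
    for label, sample in [("open", OPEN_SIGNUP), ("disabled", DISABLED_SIGNUP), ("json", JSON_DECOY)]:
        print(label, evaluate_match(*sample))
```

Only `OPEN_SIGNUP` satisfies all three conditions; the other two samples show why the status and content-type checks are needed alongside the body phrase.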

It is recommended to turn off user registration in Jenkins to mitigate this vulnerability.

Reference: https://www.acunetix.com/vulnerabilities/web/jenkins-open-user-registration/

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /signup
Matching conditions
- word: Create an account! [Jenkins] and
- word: text/html and
- status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability