Nacos 1.x - Authentication Bypass

By kannthu

Critical
Vidoc Module
#nacos #unauth
Description

What is the "Nacos 1.x - Authentication Bypass"?

The "Nacos 1.x - Authentication Bypass" module is designed to detect a critical vulnerability in Nacos 1.x instances. Nacos is a dynamic service discovery and configuration management platform used for cloud-native applications. This module specifically targets the authentication mechanism in Nacos 1.x, which can be bypassed, leading to unauthorized access to sensitive information and potential security breaches.

This vulnerability has a severity level of critical, indicating the high risk it poses to the security of Nacos instances.

Impact

If successfully exploited, the "Nacos 1.x - Authentication Bypass" vulnerability allows attackers to bypass the authentication mechanism of Nacos 1.x instances. This can lead to unauthorized access to sensitive data and configuration settings, and potentially to compromise of the entire system. Attackers could manipulate the configuration, disrupt services, or gain control over the infrastructure.

How does the module work?

The "Nacos 1.x - Authentication Bypass" module works by sending HTTP requests to the target Nacos instance and analyzing the responses based on predefined matching conditions. It checks for specific headers, body content, and response status codes to identify instances vulnerable to the authentication bypass.

For example, one of the HTTP requests sent by the module is:

GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1
Host: [target_host]
User-Agent: Nacos-Server

The module then applies matching conditions to the response, including checking for the presence of the "Content-Type: application/json" header, specific keywords in the response body (such as "username" and "password"), and a response status code of 200. If all conditions are met, the module identifies the Nacos instance as vulnerable to the authentication bypass.

It's important to note that this module is designed for detection purposes only and does not perform any actual exploitation or modification of the target system.
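The matching logic described above can be reproduced offline against saved responses, which is useful when triaging scanner findings. This is an added example, not Vidoc's module code: the function names and sample responses are constructed, and comparing the Content-Type header value (rather than a literal word match) is an assumption.

```python
import re

# Body patterns from the module's regex matcher; both must be present.
BODY_PATTERNS = [re.compile(r'"username":'), re.compile(r'"password":')]

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return int(parts[1]), headers, body

def evaluate(raw):
    """Apply the three matching conditions; all must hold (logical AND)."""
    status, headers, body = parse_response(raw)
    checks = {
        "status_200": status == 200,
        # Assumption: compare the header value, tolerating a charset suffix.
        "json_content_type": headers.get("content-type", "").lower().startswith("application/json"),
        "credential_fields": all(p.search(body) for p in BODY_PATTERNS),
    }
    checks["match"] = all(checks.values())
    return checks

# Constructed sample responses (not captured from a real server).
EXPOSED = ("HTTP/1.1 200 OK\r\ncontent-type: application/json;charset=UTF-8\r\n\r\n"
           '{"pageItems":[{"username":"example-user","password":"CONSTRUCTED-HASH"}]}')
DENIED = ("HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n\r\n"
          '{"status":403,"message":"constructed denial"}')
LOGIN_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              "<form><input name=username><input name=password></form>")

if __name__ == "__main__":
    for name, raw in [("exposed", EXPOSED), ("denied", DENIED), ("login", LOGIN_PAGE)]:
        print(name, evaluate(raw))
```

The per-condition results show why a response did not match, for example a 200 HTML login page that mentions "username" but fails both the Content-Type and the JSON field checks.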

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /nacos/v1/auth/users.../v1/auth/users?pageN...
Headers

User-Agent: Nacos-Server

Matching conditions
word: Content-Type: application/json
and
regex: "username":, "password":
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability