Posted to user@guacamole.apache.org by Thiago Araújo <th...@ventiv.com.br> on 2017/11/21 04:06:46 UTC

Security Issue "token" "authToken" hijacking

Hello everyone,

I will be very brief in my story.

We recently tried to implement guacamole for about 2500 users or more. However, guacamole did not respond well to pen testing. The pen testing team has found a way to hijack the authToken, and connect to the guacamole interface of any other computers on the network.

Guacamole was not approved because it is an environment with a high rate of fraud.

The same team also explored the authToken flaw in the cameyo and glypto enterprise.

One of the ways to exploit is to copy the "token" from the GUAC_AUTH cookie.

Another way is through the use of the REST API, using the callback-extension.

We would very much like to approve guacamole at our institution, so I leave the question here: has anyone had the same problem or would you have ideas on how to protect guacamole against the authToken hijacking?

Thank you all.

Regards,
Thiago


Re: Security Issue "token" "authToken" hijacking

Posted by Mike Jumper <mi...@guac-dev.org>.
On Nov 20, 2017 20:07, "Thiago Araújo" <th...@ventiv.com.br>
wrote:

Hello everyone,

I will be very brief in my story.

We recently tried to implement guacamole for about 2500 users or more.
However, guacamole did not respond well to pen testing. The pen testing
team has found a way to hijack the authToken, and connect to the guacamole
interface of any other computers on the network.


Hi Thiago,

Guacamole's auth token is no different than any other webapp session token,
and needs to be transmitted over encrypted channels for things to be
secure. What you describe (intercepting the session token) is not possible
with proper transport encryption between users and the Guacamole server.

If you genuinely believe you have found a flaw, please use the
private@guacamole.apache.org list to discuss this further. A public forum
like user@ is not the place to report such things.

Otherwise, please ensure you have proper SSL/TLS in front of Guacamole, and
that you do not allow unencrypted Guacamole traffic over an untrusted
network.

- Mike
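As an added illustration of the advice above (not part of this thread and not Guacamole's own configuration), here is a constructed nginx front end that only serves Guacamole over TLS: plain HTTP is redirected rather than proxied, HSTS tells browsers to stop using HTTP for the host, and Tomcat is expected to listen only on loopback so the unencrypted :8080 listener is never reachable from the network. The hostname, certificate paths and the 127.0.0.1:8080 backend are assumptions; the location block follows the documented nginx proxy settings for Guacamole.

```nginx
# Constructed example: TLS-only reverse proxy for Guacamole.
# Assumed: host guac.example.org, cert/key paths below, Tomcat bound to 127.0.0.1:8080.

# Plain HTTP never reaches the application; it only redirects to HTTPS,
# so a session token is never sent in the clear on this listener.
server {
    listen 80;
    server_name guac.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name guac.example.org;

    ssl_certificate     /etc/ssl/certs/guac.example.org.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/guac.example.org.key;  # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Browsers that have seen this header refuse to talk to the host over
    # plain HTTP, which removes the downgrade path for the session cookie.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /guacamole/ {
        # Backend is Tomcat on loopback only; do not expose 8080 beyond this host
        # (firewall it or set Tomcat's connector address to 127.0.0.1).
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade needed by the Guacamole tunnel.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
        access_log off;
    }
}
```

Confirm with a browser or curl that http://guac.example.org/guacamole/ answers only with the 301 and that the HTTPS response carries the Strict-Transport-Security header.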