Auth Bypass on Netlify
How Auth Bypass Manifests in Netlify
Auth bypass in Netlify environments typically occurs through misconfigured Netlify Functions, exposed environment variables, and improper handling of Netlify Identity. The serverless nature of Netlify Functions creates unique attack vectors that don't exist in traditional server environments.
One common pattern involves Netlify Functions that bypass authentication checks. Developers often assume that because the function is serverless, it's automatically protected. However, Netlify Functions execute on the edge with no built-in authentication unless explicitly implemented. An attacker can directly call these endpoints if they're not properly secured.
// VULNERABLE Netlify Function - auth bypass possible
exports.handler = async (event, context) => {
// No authentication check!
const userId = event.queryStringParameters.userId;
const user = await getUserFromDatabase(userId);
return {
statusCode: 200,
body: JSON.stringify(user)
};
};
Another Netlify-specific vulnerability involves exposed environment variables. Netlify allows developers to set environment variables in the dashboard or via configuration files. If sensitive variables like API keys or database credentials are exposed through client-side code or improperly secured endpoints, attackers can extract them.
// DANGEROUS: Exposing environment variables
exports.handler = async (event, context) => {
const apiKey = process.env.SUPER_SECRET_API_KEY; // Accessible to anyone
return {
statusCode: 200,
body: JSON.stringify({ apiKey }) // Exposes the key!
};
};
Netlify Identity misconfiguration represents another attack vector. When developers fail to properly validate Identity tokens or rely on client-side checks alone, attackers can forge or bypass authentication. The Netlify Identity widget runs entirely in the browser, making it trivial for determined attackers to manipulate.
// WEAK authentication - easily bypassed
const { user } = require('../utils/auth');
exports.handler = async (event, context) => {
if (!user) {
return { statusCode: 401, body: 'Unauthorized' };
}
// Only checks if user exists, not if they're authorized
return { statusCode: 200, body: 'Authenticated content' };
};
Cross-site request forgery (CSRF) attacks are particularly effective against Netlify sites because many developers disable Netlify's built-in CSRF protection for simplicity. Without proper CSRF tokens or same-site cookie policies, attackers can trick authenticated users into making unauthorized requests.
Netlify-Specific Detection
Detecting auth bypass vulnerabilities in Netlify requires examining both the deployed functions and the underlying configuration. The most effective approach combines automated scanning with manual code review.
middleBrick's scanner specifically targets Netlify Functions by analyzing the runtime behavior of deployed endpoints. It identifies functions that lack authentication headers, examine environment variable exposure patterns, and test for broken object-level authorization (BOLA) vulnerabilities.
Key detection patterns include:
- Functions that accept user input without validating authentication tokens
- Endpoints that return sensitive data without authorization checks
- Environment variables accessible through public endpoints
- Missing or weak CORS policies that allow cross-origin attacks
- Functions that trust client-side authentication state
Manual detection should focus on Netlify-specific configurations. Check your netlify.toml for function settings, examine all functions/ directory code, and verify Identity configuration in the Netlify dashboard.
# Check for exposed environment variables
netlify env:list
# Examine function permissions
netlify functions:invoke --name myFunction
# Test authentication bypass
curl -X POST https://your-site.netlify.app/.netlify/functions/myFunction
middleBrick provides Netlify-specific detection by scanning deployed functions without requiring access credentials. The scanner tests each function endpoint with various authentication states, attempting to access protected resources without proper authorization. It also examines the function's response patterns to identify potential information disclosure.
For comprehensive coverage, scan both your production and staging environments. Auth bypass vulnerabilities in staging can often be exploited in production if the same codebase is deployed.
Netlify-Specific Remediation
Remediating auth bypass vulnerabilities in Netlify requires implementing proper authentication at the function level and securing sensitive configurations. Netlify provides several native features to help secure your applications.
First, implement proper authentication in all Netlify Functions. Use Netlify Identity or integrate with external authentication providers like Auth0 or Firebase Auth. Never rely on client-side authentication alone.
// SECURE Netlify Function with proper auth
const { isAuthenticated } = require('../utils/auth');
exports.handler = async (event, context) => {
const { user } = await isAuthenticated(event);
if (!user) {
return {
statusCode: 401,
body: JSON.stringify({ error: 'Unauthorized' })
};
}
// Check specific permissions
if (!user.permissions.includes('read:profile')) {
return {
statusCode: 403,
body: JSON.stringify({ error: 'Forbidden' })
};
}
const userId = event.queryStringParameters.userId;
if (user.id !== userId && !user.permissions.includes('admin')) {
return {
statusCode: 403,
body: JSON.stringify({ error: 'Forbidden' })
};
}
const userProfile = await getUserProfile(userId);
return {
statusCode: 200,
body: JSON.stringify(userProfile)
};
};
Second, secure your environment variables. Never expose sensitive data through API responses or client-side code. Use Netlify's build environment for sensitive variables and ensure they're not included in your client bundles.
# netlify.toml - secure function configuration
[build]
command = "npm run build"
publish = "build"
[build.environment]
# Keep sensitive variables out of client code
NODE_ENV = "production"
[functions]
# Set appropriate timeouts and memory
timeout = 10
memory = 1024
Third, implement proper CORS policies. Netlify allows you to configure CORS at the function level or site-wide. Restrict origins to only those that need access.
// Secure CORS configuration
exports.handler = async (event, context) => {
const corsHeaders = {
'Access-Control-Allow-Origin': 'https://your-trusted-domain.com',
'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
'Access-Control-Allow-Headers': 'Content-Type, Authorization',
'Access-Control-Max-Age': '86400'
};
if (event.httpMethod === 'OPTIONS') {
return {
statusCode: 200,
headers: corsHeaders
};
}
// Authentication and authorization logic here
};
Fourth, enable Netlify Identity's built-in security features. Use JWT token validation and implement proper session management. For enhanced security, consider adding reCAPTCHA or rate limiting to sensitive endpoints.
Finally, implement comprehensive logging and monitoring. Netlify Functions provide built-in logging, but you should also track authentication failures and suspicious access patterns. Set up alerts for repeated authentication failures or access from unusual locations.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |