
AI PRP: airbyte weak credentials #445

Open
secureness opened this issue Mar 31, 2024 · 16 comments · May be fixed by #537
ai-bounty-prp Identify an AI bounty plugin Contributor main The main issue a contributor is working on (top of the contribution queue).

Comments

@secureness
Contributor

Airbyte is a popular open-source data integration platform.
An exposed Airbyte environment can have default weak credentials (airbyte/password).

ref: https://docs.airbyte.com/deploying-airbyte/local-deployment

@maoning maoning added Contributor queue When a contributor has already one issue/PR in review, we put the following ones on hold with this. ai-bounty-prp Identify an AI bounty plugin labels Apr 2, 2024
@sekhar-ops

Hi @maoning
I have good experience with Airbyte. Can I take up this task?

@sekhar-ops

Hi @maoning
Good day, can I get any update on the task?

@sekhar-ops

Hi @tooryx
Can I work on this if there is no progress by the assignee, please?

@tooryx
Member

tooryx commented Sep 4, 2024

Hi @sekhar-ops, I do not believe that @secureness is unresponsive. I think it was mostly a triage issue on my side.
@secureness, would you still like to work on this?

~tooryx

@tooryx tooryx removed the Contributor queue When a contributor has already one issue/PR in review, we put the following ones on hold with this. label Sep 4, 2024
@secureness
Contributor Author

I already have an ongoing PR as my main contribution, and this was in my queue because it is the issue that I created! And you removed the queue tag now? This is in my queue already, so why am I seeing people asking to take over my issues??? And now I'm wondering why you are letting and helping someone who doesn't even try to find a product that has a default security issue and is trying to directly ask in my issue, which I put my time into researching.

@tooryx
Member

tooryx commented Sep 4, 2024

@secureness I think you misread my previous comment. I removed the Contributor queue because it is labeled with ai-bounty-prp which are bound by a different set of rules (see https://google.github.io/tsunami-security-scanner/2024/03/19/tsunami-network-scanner-ai-security.html)

I am actually offering you the opportunity to work on this additionally, if you are still interested. If you are not, and only then, will I assign it to someone else.

~tooryx

@tooryx
Member

tooryx commented Sep 4, 2024

By "working on this additionally" I meant on top of your currently ongoing Contributor main.

@secureness
Contributor Author

Hi @tooryx, Apologies if I came across as aggressive earlier (since I noticed the queue tag was removed).
Yes, please consider this as my main AI bounty submission. I will work on writing the plugin this week.

@tooryx tooryx added the Contributor main The main issue a contributor is working on (top of the contribution queue). label Sep 4, 2024
@secureness
Contributor Author

secureness commented Sep 10, 2024

@tooryx
Here is my detailed research:
The password for a newly created OSS version is not constant anymore as of July 2024: https://docs.airbyte.com/release_notes/july_2024#-highlights (https://github.com/airbytehq/abctl/releases/tag/v0.11.0).

But we have some non-default weak usernames and passwords that can be set after installation, like user@company.example/new_password (https://docs.airbyte.com/using-airbyte/getting-started/oss-quickstart#2-run-airbyte).

When we set it up with Docker, we have two weak credentials: the default is airbyte/password and the other can be your_new_username_here/your_new_password_here (https://docs.airbyte.com/deploying-airbyte/docker-compose).

We can have an exposed Airbyte instance too (https://docs.airbyte.com/deploying-airbyte/integrations/authentication#turning-off-authentication).

For post-auth checks, we can check for out-of-band HTTP requests or DNS requests, because Airbyte can send arbitrary HTTP requests to any server we want.

@tooryx
Member

tooryx commented Sep 10, 2024

Hi @secureness,

You can proceed with this one.
For the post authentication checks, you might not be able to use the callback server from the weak credential plugin, so you might have to resort to pattern matching.

Let us know how it goes.
~tooryx

@secureness
Contributor Author

@tooryx
I tried to find an endpoint that could be somehow unique compared with other web applications.

From account settings we can get a list of connectors, like the following screenshot:
[screenshot: connector list in account settings]

The request is an HTTP POST to /api/v1/source_definitions/list_latest and the response contains a lot of data in JSON format.
[screenshot: JSON response of list_latest]

@tooryx
Member

tooryx commented Sep 11, 2024

Sorry @secureness but I am not following. Is this a question? To check that the authentication succeeded?

~tooryx

@secureness
Contributor Author

@tooryx I want to check this endpoint by parsing the JSON. I just wanted to let you know what exactly I'm going to do.

@tooryx
Member

tooryx commented Sep 11, 2024

Thank you. I am a bit worried that the list of connectors might be different depending on the install though, no?

@secureness
Contributor Author

secureness commented Sep 12, 2024

Yes, you are right. One idea can be checking for the keys of the JSON, not the values.
I can parse the HTML pages to reach the body or title to check for specific strings too.

@tooryx
Member

tooryx commented Sep 12, 2024

I will leave it to your judgement. If the HTML content is sufficient, I would recommend favoring that approach though.

~tooryx
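As an added example (not code from this issue, the linked PR, or the Tsunami project), the post-auth fingerprint discussed above in Python: it matches on the key names of the list_latest JSON response rather than on the connector values, which differ between installs, and falls back to the HTML title. The expected key names and the "Airbyte" title are assumptions about the response shape and must be verified against a real instance.

```python
import json
import re

# Assumed shape of the /api/v1/source_definitions/list_latest response:
# a top-level list under this key, each entry carrying at least these keys.
# Values are deliberately never compared (the installed connector list varies).
EXPECTED_TOP_KEY = "sourceDefinitions"
EXPECTED_ENTRY_KEYS = {"sourceDefinitionId", "name", "dockerRepository"}
TITLE_RE = re.compile(r"<title>\s*([^<]*?)\s*</title>", re.IGNORECASE)


def json_keys_match(body: str) -> bool:
    """True when the body parses as JSON with the expected key structure."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return False
    if not isinstance(data, dict):
        return False
    entries = data.get(EXPECTED_TOP_KEY)
    if not isinstance(entries, list) or not entries:
        return False
    # Every entry must carry the expected key set; values are ignored.
    return all(isinstance(e, dict) and EXPECTED_ENTRY_KEYS.issubset(e) for e in entries)


def html_title_match(body: str) -> bool:
    """Fallback: look only at the <title> element, not the whole page body."""
    m = TITLE_RE.search(body)
    return bool(m) and "airbyte" in m.group(1).lower()


def authenticated_airbyte(status: int, content_type: str, body: str) -> bool:
    """Decide whether a post-login response looks like an Airbyte instance.
    A non-200 status (e.g. 401 after a login redirect) is never a match."""
    if status != 200:
        return False
    ctype = content_type.lower()
    if "json" in ctype:
        return json_keys_match(body)
    if "html" in ctype:
        return html_title_match(body)
    return False


# Constructed sample responses (not captured from a real instance).
SAMPLE_JSON = json.dumps({"sourceDefinitions": [
    {"sourceDefinitionId": "00000000-0000-0000-0000-000000000001",
     "name": "Example Source", "dockerRepository": "example/source",
     "dockerImageTag": "0.1.0"}]})
SAMPLE_HTML = "<html><head><title>Airbyte</title></head><body></body></html>"
```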

@secureness secureness linked a pull request Sep 13, 2024 that will close this issue
@tooryx tooryx linked a pull request Oct 23, 2024 that will close this issue