Enketo 6.2.1 - Auth-Bypass, SSRF, and XXE Browser Abuse to File Read

contact@rodolpheg.xyz (0xRo) — Sat, 07 Feb 2026 00:00:00 +0000

Introduction

Original post: OffenSkill - Enketo 6.2.1 - Auth-Bypass, SSRF, and XXE Browser Abuse to File Read

This training session was focused on white-box code review, application, and system runtime introspection.
We wanted to work on a JavaScript backend framework and Enketo Express seemed to be a good candidate. The source code is available on GitHub - enketo/enketo-express and the version we assessed was the version 6.2.1, built with the official Dockerfiles.

Enketo is a cross platform software used to (quoting):

Amazon AppSec CTF: HalCrypto

contact@rodolpheg.xyz (0xRo) — Sun, 21 Sep 2025 00:00:00 +0000

Executive Summary

Challenge: HalCrypto
Category: Web Security
Vulnerability: JWT validation bypass via URL confusion with @ symbol
Impact: Authentication bypass leading to admin access
Flag: HTB{r3d1r3c73d_70_my_s3cr37s}

Vulnerability Overview

Attack Flow Diagram

graph TD
 A[User Login + Attacker JWT] --> B[AuthMiddleware]
 B --> C[Extract JKU URL from Header]
 C --> D{Validate JKU URL<br/>lastIndexOf check}
 D -->|"URL starts with AUTH_PROVIDER<br/>string-based comparison"| E[PASSES]
 D -->|"Does not start with AUTH_PROVIDER"| R[Rejected]

 E --> F["Fetch JWKS from JKU URL"]
 F --> G["JWT Verification with<br/>attacker's public key"]
 G --> H[Auth Bypass]
 H --> I[Flag]

 subgraph "URL Confusion"
 J["Validator sees:<br/>http://127.0.0.1:1337@attacker.com/...<br/>starts with AUTH_PROVIDER ✓"]
 K["HTTP client connects to:<br/>attacker.com<br/>treats 127.0.0.1:1337 as credentials"]
 end

 D -.-> J
 F -.-> K

Source-to-Sink Analysis

1. Entry Point - JWT Authentication (Source)

The vulnerability starts when the AuthMiddleware processes JWT tokens:

Auth Bypass on RORO's blog