Added security testbed for n8n Exposed REST API#199

Open
YuriyPobezhymov wants to merge 2 commits into google:main from YuriyPobezhymov:main

Conversation

@YuriyPobezhymov
Contributor

No description provided.

@robert-doyensec

Hi @YuriyPobezhymov , can you update this to include a short proof-of-concept (curl command, etc.) in the README for debug purposes?
Also, is this only for versions 0.*? Is there any way that N8N might be misconfigured in newer versions to allow unauthenticated access? You mentioned a reverse proxy misconfiguration for newer versions, so I was wondering if the detector would be able to work in that situation.

@YuriyPobezhymov
Contributor Author

YuriyPobezhymov commented Mar 27, 2026

Hi @robert-doyensec, thank you for the feedback!

I've significantly updated both the detector and testbeds after testing edge cases across multiple n8n versions and configurations - please see the updated README for full details including proof-of-concept curl commands.

To answer your questions briefly:

  • PoC: added to the README with step-by-step curl commands covering vulnerable setups.
  • Version scope: confirmed across all n8n 0.x releases, from early versions without user management (e.g. 0.54.0) through later 0.x releases.
  • Reverse proxy / newer versions: tested as an edge case — unable to reproduce unauthenticated /rest/workflows access on any 1.x (or 2.x) deployment. n8n there enforces auth at the application layer regardless of proxy configuration, so this attack surface does not extend to modern versions.
  • UI fingerprinting: removed as basic auth in the split-brain configuration blocks / while leaving /rest/* open, so relying on the UI would cause the detector to miss its primary target. /rest/settings fingerprinting works reliably across all vulnerable configurations.
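
The two-step check the comment above describes (fingerprint the instance via GET /rest/settings, then see whether GET /rest/workflows answers without credentials), written as an added Python example for an operator verifying that their own deployment enforces authentication. This is not the PR's detector or testbed code. The response shapes it relies on (a JSON object with a `data` member, a `versionCli` string inside the settings, a workflow list under `data` on /rest/workflows) are assumptions and are labelled as such in the code; the sample responses are constructed so the classification runs offline.

```python
"""Added example (not the PR's detector or testbed code): fingerprint an n8n
instance via GET /rest/settings, then test whether GET /rest/workflows is
readable with no credentials.

Assumed response shapes (hypothetical, not stated in the PR):
- /rest/settings on a reachable instance: HTTP 200, JSON object whose "data"
  member is an object, optionally carrying a "versionCli" string;
- /rest/workflows when exposed: HTTP 200, JSON object whose "data" member is
  a list; when protected: 401/403, or a redirect to a non-JSON login page.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Probe:
    """Minimal view of one HTTP response: status code and decoded body."""
    status: int
    body: str


def _json_object(body):
    """Parse body as JSON and return it only if it is a JSON object."""
    try:
        value = json.loads(body)
    except ValueError:
        return None
    return value if isinstance(value, dict) else None


def settings_fingerprint(settings):
    """Return the settings 'data' object if the probe looks like n8n's
    /rest/settings document (assumed shape), else None."""
    if settings.status != 200:
        return None
    doc = _json_object(settings.body)
    if doc is None or not isinstance(doc.get("data"), dict):
        return None
    return doc["data"]


def reported_version(settings):
    """Version string from the settings document, or None when absent."""
    data = settings_fingerprint(settings)
    if data is None:
        return None
    version = data.get("versionCli")
    return version if isinstance(version, str) else None


def classify(settings, workflows):
    """Verdict for one instance:
    "no-fingerprint": /rest/settings did not look like n8n, so the check
                      described in the thread does not apply;
    "exposed":        /rest/workflows returned a workflow list with no
                      credentials;
    "protected":      fingerprint matched but /rest/workflows was not readable.
    """
    if settings_fingerprint(settings) is None:
        return "no-fingerprint"
    if workflows.status == 200:
        doc = _json_object(workflows.body)
        if doc is not None and isinstance(doc.get("data"), list):
            return "exposed"
    return "protected"


def fetch(base_url, path, timeout=5.0):
    """GET base_url+path with no credentials and wrap the result as a Probe.
    Non-2xx answers are captured rather than raised; redirects are followed,
    so a redirect to a login page ends up as a non-JSON 200 body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.read().decode("utf-8", "replace"))


def check_instance(base_url):
    """Run both probes against one deployment; return (verdict, version)."""
    settings = fetch(base_url, "/rest/settings")
    workflows = fetch(base_url, "/rest/workflows")
    return classify(settings, workflows), reported_version(settings)


# Constructed sample responses so the classification can be exercised offline.
SAMPLE_SETTINGS = Probe(200, '{"data": {"versionCli": "0.54.0", "timezone": "UTC"}}')
SAMPLE_WORKFLOWS_OPEN = Probe(200, '{"data": [{"id": "1", "name": "example"}]}')
SAMPLE_WORKFLOWS_AUTH = Probe(401, '{"code": 401, "message": "Unauthorized"}')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_instance(sys.argv[1]))  # e.g. http://localhost:5678
    else:
        print(classify(SAMPLE_SETTINGS, SAMPLE_WORKFLOWS_OPEN))  # exposed
        print(classify(SAMPLE_SETTINGS, SAMPLE_WORKFLOWS_AUTH))  # protected
```

Run it with your deployment's base URL to get a verdict and the version the instance reports; with no argument it classifies the constructed samples. A `protected` verdict on a split-brain proxy setup is the result to look for: the fingerprint still matches because /rest/settings is readable, but the workflow listing is not.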
