Authorization

URL Parameter

Start by accessing the information and observing the pattern used in the URLs: /infos/1, /infos/2. The identifier is a sequential database id, which is what makes the enumeration below possible.

You can access the information using a method similar to the one seen previously.

This time you cannot directly read the other users' information; however, you can see that you are now able to edit information. Because the edit action does not check that the record belongs to you, you can use this feature to access other users' information just by incrementing the number in the URL.
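The gap described above, modelled as an added example in plain Ruby (it is not the exercise's code and does not use Rails): the show action checks ownership, the edit action does not, and a loop over ids finds every record the edit action lets through. The Info store, the user ids and the NotAuthorized error are assumptions made for the illustration.

```ruby
# Added example, not PentesterLab's code. The store, users and error class
# below are assumptions used to model the exercise without Rails.

NotAuthorized = Class.new(StandardError)

Info = Struct.new(:id, :owner_id, :body)

# Constructed sample data: two users, each owning one record.
INFOS = {
  1 => Info.new(1, 1, 'alice secret'),
  2 => Info.new(2, 2, 'bob secret')
}.freeze

# GET /infos/:id -- the show action checks ownership, so directly reading
# another user's record fails, which is the situation on this page.
def show_info(current_user_id, id)
  info = INFOS.fetch(id)
  raise NotAuthorized unless info.owner_id == current_user_id
  info
end

# PUT /infos/:id -- the vulnerable edit action: it looks the record up by id
# only, so any authenticated user can rewrite (and, through the pre-filled
# edit form, read) every other record by changing the number in the URL.
def update_info_vulnerable(_current_user_id, id, new_body)
  info = INFOS.fetch(id) # no owner check
  info.body = new_body
  info
end

# Hardened edit: resolve the record through the current user's ownership
# (Rails equivalent: current_user.infos.find(params[:id])), so a foreign id
# behaves exactly like a missing one.
def update_info_fixed(current_user_id, id, new_body)
  info = INFOS[id]
  raise NotAuthorized unless info && info.owner_id == current_user_id
  info.body = new_body
  info
end

# The attacker's loop: try each id against an edit action and record which
# ids the application accepts. A no-op rewrite keeps the data intact.
def enumerate_editable_ids(current_user_id, range, action)
  range.select do |id|
    begin
      action.call(current_user_id, id, INFOS.fetch(id).body)
      true
    rescue NotAuthorized, KeyError
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p enumerate_editable_ids(1, 1..3, method(:update_info_vulnerable)) # user 1 can edit 1 and 2
  p enumerate_editable_ids(1, 1..3, method(:update_info_fixed))      # user 1 can edit only 1
end
```

The point of the fixed version is that ownership is part of the lookup rather than a check bolted on afterwards: a record you do not own is indistinguishable from one that does not exist, which also avoids leaking which ids are valid.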

Adding Extension

Here, most of the code is generated automatically, and access to different representations (HTML, JSON) of the same database record is also handled automatically by the framework.

For example, by accessing /users/1, you will see an HTML page with the first user's details, but the scoring key has been masked. The same record is served in other formats when an extension is appended to the URL, for example /users/1.js or /users/1.json.

You should therefore be able to retrieve the JSON representation of this user's details by modifying the URL. The masking is applied in the HTML view only, so the JSON serialisation of the record, which by default includes every column, is not subject to it.
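The format bypass above, as an added example in plain Ruby (not the exercise's code): a Rails-style resource path is parsed for its id and extension, the HTML view masks the key, and the default JSON serialisation dumps every column, next to a hardened serialisation that allow-lists fields. The User struct, its key column and the sample value are assumptions; only the .json extension is modelled, since the exercise is about the JSON representation.

```ruby
require 'json'

# Added example, not the exercise's code. The User struct, its `key` column
# and the sample record are assumptions made for the illustration.
User = Struct.new(:id, :username, :key)

# Constructed record containing the sensitive field the HTML view masks.
USERS = { 1 => User.new(1, 'alice', 'sk_live_0123456789') }.freeze

# Rails infers the response format from the trailing extension:
# /users/1.json -> [1, "json"]; no extension means html.
def parse_resource_path(path)
  m = path.match(%r{\A/users/(\d+)(?:\.(\w+))?\z}) or raise ArgumentError, "bad path #{path}"
  [m[1].to_i, m[2] || 'html']
end

# What ActiveRecord#to_json does by default: serialise every column,
# including the one the HTML template took care to mask.
def json_all_columns(user)
  JSON.generate(user.to_h)
end

# Hardened: an explicit allow-list (the equivalent of as_json(only: [...])
# or a dedicated serializer). The masked field never reaches the wire,
# whatever format the client asks for.
def json_public(user)
  JSON.generate(user.to_h.slice(:id, :username))
end

def render_user(path, hardened: false)
  id, format = parse_resource_path(path)
  user = USERS.fetch(id)
  case format
  when 'html'
    "<p>#{user.username}</p><p>key: ****</p>" # masking lives in the view only
  when 'json'
    hardened ? json_public(user) : json_all_columns(user)
  else
    raise ArgumentError, "unsupported format #{format}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_user('/users/1')                       # key masked
  puts render_user('/users/1.json')                  # key leaked
  puts render_user('/users/1.json', hardened: true)  # key absent
end
```

The check a reviewer wants here is whether masking is done in one template or in the model's serialisation: anything done only in the HTML view is bypassed by every other format the controller responds to.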

Mass Assignment

When people started building websites with databases to store information, they had to write a lot of SQL by hand. Some realised that this was not the best solution and started working on smarter alternatives, building Object-Relational Mappers (ORMs) to query the database without writing SQL directly.

For example, in Ruby (using ActiveRecord), you can do things like:

@user = User.find_by_name('pentesterlab')

This will automatically generate and execute the query, then retrieve the result in a User object.

Another really handy usage is to automatically create and update an object from a hash:

@user = User.create(myhash) 
[...]
@user.update_attributes(anotherhash)

Unfortunately, this useful feature comes with a security price.

If a developer did not correctly protect the attributes of the @user object, an attacker controlling the hash could overwrite any of them, including ones that were never meant to be set from a request. In this section, we will see some common examples of this type of issue: mass assignment.

In this example, you can register a user. The application has two levels of privileges:

  • User.

  • Admin.

The admin privilege is set using the attribute admin on the User object. If you look closely at the parameter format used by the web application, user[username] and user[password], you should be able to find a way to get admin access. Three methods can be used:

  • Modify the page directly using a browser extension.

  • Save the page and modify offline to create a page that will send the right payload to the right URL.

  • Use a proxy to intercept the legitimate request and add your parameter (the fastest option).

// Original registration request
user[username]=admin&user[password]=admin&submit=Submit

// Modified request with the extra parameter
user[username]=admin&user[password]=admin&submit=Submit&user[admin]=true

The next step is to set your organisation using mass assignment.

By convention (this can be changed programmatically), when a developer uses ActiveRecord (Ruby on Rails' most common data mapper) and a class Organisation has many Users, the relation is managed using a field organisation_id in the users table, exposed as an attribute of the User class.

The following Ruby code declares the relation:

class User < ActiveRecord::Base
  belongs_to :organisation
end

class Organisation < ActiveRecord::Base
  has_many :users
end

You can guess that an organisation is involved by visiting the organisation page and looking at the URL. The class is probably named Organisation, and therefore the foreign key in the users table is likely to be organisation_id. The same technique as before applies: add user[organisation_id]=<id> to the request and the unprotected foreign key is written like any other attribute.
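Both mass-assignment steps on this page (the admin flag and the organisation_id foreign key) use the same mechanism, so one added example covers them. This is plain Ruby, not the exercise's or Rails' code: a small parser for the user[attribute]=value parameter format, a User class whose unchecked assignment behaves like User.create(params[:user]) on an unprotected model, and a strong-parameters-style allow-list beside it. The User class, its attribute list and the allow-list are assumptions chosen to match the attributes discussed above.

```ruby
require 'uri'

# Added example, not the exercise's or Rails' code. The User class, its
# attributes and the permitted list are assumptions for the illustration.

# Parse a Rails-style nested query string, e.g.
# "user[username]=admin&user[admin]=true" into
# {"user"=>{"username"=>"admin","admin"=>"true"}}. One level of nesting,
# which is all the exercise needs.
def parse_nested_query(query)
  query.split('&').each_with_object({}) do |pair, params|
    raw_key, raw_value = pair.split('=', 2)
    key = URI.decode_www_form_component(raw_key)
    value = URI.decode_www_form_component(raw_value.to_s)
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

class User
  ATTRIBUTES = %w[username password admin organisation_id].freeze
  attr_accessor(*ATTRIBUTES.map(&:to_sym))

  def initialize
    @admin = false
    @organisation_id = nil
  end

  # Vulnerable: the equivalent of User.create(params[:user]) on a model with
  # no attribute protection. Every column, including admin and the
  # organisation_id foreign key, is writable straight from the request.
  def assign_attributes_unchecked(attrs)
    attrs.each do |name, value|
      next unless ATTRIBUTES.include?(name.to_s) # unknown columns would raise in AR
      public_send("#{name}=", cast(name, value))
    end
    self
  end

  # Hardened: strong-parameters-style allow-list. Keys not in `permitted`
  # are dropped before assignment, so user[admin] and user[organisation_id]
  # never reach the model.
  def assign_attributes_permitted(attrs, permitted: %w[username password])
    assign_attributes_unchecked(attrs.select { |k, _| permitted.include?(k.to_s) })
  end

  private

  # Mimic ActiveRecord's type casting for the boolean and integer columns.
  def cast(name, value)
    case name.to_s
    when 'admin' then %w[true 1 t].include?(value.to_s.downcase)
    when 'organisation_id' then value.nil? ? nil : Integer(value)
    else value
    end
  end
end

# The registration action, in both flavours.
def register_vulnerable(query)
  User.new.assign_attributes_unchecked(parse_nested_query(query).fetch('user'))
end

def register_fixed(query)
  User.new.assign_attributes_permitted(parse_nested_query(query).fetch('user'))
end

if __FILE__ == $PROGRAM_NAME
  evil = 'user[username]=admin&user[password]=admin&submit=Submit&user[admin]=true&user[organisation_id]=1'
  p register_vulnerable(evil).admin # true
  p register_fixed(evil).admin      # false
end
```

In Rails the allow-list is written as params.require(:user).permit(:username, :password) (Rails 4 and later) or attr_accessible on the model (Rails 3); note that the foreign key is just another column, so a whitelist that forgets organisation_id has the same problem as one that forgets admin.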
