LAB: Role Based Access Control
In this post I completed Stage 1 and Stage 3. To complete the stages I attacked the OWASP Top 10 2017 A5: Broken Access Control vulnerability – the application had flaws that let me perform admin-level actions as a normal user.
My solution to Stage 1:
I logged in as Tom Cat. I browsed to the “Staff List” page and looked at the source code in the inspector for the “ViewProfile” and “Logout” buttons. The first name guess for a button to delete a user would be “DeleteUser”. I modified the “ViewProfile” HTML code in the inspector and changed the value to “DeleteProfile”:
<input name="action" value="DeleteProfile" type="submit">
And then I clicked ViewProfile button and completed the Stage 1.
My solution to Stage 3:
The solution for Stage 3 was similar to the solution for Stage 1. I looked at the source code for the same view, this time for the selected employee (Tom Cat). It had the value 105 for the parameter, which was most likely Tom Cat’s employee id. I tried to change that to 104:
<option selected="" value="104">Tom Cat (employee)</option>
And then I clicked ViewProfile and got Eric Walker’s profile page instead of Tom’s – Stage 2 succeeded.
MITRE ATT&CK: Exploit Public-Facing Application
“The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior.” https://attack.mitre.org/techniques/T1190/
The vulnerabilities above (WebGoat LAB) correspond to the MITRE ATT&CK technique “Exploit Public-Facing Application”. The application in WebGoat had a design vulnerability that enabled access to sensitive, admin-level data as a normal user: the server trusted the action name and employee id sent by the client instead of checking the logged-in user’s role and ownership on the server side. I used the inspector to modify the HTML code and send requests, but for example mitmproxy could also be used to exploit this kind of vulnerability.
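To show what the missing check looks like, here is an added example (my own illustration, not WebGoat’s code) of a request handler for the ViewProfile / DeleteProfile actions from the lab, first as the vulnerable version that trusts the form fields and then as a hardened version that authorizes on the server-side session. The users, the “hr” role and the ids are constructed to mirror the lab; only 104 and 105 come from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    employee_id: int
    name: str
    role: str  # "employee" or "hr" (constructed role names)


# Constructed sample directory; 104/105 are the ids seen in the form.
USERS = {
    104: User(104, "Eric Walker", "employee"),
    105: User(105, "Tom Cat", "employee"),
    101: User(101, "HR Admin (constructed)", "hr"),
}

# Roles allowed to perform each action on someone else's record.
ACTION_ROLES = {"ViewProfile": {"employee", "hr"}, "DeleteProfile": {"hr"}}


def vulnerable_handle(session_user_id: int, action: str, employee_id: int) -> str:
    """Stage 1/3 bug: executes whatever 'action' and 'employee_id' the client sent.

    The session user is never consulted, so editing the hidden form values is enough."""
    target = USERS.get(employee_id)
    if target is None or action not in ACTION_ROLES:
        return "400 bad request"
    return f"200 {action} on {target.name}"


def hardened_handle(session_user_id: int, action: str, employee_id: int) -> str:
    """Authorizes from the server-side identity: role gates the action,
    ownership gates the target. Form values are treated as untrusted input."""
    actor = USERS.get(session_user_id)
    target = USERS.get(employee_id)
    if actor is None or target is None or action not in ACTION_ROLES:
        return "400 bad request"
    if actor.role not in ACTION_ROLES[action]:
        return "403 forbidden"  # Stage 1: employee sends DeleteProfile
    if actor.role == "employee" and target.employee_id != actor.employee_id:
        return "403 forbidden"  # Stage 3: Tom (105) requests id 104
    return f"200 {action} on {target.name}"
```

A 403 on a tampered request is also the event worth logging and alerting on, since a legitimate UI never produces it.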
This post is homework 2 for Tero Karvinen’s course Penetration Testing.
// Irene Kunnari