Part 3 IDOR files tokens Demo


Difficulty
Intermediate
Video Description

This lesson demonstrates an insecure direct object reference (IDOR) involving files and file names, and the subsequent use of tokenization to mitigate the risk. Users select a file to view, and the page displays its content. Burp Suite is used to intercept the request and check whether the file is referenced directly. When it is, the request is sent to Repeater, the Decoder is used to URL-encode a path to boot.ini, and that encoded path replaces the text file name in the request, which reveals the contents of boot.ini.
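The following is an added example written for this page; it is not the Mutillidae text file viewer and not code from the lesson. It contrasts the two patterns the demo compares: a viewer that opens whatever file name arrives in the request (security level 0) and a viewer that accepts only a server-side token mapped to an allowed file (security level 5). The directory layout, file names, tokens and the "secret.ini" stand-in for boot.ini are constructed sample values; the path-containment check in the hardened version is an extra defence-in-depth step that the lesson itself does not show.

```python
"""Direct file reference vs. server-side token mapping (added example).

Not the Mutillidae code or the lesson's code. All paths, file contents and
tokens below are constructed for this illustration.
"""
import secrets
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample layout: a "files" directory the viewer is meant to serve
# from, plus a sensitive file one level above it (stand-in for boot.ini).
ROOT = Path(tempfile.mkdtemp())
FILES_DIR = ROOT / "files"
FILES_DIR.mkdir()
(FILES_DIR / "robots.txt").write_text("User-agent: *\nDisallow: /admin\n")
(FILES_DIR / "notes.txt").write_text("public notes\n")
(ROOT / "secret.ini").write_text("[boot loader]\nconstructed sensitive content\n")


def view_file_direct(filename_param: str) -> str:
    """Vulnerable pattern (security level 0 in the lesson): the request
    parameter is URL-decoded and used as the file name as-is, so the
    client decides which file on disk is opened."""
    filename = unquote(filename_param)
    return (FILES_DIR / filename).read_text()


# Server-side token map (security level 5 in the lesson): each viewable file
# gets an opaque random token, and the token is all the client ever sees.
TOKEN_TO_FILE = {secrets.token_urlsafe(16): name for name in ("robots.txt", "notes.txt")}
FILE_TO_TOKEN = {name: tok for tok, name in TOKEN_TO_FILE.items()}


def view_file_tokenized(token_param: str) -> str:
    """Hardened pattern: the request carries only a token. Anything not in
    the server-side map (a tampered token, a traversal string) is rejected
    before any file system access happens."""
    token = unquote(token_param)
    filename = TOKEN_TO_FILE.get(token)
    if filename is None:
        raise PermissionError("unknown file reference")
    target = (FILES_DIR / filename).resolve()
    # Defence in depth (not part of the lesson): even a mapped name must
    # resolve to a location inside FILES_DIR.
    if FILES_DIR.resolve() not in target.parents:
        raise PermissionError("reference resolves outside the served directory")
    return target.read_text()


def demo() -> dict:
    """Run both viewers against a normal request and a traversal request."""
    traversal = "..%2Fsecret.ini"  # URL-encoded ../secret.ini, the shape used in the transcript
    results = {
        "direct_normal": view_file_direct("robots.txt").splitlines()[0],
        # The direct viewer happily reads the file outside the served directory.
        "direct_traversal_leaks": "sensitive" in view_file_direct(traversal),
        "token_normal": view_file_tokenized(FILE_TO_TOKEN["robots.txt"]).splitlines()[0],
    }
    try:
        view_file_tokenized(traversal)
        results["token_traversal_blocked"] = False
    except PermissionError:
        results["token_traversal_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important property is that the token map lives only on the server: the client cannot derive a token for a file that was never mapped, so substituting a different value gives an error rather than a different file, which is exactly the behaviour seen at security level 5 in the transcript.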

Video Transcription
00:04
Hello and welcome to the Cybrary secure coding course. My name is Sonny Wear, and this is OWASP Top 10 for 2013, A4, insecure direct object reference demo. And that's an insecure direct object reference when working with files. And then we're going to see
00:23
the subsequent use of tokenization to prevent this.
00:28
This is the demo for insecure direct object reference in regards to working with files, file names,
00:36
and then the subsequent use of tokenization in order to prevent or mitigate this security risk.
00:44
So we're actually going to use Mutillidae, and how you get to the screen is you're going to go to A4, text file viewer,
00:57
and
00:58
there's a drop down list here that allows the user to select a file to view. And we could certainly do that.
01:06
You can see it just displays the contents of that file on the page.
01:11
Now for security level zero, what I want to do is I want to actually intercept this particular request in Burp Suite
01:22
and see if there is an insecure direct object reference. If I can reference the file directly
01:30
and so let's go ahead and do that now turn the interceptor on
01:36
click view file.
01:38
Burp Suite has captured it. And sure enough, it looks like the text file is referenced directly, so I can probably use this to my advantage. What I'm gonna do is I'm gonna go ahead and send this over to the Repeater,
01:56
and then I'm going to
01:59
actually
02:00
use the decoder to
02:04
see if I can instead put my boot.ini file reference there. So this was done in another attack, for the dot-dot-slash directory traversal. But all you can,
02:17
all you need to do is just type in dot dot forward slash, dot dot forward slash, dot dot forward slash, dot dot forward slash,
02:25
boot.ini. Make sure that you encode that as URL,
02:30
and then copy
02:32
the contents of that and replace
02:38
your text file
02:39
with your URL-encoded boot.ini reference file. Let's go ahead and forward that and turn off our interceptor.
02:50
And sure enough, we get to see the contents of the boot.ini file. And this is because we're directly referencing the file itself.
03:00
Okay, so let me go back to Burp, and I'm actually going to click Go. This will give me my response, but I want to send this request over to the Comparer,
03:16
and so that's because we're gonna do some comparisons. So we go ahead and
03:24
turned.
03:25
I'm gonna leave the proxy off. I'm going to crank up
03:30
the security level
03:32
to security level one.
03:36
I just want to see if there's any difference here in how the file is being handled. So
03:43
so go ahead and turn on my interceptor.
03:46
View file.
03:50
It looks exactly the same. I'm gonna go ahead and send over to the Repeater just to make sure.
03:57
Okay, I'm gonna send this over to the Comparer.
04:01
So now if we compare the two,
04:09
what we can see is that there's an additional parameter that is added for security level one,
04:16
and that is this pop-up notification SL1.
04:23
But otherwise everything looks identical. So that means that it would be susceptible to the same attack again.
04:30
Okay, great. Well, I could do that.
04:33
I've already got this handy
04:39
going to substitute this text file
04:45
forward that turn off my interceptor
04:47
and I can see the boot.ini file again. Okay,
04:51
Now let's go up to full security.
04:57
So this is gonna be security level five. We're gonna take a look
05:00
at what is different in this particular request.
05:04
So let's once again
05:10
turn on our interceptor
05:13
click view file,
05:15
Huh? Something definitely looks different. Looks like there's a one
05:21
being used for text file. Instead,
05:25
send that to my repeater.
05:32
I'm gonna go ahead and send that to the Comparer,
05:39
okay. And so now, if I... and I'm clicking this Compare words.
05:46
Hey, so
05:47
if I compare
05:50
what was at zero
05:53
security level zero with security level five,
05:57
I can definitely see a difference. Obviously, we've got that pop-up notification that we're on security level five,
06:04
different content length.
06:06
Not really worried about that,
06:10
but this is this is what I'm most interested in. So here we can see
06:15
that in security level zero, the text file is referenced directly. However, in security level five,
06:24
a tokenization, or a token or a reference, has replaced the exact name of the file.
06:31
And so that reference
06:34
is then later mapped to the appropriate text file to be displayed, which is obviously much more secure because
06:43
this one, in and of itself doesn't really have a lot of meaning to me, and I can try to go ahead and manipulate it, but it's probably not going to work, but let's try it just to be sure. So I go back to my decoder
07:00
and I replaced this one
07:04
with the reference of my boot.ini file. I forward that, I turn off my interceptor,
07:11
and I get an error.
07:15
Okay, so this shows that tokenization
07:19
can work to help mitigate this particular security risk.