Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This lesson offers a demonstration in missing level access control, specifically focusing on a Role Based Restricted URL. This looks at the information placed around someone's role and the information that can be accessed as a result.

Video Transcription

00:04
Hello and welcome to the side. Very secure coding course. My name is Sonny. Where? And this is Boa's top 10 for 2013. A seven missing function level access controlled demo. Role based, restricted You are. Well,
00:22
this is the demo for a seven missing function level access control, and we're actually going to take a look at
00:30
the access control that's been placed around somebody's role
00:35
and the information that they can access.
00:38
So I'm starting here on the home page for Mattila Day. If you remember from a previous exercise, we were actually able to get to a PHP information page that provided a lot of details about
00:54
the version of PHP that's running the compiler, etcetera. A lot of information that
01:00
really should only be privy by administrators. And so we're going to actually go to that page, and I want you to note that this is that security level zero,
01:14
which is basically no security at all on. And so I'm gonna go ahead and go to that page
01:23
and notice that I'm not logged in or anything. And yet I am able to see ah, lot of information
01:33
configurations, information that really I should only be able to see as an administrator.
01:41
Now, I'm gonna go ahead and bump up the security too.
01:46
I'm actually going to move it from one all the way up to five.
01:53
So now, as I moved back up to security level five
01:59
and I tried access that page, I actually am denied access.
02:04
And I get this message that states secure sites do not expose administrative or configuration pages to the Internet. So this is good. It means the programmer has actually added in some protection in what information gets displayed. Now, if we take a look at the code,
02:23
what we can see here is this is the actual switch statement where we fall to the different cases according to the security level number.
02:35
So you can see that
02:37
security level zero and one, nothing is being done.
02:42
But once we fall to case five or security level five,
02:47
then we actually have this check being done
02:52
to ensure that we are an administrator.
02:55
So if is admin is equal to true.
03:00
Then it's going to show that PHP info page. Otherwise it's going to display
03:07
the message that we just saw.
03:10
So this is a good lesson, a real simple lesson on
03:15
how we need to ensure that particular functions have access control wrapped around them, and that usually comes in the form of checking rolls or individual accounts.

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Instructor Profile Image
Sunny Wear
Instructor