Hello and welcome to the Cybrary Secure Coding course.
My name is Sunny Wear, and this is OWASP Top 10 for 2013, A10 Unvalidated Redirects and Forwards demo: Unvalidated URLs.
This is the demo for A10, Unvalidated Redirects and Forwards.
We're actually going to look at it in terms of URLs on a web page.
If you go into Mutillidae, in the OWASP 2013 Unvalidated Redirects and Forwards section, and you go to the Credits page,
you will land on this page now. This particular page was also used in regards to tokenization and addressing Insecure Direct Object Reference, but I want to actually look at it from a different point of view.
Now I'm going to toggle the security to be level zero,
and I'm going to turn on my interceptor in Burp Suite,
and let's go ahead and click this link.
What we can see is there is a parameter here
that is being passed into the PHP script, and it's called forwardurl.
And this was really where the problem was
in the other demo: we could very easily change this to whatever we like. We could change it to our hacker's website, for example,
right? Or we could change it to actually view a restricted file on the system.
And then we forward that,
and we can see that it goes to that page.
Now if I go back and
I crank up the security,
so now I'm at security level five,
if we take a look at the code,
what I wanted to point out is this:
here we're actually in the file that gets executed, which is redirectandlog.php. And if we look at case five, where our security level is five, we can see that we're still getting that parameter, forwardurl.
There's now this regex pattern matching
where it is looking for
a small integer, right, so it's looking for a digit,
and it's a valid positive number
between zero and nine, says the regex pattern, making sure the user doesn't send in characters that are not actually digits
but can be cast to digits.
One of the things I wanted to point out is, of course, that the tokenized numbers then correspond to the URLs, right? So as we go through this switch statement, you can see a case for each digit.
But one of the things I wanted to bring out is that for
any kind of location or redirection,
you want to secure and lock down what can actually be placed there.
And there are also other ways that you can ensure that, even if you had,
say, a reflected cross-site scripting vulnerability that would lead to the actual poisoning of your page,
you could still ensure that any location redirects
are basically contained within your own domain. And so there's code that we're going to take a look at
in the defenses section that can do that.
So, just out of curiosity, I'm going to attempt it:
I've turned on my Burp Suite
and captured the request.
You can see that now it's a digit, right? So if I try,
if I try to place the exploit in there now,
I get a nice error message, so we can see that the validation is occurring properly.
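The two defenses the transcript describes, a one-digit token checked by a regex and mapped through a fixed list of destinations, plus a check that the resulting Location stays on the site's own host, as an added PHP example. This is not Mutillidae's own code; the parameter name forwardurl, the target list and reading the site host from HTTP_HOST are assumptions made for illustration.

```php
<?php
// Added example, not Mutillidae's own redirectandlog.php. Assumed: the parameter
// is named "forwardurl", the target list is made up, own host comes from HTTP_HOST.
// Token -> destination allowlist. Only these strings can ever reach the Location header.
$allowedTargets = [
    0 => '/index.php?page=home.php',
    1 => '/index.php?page=credits.php',
    2 => 'https://www.owasp.org/',   // off-site on purpose: the origin check rejects it
];

// Layer 1: the level-5 style check, exactly one digit 0-9 and nothing else.
// \A and \z anchor the whole string; a bare "$" would still accept "5\n".
function tokenFromRequest(array $get): ?int
{
    $raw = $get['forwardurl'] ?? null;
    if (!is_string($raw) || !preg_match('/\A[0-9]\z/', $raw)) {
        return null; // rejects "1 ", "0x1", "../etc/passwd", "http://evil.example"
    }
    return (int) $raw;
}

// Layer 2: whatever the token maps to, the destination must stay on our own host.
function isSameOrigin(string $url, string $ourHost): bool
{
    $p = parse_url($url);
    if ($p === false || isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    if (isset($p['host'])) {   // absolute URL (also catches protocol-relative "//evil")
        $scheme = strtolower($p['scheme'] ?? '');
        return in_array($scheme, ['http', 'https'], true) && strcasecmp($p['host'], $ourHost) === 0;
    }
    // No host: allow one leading "/" only; "/\evil" is treated as "//evil" by browsers.
    return isset($p['path']) && preg_match('#\A/(?![/\\\\])#', $p['path']) === 1;
}

$ourHost = $_SERVER['HTTP_HOST'] ?? 'localhost';
$token   = tokenFromRequest($_GET);
if ($token === null || !array_key_exists($token, $allowedTargets)) {
    http_response_code(400);
    exit('Invalid forwardurl token');
}
$dest = $allowedTargets[$token];
if (!isSameOrigin($dest, $ourHost)) {
    http_response_code(400);
    exit('Refusing to redirect off this site');
}
header('Location: ' . $dest, true, 302);
exit;
```

Token 2 passes the digit check but is still refused, which is the point of the second layer: the regex only proves the parameter is a digit, while the origin check proves the destination is one the site is willing to send the browser to.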