Part 3 Unvalidated URLs Demo
Video Activity
This lesson offers a demonstration of re-directs and forwards in un-validated URLs. By toggling the security level to be at zero and turning on the interceptor in Burp Suite, users can see a parameter called Forward URL that is being passed into PHP script. This can be changed into anything a coder desires and can lead unsuspecting users to a hosti...
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Description
This lesson offers a demonstration of re-directs and forwards in un-validated URLs. By toggling the security level to be at zero and turning on the interceptor in Burp Suite, users can see a parameter called Forward URL that is being passed into PHP script. This can be changed into anything a coder desires and can lead unsuspecting users to a hostile web site.
Video Transcription
00:03
Hello and welcome to the cyber very secure coding course.
00:08
My name is Sonny Wear, and this is a WASP Top 10 for 2013. A 10 unveil a dated redirects and forwards demo Unveil UNDATED You Earl's.
00:20
This is the demo for a tenon validated redirected forwards.
00:25
We're actually going to look at it in terms of you Earl's on a Web page.
00:31
If you go into Mattila Day in the O. R. Post 2013 unveil undated Redirection forward section and you go to the credits page,
00:42
you will land on this page now. This particular page was also used in regards to token ization and addressing insecure direct object reference. But I want to actually look at it from a different point of view.
00:59
Now I'm going to toggle the security to be level zero,
01:07
and I'm going to turn on my interceptor and burb sweet
01:15
and let's go ahead and click this link,
01:21
and what we can see is there is a parameter here
01:26
that is being passed into the PHP script, and it's called forward you Earl
01:34
And this was really where the problem was
01:38
in the other demo, and we could very easily change this to whatever we like. We could change it to our to our hacker's website, for example,
01:52
right, Or we could we could change it to actually view a restricted file on the system.
02:07
And then we forward that
02:13
and we can see that it goes to that page.
02:15
Now if I go back and
02:20
I crank up thesis a cure ity.
02:28
So now I'm at security level five
02:30
if we take a look at the code,
02:35
What I wanted to point out is
02:38
so here we're actually in the file that gets executed, which is redirecting log. And if we look at a case five where our security level is five, we can see that we're still getting that parameter forward. U R l
02:55
However,
02:58
there's now this rejects pattern matching
03:02
where he is looking for
03:06
a small integer right, so he's looking for a digit,
03:10
and it's a valid positive number
03:14
between zero and nine, says the rejects pattern. Make sure the user doesn't send in characters that are not actually digits
03:23
but can be cast two digits.
03:25
So
03:28
one of the things I wanted to point out, and of course, the token ized numbers, then course fond to the Urals, right? So as we go through this switch statement, you concede case for each digit.
03:43
But one of the things I wanted to bring out is that for
03:47
any kind of location or redirection,
03:53
you want to secure and locked down what can actually actually be placed
03:59
into that field.
04:00
And there's also other ways that you can ensure that even if you had
04:06
a vulnerability,
04:10
uh, say a reflected cross site scripting vulnerability that would lead to the actual poisoning of your page,
04:17
you could still ensure that any location redirects
04:24
are basically contained within your own domain. And so there's a code that we're going to take a look at
04:32
in the defense's section that can do that.
04:35
So, just out of curiosity, I'm going to attempt
04:40
this exploit again,
04:42
turned on my birth sweet
04:46
and kept for the request.
04:51
You can see that now it's a digit, right? So if I try,
04:57
I try to place.
05:08
If I try to place the exploit in there now,
05:13
I actually get
05:15
a nice air message so we can see that the validation is occurring properly.
Up Next
Instructed By
Similar Content
