Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

In this lab-based lesson, participants work through a Role Based Access Control (RBAC) lab in WebGoat: they view an employee profile, intercept the request behind its button with the Burp Suite interceptor, and change the action so that the profile is deleted rather than viewed.

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013, A7, Missing Function Level Access Control, lab from WebGoat. In its role based access control,
00:24
this is the lab for role based access control using WebGoat.
00:30
We're gonna take a look at Stage 1 here. It states: as a regular employee, Tom,
00:38
what we're going to do is exploit the weak access control to use the delete function from a particular page.
00:49
We want to verify that Tom's profile can be deleted.
00:53
Now, it tells us that the passwords for each employee are just their first name in lower case. So that means we can come to the login
01:06
and log in as Tom.
01:11
And when we see his profile,
01:14
basically, what we can do is intercept
01:18
the clicking of one of these buttons and see if we can change, instead of the viewing of the profile, change it to be the actual deletion of his profile.
01:30
So we'll go ahead and start up Burp Suite
01:36
and turn the interceptor on.
01:47
Okay? And so I'm looking at an employee ID of 105 and an action of view profile.
01:57
So just out of curiosity,
01:59
I could try to just change the word view
02:06
to instead be delete and just see if that works.
02:12
And apparently that solved the problem.
02:16
Now, the next stage of the lab asks you to actually put in some authorization checks into the code.
02:25
Now, the developer version of WebGoat is
02:30
probably not being provided here, so I'm going to just reference the code that would be placed in there,
02:38
and I have that available
02:42
right here.
02:45
And so this could be a possible way that you can
02:50
be sure that a user is authorized to do a particular action and in this case would have been deleting a profile.
03:00
So here's the code snippet. So in the design of every application, you're always going to have a role based access control matrix that identifies the roles in that application
03:13
and the authorized actions.
03:16
So if
03:20
if a user ID requests a particular action and they're not authorized to do so, you're gonna throw an exception,
03:28
and then likewise, you're gonna check to ensure that a particular action may be authorized against a certain employee,
03:38
and if it's not, then you're going to throw an unauthorized exception.
03:43
So that takes care of Stage 2.
03:47
So now when we come to Stage 3,
03:53
we here are going to bypass the data layer access control. It says: as a regular employee, Tom, exploit the weak access control to view another employee's profile. Verify the access.
04:09
So once again, we are going to log in as Tom.
04:18
And if I wanted to view another employee's profile,
04:26
I could certainly turn on my Burp Suite.
04:30
Go ahead and intercept
04:32
the request.
04:41
And one of the things that you'll notice is that the employee numbers are in sequential order.
04:48
And so if I changed 105
04:55
to be 106 and then forwarded that,
05:00
then I could very easily see a completely different employee's number and information. So Jerry Mouse, and this is all of Jerry's information.
05:13
And so that completes Stage 3 as well. Stage 4 is the same as Stage 2; you're just going to add,
05:20
um, some code in for an authorization check at your data layer.
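The Stage 2 and Stage 4 fixes described in the lesson, as an added example that is not WebGoat's own code and not the instructor's snippet: a role based access control matrix that lists which actions each role may perform (the function-level check), plus a data-layer check that asks whether the requesting user may perform that action on the specific employee record named in the request. The roles, employee records, IDs and action names below are constructed sample data; the only values taken from the lesson are employee 105 (Tom) and 106 (Jerry Mouse) and the view/delete actions.

```python
"""Added example (not WebGoat's code): function-level and data-layer
authorization checks for a profile view/delete request.  Roles, the
matrix and the employee directory are constructed sample data."""

from dataclasses import dataclass
from typing import Optional


class UnauthorizedException(Exception):
    """Raised when a user is not permitted to perform an action."""


# Constructed RBAC matrix: role -> set of actions that role may perform.
# This is the "role based access control matrix" the lesson refers to.
ROLE_ACTIONS = {
    "employee": {"ViewProfile"},
    "manager": {"ViewProfile"},
    "hr": {"ViewProfile", "DeleteProfile"},
}


@dataclass(frozen=True)
class Employee:
    employee_id: int
    name: str
    role: str
    manager_id: Optional[int] = None


# Constructed employee directory; sequential IDs as seen in the lab.
EMPLOYEES = {
    105: Employee(105, "Tom Cat", "employee", manager_id=112),
    106: Employee(106, "Jerry Mouse", "employee", manager_id=112),
    112: Employee(112, "Moe Stooge", "manager"),
    120: Employee(120, "Hannah Resource", "hr"),
}


def is_authorized_for_action(user: Employee, action: str) -> bool:
    """Function-level check (Stage 2): may this user's role perform the action at all?"""
    return action in ROLE_ACTIONS.get(user.role, set())


def is_authorized_for_employee(user: Employee, action: str, target_id: int) -> bool:
    """Data-layer check (Stage 4): may this user perform the action on *this* record?
    Employees may only touch their own profile; managers may also view their
    direct reports; HR may act on any existing record."""
    target = EMPLOYEES.get(target_id)
    if target is None:
        return False
    if user.role == "hr":
        return True
    if target.employee_id == user.employee_id:
        return True
    if (user.role == "manager" and action == "ViewProfile"
            and target.manager_id == user.employee_id):
        return True
    return False


def handle_request(user_id: int, employee_id: int, action: str) -> str:
    """Stands in for the servlet that receives the intercepted parameters
    (employee_id and action).  Both checks run before any work is done, so
    editing 'view' to 'delete' or 105 to 106 in the request changes nothing
    for a user who is not entitled to the result.  The delete is simulated."""
    user = EMPLOYEES[user_id]
    if not is_authorized_for_action(user, action):
        raise UnauthorizedException(f"{user.name} ({user.role}) may not {action}")
    if not is_authorized_for_employee(user, action, employee_id):
        raise UnauthorizedException(f"{user.name} may not {action} employee {employee_id}")
    target = EMPLOYEES[employee_id]
    if action == "ViewProfile":
        return f"profile:{target.employee_id}:{target.name}"
    if action == "DeleteProfile":
        return f"deleted:{target.employee_id}"
    raise ValueError(f"unknown action {action}")


def attempt(user_id: int, employee_id: int, action: str) -> str:
    """Convenience wrapper that turns the exception into a printable verdict."""
    try:
        return "allowed: " + handle_request(user_id, employee_id, action)
    except UnauthorizedException as exc:
        return "denied: " + str(exc)


if __name__ == "__main__":
    # Tom viewing his own profile, Tom trying the tampered delete action,
    # Tom trying the neighbouring ID, a manager viewing a report, HR deleting.
    for req in [(105, 105, "ViewProfile"), (105, 105, "DeleteProfile"),
                (105, 106, "ViewProfile"), (112, 106, "ViewProfile"),
                (120, 106, "DeleteProfile")]:
        print(req, "->", attempt(*req))
```

The two checks are deliberately separate: the matrix answers "can this role ever do this?" and fails closed for unknown roles, while the data-layer function answers "on this record?" and fails closed for unknown IDs, so the sequential-ID guessing from Stage 3 is rejected without any special-casing of particular numbers.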

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Sunny Wear
Instructor