Parallel ultra vires (horizontal privilege escalation) - business security testing practice (31)

Parallel ultra vires (horizontal privilege escalation): when an attacker requests an operation (add, delete, query, modify) on a piece of data, the web application either does not check who owns that data at all, or determines the owner directly from a parameter submitted in the user's form (such as a user ID). The attacker can therefore change that parameter (the user ID) himself and operate on data that does not belong to him, as shown in the figure.

Users of a university's educational administration system can view other users' personal information beyond their authority. Testing found that student numbers follow a pattern: the last 4 digits are consecutive numbers. After logging in to the system, an ordinary user can view sensitive information of other students beyond his authority, such as student status information and course grades.

Step 1: Take "Gao XX" with student number 12xxxx0031 as an example. Log in to the educational administration system and view the student status information of this account. The link for viewing student status information is http://host/search.do?m=xsx&xh=12Sxxx0031, as shown in the figure.


Step 2: Access the student status information of the student whose student number is 12Sxxx0032. The link is http://host/search.do?m=xsx&xh=12Sxxx0032, as shown in the figure.

Step 3: Access the student status information of the student whose student number is 12Sxxx0033. The link is http://host/sear
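The root cause described above is that the `xh` (student number) parameter, not the logged-in session, decides whose record `search.do` returns. The following is an added example, not code from the original post or from the educational administration system it tests: a toy in-memory model of that lookup with the vulnerable handler beside a hardened one that derives the data owner from the session, plus a small check over constructed access-log lines that flags sessions reading records other than their own. The names `search_do_vulnerable`, `search_do_fixed`, `find_cross_user_reads`, the `Session` shape, the `staff` role and all sample records and log lines are assumptions made for the illustration.

```python
"""Horizontal privilege escalation (parallel ultra vires) on a ?xh=<student number> lookup.

Added example, not code from the original post. The "educational administration
system" is modelled as an in-memory dict; handler names, the Session shape, the
role names and the sample data/log lines are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: student number -> student status record.
STUDENT_RECORDS = {
    "12Sxxx0031": {"name": "Gao XX", "status": "enrolled", "grades": {"Math": 91}},
    "12Sxxx0032": {"name": "Student B", "status": "enrolled", "grades": {"Math": 78}},
    "12Sxxx0033": {"name": "Student C", "status": "suspended", "grades": {"Math": 64}},
}


@dataclass
class Session:
    user_id: str            # the student number (or staff id) the user authenticated as
    role: str = "student"   # assumed role names: "student" or "staff"


def _xh_from_url(url: str) -> Optional[str]:
    """Extract the xh query parameter from a full URL or a path+query string."""
    return parse_qs(urlparse(url).query).get("xh", [None])[0]


def search_do_vulnerable(session: Session, url: str) -> Optional[dict]:
    """Vulnerable: the owner is taken from the client-supplied xh parameter.

    Any logged-in user can read any record simply by changing xh in the URL.
    """
    return STUDENT_RECORDS.get(_xh_from_url(url))


def search_do_fixed(session: Session, url: str) -> Optional[dict]:
    """Hardened: the owner is derived from the authenticated session.

    Staff may look up any student; a student only ever receives his own
    record, and a foreign xh is refused (return None, i.e. HTTP 403 in a
    real handler) rather than silently honoured.
    """
    if session.role == "staff":
        return STUDENT_RECORDS.get(_xh_from_url(url))
    requested = _xh_from_url(url) or session.user_id
    if requested != session.user_id:
        return None
    return STUDENT_RECORDS.get(session.user_id)


# Constructed access-log lines (assumed format): "user=<id> GET <path?query> <status>".
ACCESS_LOG = [
    "user=12Sxxx0031 GET /search.do?m=xsx&xh=12Sxxx0031 200",
    "user=12Sxxx0031 GET /search.do?m=xsx&xh=12Sxxx0032 200",
    "user=12Sxxx0031 GET /search.do?m=xsx&xh=12Sxxx0033 200",
    "user=12Sxxx0032 GET /search.do?m=xsx&xh=12Sxxx0032 200",
]

_LOG_RE = re.compile(r"user=(\S+) GET (\S+) (\d{3})")


def find_cross_user_reads(log_lines: List[str]) -> Dict[str, List[str]]:
    """Detection: map each student session to the foreign xh values it successfully read.

    Only users with at least one successful (2xx) read of another student's
    record appear in the result, so an empty dict means nothing suspicious.
    """
    hits: Dict[str, set] = {}
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        user, path, status = m.groups()
        xh = _xh_from_url(path)
        if xh and xh != user and status.startswith("2"):
            hits.setdefault(user, set()).add(xh)
    return {user: sorted(xhs) for user, xhs in hits.items()}


if __name__ == "__main__":
    gao = Session("12Sxxx0031")
    other = "http://host/search.do?m=xsx&xh=12Sxxx0032"
    print("vulnerable:", search_do_vulnerable(gao, other))   # leaks Student B
    print("fixed:     ", search_do_fixed(gao, other))        # None (refused)
    print("cross-user reads:", find_cross_user_reads(ACCESS_LOG))
```

The fix is not "hide the parameter" or "make student numbers unpredictable"; both are guessable in the case above. The handler must bind the record to the session's identity (or an explicit staff authorization) on every data-access path, and the log check gives operations a quick way to confirm whether the pattern of sequential `xh` reads from one session has actually occurred.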


Source: blog.csdn.net/luozhonghua2014/article/details/131527344