Logic vulnerabilities and privilege escalation (to be supplemented)

What is a logic vulnerability?

A logic vulnerability is a flaw in the design of an application's business logic that an attacker exploits to obtain sensitive information or to compromise the integrity of the business.
They typically appear in password changes, unauthorized access, password recovery, and the amount paid in transaction and payment flows.

Privilege escalation (越权) vulnerabilities:

The name is largely self-explanatory. Simply put, an attacker exploits a flaw in the authorization check and, by bypassing it in some way, gains the ability to access, modify or delete other users' data, or even data that requires higher privileges.

Classification

Privilege escalation is divided into horizontal and vertical. For example, if you are a student, horizontal escalation is obtaining your classmates' permissions to operate, and vertical escalation is obtaining the counsellor's permissions to operate;

Detection

Privilege escalation vulnerabilities are generally hard to find with automated tools; they need to be judged manually.
Attack and defence:
Examples are needed to understand this, so here are a few articles to share.
Search freebuf for "Web security testing: analysis of common logic vulnerabilities (practical part)".
It introduces attack and defence ideas, covering:
modifying the order amount;
the verification code being returned in the response;
missing credential verification on login;
interfaces that allow unlimited enumeration;
flawed cookie design;
design flaws in password recovery;
simply reading user credentials from a value held in memory;
seven cases that help to deepen understanding.
Recommended articles on privilege escalation and logic flaws:
https://www.ddosi.com/p1077/
https://www.bugbank.cn/q/article/598564c1a37d0e403a8b1954.html

I have also done a few similar privilege escalation exercises in WebGoat, and I summarize them here; although they are simple, they also help with understanding:

1. Using an Access Control Matrix

In a role-based access control scheme, a role represents a set of access rights and permissions. A user may be assigned one or more roles. A role-based access control scheme usually consists of two parts: assigning permissions to roles and assigning roles to users. A flawed role-based scheme may allow a user to perform accesses that his or her assigned roles do not permit, or may in some way allow unauthorized roles to elevate their privileges.
General goal:
Each user is a member of certain roles and is allowed to access certain resources. Your goal is to explore the access control rules that govern this site. Only the [Admin] group can access the "Account Manager" resource.
As shown, this exercise is very easy: just try the combinations. Sometimes simply trying is the way to make progress;

2. Bypass a Path Based Access Control Scheme

I used Google Translate to understand the requirement: the "root" user has access to all files in the lesson_plans/English directory. Try to break the access control mechanism and access a resource that is not in the listed directory. After you select a file to view, WebGoat will report whether access to that file was granted. An interesting file to try to obtain might be something like tomcat/conf/tomcat-users.xml. Remember that the file path will be different if you are using the WebGoat source.
It actually just comes down to capturing the request and modifying the content of the file parameter to change the file path. However many directory levels up I tried, it still reported an error. Later I searched online and people said this exercise is a trap, so I did not continue; in any case, that is the idea;
LAB: Role Based Access Control
Stage 1: Bypass Business Layer Access Control
Stage 2: Add Business Layer Access Control
Stage 3: Breaking Data Layer Access Control
Stage 4: Add Data Layer Access Control

Stages 2 and 4 are the defence methods and require the developer version, so only stages 1 and 3 are done here:
After logging in to tom's profile page, I found that the delete function required by the exercise was not there, so I clicked ViewProfile, captured the request and modified the parameter
It worked. This also helps us understand horizontal privilege escalation. The fix here is to add business-layer access control; personally I think an authentication check that verifies the user's identity could also be added;
Continuing with stage 3:
Here the requirement is to view other employees' information as tom; since they are at the same level, this can be considered horizontal privilege escalation;
since it is about viewing data, the natural step is again to capture the ViewProfile request:
We find an id parameter; tom's id is 105. How do we get the ids of other employees? Here we can simply log in and look, whereas an attacker might use social engineering to obtain employee numbers in order to get at the information. Larry's id here is 101, so we change the parameter and forward the request directly:
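As an added illustration (not part of the original post and not WebGoat's own code), the following Python models the ViewProfile endpoint from stage 3 and the "Account Manager" check from exercise 1: the vulnerable handler trusts the client-supplied id, the fixed one enforces an object-level ownership check against the server-side session, and a role matrix handles the vertical case. The employee records, the "HR" role and the resource-to-role matrix are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample records; ids 105 (tom) and 101 (larry) follow the post.
EMPLOYEES = {
    105: {"name": "tom", "salary": 80000},
    101: {"name": "larry", "salary": 55000},
}

@dataclass
class Session:
    """Server-side session: identity and roles come from login, never from the request."""
    user_id: int
    roles: set = field(default_factory=set)

class Forbidden(Exception):
    pass

def view_profile_vulnerable(session: Session, requested_id: int) -> dict:
    """Stage 3 as shipped: the id parameter is trusted, so changing 105 to 101
    returns larry's record to tom (horizontal privilege escalation)."""
    return EMPLOYEES[requested_id]

def view_profile_secure(session: Session, requested_id: int) -> dict:
    """Data-layer access control (stage 4): compare the requested object with
    the session's own id; only an assumed 'HR' role may read other records."""
    if requested_id != session.user_id and "HR" not in session.roles:
        # A real handler would also log this denial: repeated failures with
        # varying ids from one session are a useful detection signal.
        raise Forbidden(f"user {session.user_id} may not view profile {requested_id}")
    return EMPLOYEES[requested_id]

# Constructed access-control matrix for exercise 1; unknown resources are denied.
MATRIX = {"Account Manager": {"Admin"}}

def can_access(resource: str, session: Session) -> bool:
    """Vertical check: the resource is reachable only through a role listed for it."""
    return bool(MATRIX.get(resource, set()) & session.roles)

if __name__ == "__main__":
    tom = Session(105, {"Employee"})
    print(view_profile_vulnerable(tom, 101))   # larry's data leaks
    try:
        view_profile_secure(tom, 101)
    except Forbidden as exc:
        print("blocked:", exc)
    print(can_access("Account Manager", tom))  # False
```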
That completes this course. Logic vulnerability and privilege escalation exercises encountered later will be added here.



Origin blog.csdn.net/qq_43571759/article/details/104598517