Skip main navigation

Exploitation

In this video, you will learn how to use a customer feedback feature to establish if there are weaknesses in a system’s access control.
7.9
Welcome back to Broken Access Control session. In this second part, we will exploit different authorization issues in our intentionally vulnerable application. We will jump straight to the hands-on exploitation, and then move on to the mitigation part. We want to exploit authorization issues to access other users data or execute actions on their behalf. We should look for some feature allowing users to submit data to the system and maybe retrieve it back. Since we don’t have an account yet, let’s see what anonymous users can do.
46.7
Customer feedback seems to be available to anonymous users, allowing them to submit some comment in writing. Let’s pop up developer tools to be able to inspect network traffic and then submit some feedback.
82.7
We have here a POST request to feedback’s API endpoint, and we got a successful HTTP response. That’s good, let’s see the details.
94.1
Our comment and rating were sent as part of the request.
101.1
As a response, we got another JSON object which includes our submitted data and several other metadata.
118.3
Since it was anonymous feedback, it makes sense user ID to be “no”. From what we got as a response, it sounds like submitted feedback is given a unique identifier. Having such identifier is useful when you want to perform actions upon a specific record. We can take advantage of REST API’s predictive nature and issue what could be a request to retrieve our feedback object back from the API.
147.8
Instead of a POST request, we should issue a GET request and append record identifier to the path.
157.8
We got the 401 HTTP status code, meaning that there was a error processing our request. Based on the error message, it looks like we need to be authenticated to perform such action. Let’s create an account and log in.
176.5
Let’s now provide some feedback, but this time, authenticated as a regular user.
206.9
We can see the initial request to send our feedback to the server.
219.7
Like before, we have our comment in writing as part of the request body, but this time, we also have our user ID.
228.5
The response is similar to what we had before, but again, it also includes our user ID. Note that this feedback received ID number 9, making feedback identifiers sound sequential. Let’s try to retrieve this feedback record back from a server.
249.5
Again, instead of a POST request, we should issue a GET and append the feedback ID to the path.
259.1
This time, we’ve got a 200 status code. Let’s inspect the response.
267.4
We’ve got our feedback back from the server. What about our anonymous feedback? Since we know its ID, let’s see if we can access it.
287.4
A success HTTP status code as before, and in fact, we were able to retrieve the feedback from the server. Strange. Since the feedback identifiers are sequential, we can keep going and see what else we can get.
316.1
Another anonymous feedback. Let’s try another one.
329.9
Okay, another anonymous feedback. Until now, we were able to retrieve our one feedback and a few other anonymous records. Definitely, there is something wrong with the access control. Let’s keep going.
382.1
All right, finally some non-anonymous feedback. Now, we are sure that access control is definitely broken. If we can retrieve other users’ feedback, maybe we can also delete it.
401
Instead of a GET request, this time, we will issue a DELETE.
415.8
Apparently, the record was successfully deleted. Trying to retrieve it back from the server should fail, and it did. Not only were we able to retrieve other users’ feedback, but we were also able to delete it, actions that should be available to Juice Shop admins only. Definitely, the access control is broken. You’ll certainly find other issues. Next, we will discuss what makes the application vulnerable and how to prevent it.

You will now learn how to use a customer feedback feature to establish if there are weaknesses in a system’s access control.

We have already used the customer feedback feature for OWASP Juice Shop before to learn more about the system; in this video, you will use this feature again. This video will demonstrate how to use this feature to establish if there are weaknesses in the system’s access control settings. You will then exploit these weaknesses and will be able to assign yourself admin rights. These rights will give you access to system controls that are reserved for admin level users.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education