1 00:00:07,950 --> 00:00:13,290 OK, so in the last lecture, we talked about XML external entity injection, and in this lecture we're
2 00:00:13,290 --> 00:00:21,240 going to talk about broken access control, specifically insecure direct object references, also
3 00:00:21,240 --> 00:00:22,140 known as IDOR.
4 00:00:22,540 --> 00:00:29,070 Now, before we get into it, I just want to show you guys how prevalent this bug is and what potential
5 00:00:29,070 --> 00:00:29,950 payouts can be.
6 00:00:30,240 --> 00:00:32,820 You'll see five-figure payouts in some cases.
7 00:00:33,240 --> 00:00:33,780 Look at this one.
8 00:00:34,560 --> 00:00:35,880 View emails from any inbox.
9 00:00:37,230 --> 00:00:44,040 Ten thousand dollar payout, IDOR to add secondary users.
10 00:00:44,730 --> 00:00:50,050 And if you click that, you're taken here, and you can see this bug.
11 00:00:50,100 --> 00:00:55,650 This researcher, this researcher "born to hack", was awarded ten thousand five hundred dollars.
12 00:00:56,310 --> 00:00:58,520 And the bug description is right here.
13 00:00:58,980 --> 00:01:02,640 And essentially what happened is business account users
14 00:01:04,000 --> 00:01:08,950 were able to assign secondary users from other accounts.
15 00:01:10,060 --> 00:01:16,270 And then once that happened, the secondary user was able to get unauthorized access to functions that
16 00:01:16,270 --> 00:01:17,470 it shouldn't have had access to.
17 00:01:18,640 --> 00:01:21,410 So now, the details of this bug aren't disclosed here.
18 00:01:21,430 --> 00:01:23,080 Obviously, this is a high-severity security bug.
19 00:01:23,380 --> 00:01:25,780 But you'll see stuff like this all the time.
20 00:01:26,260 --> 00:01:30,280 And so let me just break down IDOR just so you can understand what it is.
21 00:01:30,290 --> 00:01:33,190 So we're talking about an insecure direct object reference.
22 00:01:33,880 --> 00:01:36,370 And, you know, the impact obviously can be huge.
23 00:01:36,680 --> 00:01:41,920 The basic nature of the vulnerability is it's a broken access control because, you know, we're able
24 00:01:41,920 --> 00:01:46,060 to access someone else's account, or we're able to do something we shouldn't be able to do in someone
25 00:01:46,060 --> 00:01:46,760 else's account.
26 00:01:47,320 --> 00:01:53,350 And one of the ways to test for this is to, you know, increment a numeric value to try to access a
27 00:01:53,350 --> 00:01:58,180 resource directly, so we can try to guess the identifier through an enumeration attack.
28 00:01:58,480 --> 00:02:04,300 And this is actually, you know, surprisingly difficult for web applications to fix, or for developers to
29 00:02:04,300 --> 00:02:05,650 fix or to anticipate.
30 00:02:06,520 --> 00:02:09,650 You know, web developers need to ensure that the session is properly managed.
31 00:02:09,650 --> 00:02:14,920 They need to make sure that, you know, access control checks at the object level get very granular
32 00:02:14,920 --> 00:02:17,170 if you really want to take these bugs to the death.
33 00:02:17,440 --> 00:02:18,400 That's the way to do it.
34 00:02:19,000 --> 00:02:24,070 And ideally, developers should be performing static application security testing and doing line-of-
35 00:02:24,070 --> 00:02:26,400 code analysis before the product is pushed to production.
36 00:02:26,560 --> 00:02:26,950 Why?
37 00:02:26,950 --> 00:02:31,480 Because it's more expensive to address flaws after they've already been pushed to production.
38 00:02:31,930 --> 00:02:35,300 So let's jump into this class of bugs here.
39 00:02:35,320 --> 00:02:36,970 So what we're going to do is we're going to create an account.
40 00:02:37,030 --> 00:02:39,550 We're going to see if we can access something from someone else's account.
41 00:02:39,880 --> 00:02:40,160 Right.
42 00:02:40,540 --> 00:02:44,550 So if I go to "Not yet a customer", I can create an account.
43 00:02:44,560 --> 00:02:48,400 Real quick, let's see.
44 00:02:51,910 --> 00:02:52,840 Security question.
45 00:02:53,150 --> 00:02:53,970 Mother's maiden name.
46 00:02:53,980 --> 00:02:57,820 Yeah, my mother's name is Default. Register.
47 00:02:58,830 --> 00:03:01,830 All right, so I registered, I should be able to log in.
48 00:03:06,780 --> 00:03:07,170 Sweet.
49 00:03:07,320 --> 00:03:13,530 So I'm in, and we have Burp ready to go on the side, but first what I want to do is just kind of observe
50 00:03:13,530 --> 00:03:16,400 the general behavior of this page.
51 00:03:16,410 --> 00:03:17,490 So let's turn Intercept off.
52 00:03:20,770 --> 00:03:23,160 And filter all the traffic through Burp.
53 00:03:23,500 --> 00:03:25,660 So if I look at my basket, there's nothing here, right?
54 00:03:26,810 --> 00:03:29,000 Let's just add Apple Juice.
55 00:03:29,890 --> 00:03:31,190 You can see Apple Juice was added.
56 00:03:32,690 --> 00:03:35,750 Apple Pomace, I don't know what that is, and Banana Juice.
57 00:03:36,890 --> 00:03:37,790 And I'll do the...
58 00:03:38,960 --> 00:03:41,030 The only one left with this thing, so let's get this Best Juice.
59 00:03:42,300 --> 00:03:43,500 All right, so we look at our basket.
60 00:03:45,130 --> 00:03:50,650 We've got four items now. If we go back to Burp, we go to the history, you can see what we did.
61 00:03:51,580 --> 00:03:54,190 And if you look at this, you'll notice it says rest/basket/6.
62 00:03:54,460 --> 00:03:54,780 Right.
63 00:03:56,020 --> 00:04:01,630 So it looks like we're making a GET request to this endpoint, and this number is an identifier of some
64 00:04:01,630 --> 00:04:06,850 kind, possibly identifying us, because if you look at the response, you can see
65 00:04:08,800 --> 00:04:10,900 the items we added to our basket, right?
66 00:04:11,790 --> 00:04:18,600 Apple Juice, Banana Juice, Apple Pomace and the Best Juice, right? So obviously, as a researcher,
67 00:04:18,750 --> 00:04:21,540 the first thing you should try to do is test for IDOR
68 00:04:21,540 --> 00:04:26,670 when you see a number like this that you can increment. It may not always be in the target request.
69 00:04:26,680 --> 00:04:27,450 It might be in a cookie.
70 00:04:27,450 --> 00:04:29,120 It might be in another header field.
71 00:04:29,160 --> 00:04:32,550 But we want to play with this to see if we can access something else that we shouldn't have access to.
72 00:04:32,970 --> 00:04:37,350 So I'm going to do Control-R, Control-Shift-R to go to Repeater, and Control-Space just to resend
73 00:04:37,350 --> 00:04:37,860 the request.
74 00:04:38,070 --> 00:04:39,140 And I got the same results.
75 00:04:39,780 --> 00:04:46,620 So if we change this to, like, a one, which is typically associated with an admin account, the first record
76 00:04:46,890 --> 00:04:47,790 is usually admin.
77 00:04:48,090 --> 00:04:51,490 And you can look at our SQL injection talk to get more details about that.
78 00:04:52,050 --> 00:04:54,840 If I press Control-Space, look at that.
79 00:04:55,350 --> 00:04:56,340 I got something different.
80 00:04:57,820 --> 00:04:59,890 Eggfruit Juice, Orange Juice.
81 00:05:02,760 --> 00:05:03,230 Apple Juice.
82 00:05:03,330 --> 00:05:05,740 It's like I'm looking at somebody else's record, right?
83 00:05:05,760 --> 00:05:06,560 So we need to test this.
84 00:05:06,570 --> 00:05:08,000 We need to see if that's actually what's happening.
85 00:05:08,550 --> 00:05:10,350 So we're going to go to Proxy.
86 00:05:12,510 --> 00:05:14,940 Intercept on. Flip back over to the webapp.
87 00:05:16,150 --> 00:05:17,650 And let's go back here.
88 00:05:20,580 --> 00:05:22,590 All right, so we know what our basket looks like, right?
89 00:05:24,210 --> 00:05:28,320 Right, Apple Juice, Banana Juice, Apple Pomace and the Best Juice.
90 00:05:30,380 --> 00:05:32,120 What we're going to do is we're going to flip back over
91 00:05:34,290 --> 00:05:34,770 to Burp.
92 00:05:35,950 --> 00:05:39,070 Intercept is on, and try to add something to our basket.
93 00:05:40,330 --> 00:05:48,760 All right, change the six to a one, forward, forward, and you can see when I flip over, I'm now looking at someone
94 00:05:48,760 --> 00:05:50,340 else's basket, right?
95 00:05:50,620 --> 00:05:52,990 So the webapp still thinks I have six items in my basket.
96 00:05:53,230 --> 00:05:55,230 But clearly, this is not my basket.
97 00:05:55,720 --> 00:05:56,650 We didn't have these things.
98 00:05:57,010 --> 00:05:57,930 So there you have it.
99 00:05:57,940 --> 00:06:00,700 And this would be a critical finding, right?
100 00:06:00,700 --> 00:06:05,740 Because I'm able to gain access to someone else's shopping basket.
101 00:06:06,370 --> 00:06:11,680 You know, is it possible then that I can check out as that person? Maybe I can include items in
102 00:06:11,680 --> 00:06:13,540 their basket that they didn't initially put there?
103 00:06:14,380 --> 00:06:14,740 Right.
104 00:06:14,920 --> 00:06:20,710 Or maybe I can access other information from users based on this insecure direct object reference vulnerability.
105 00:06:21,250 --> 00:06:23,100 Because where there is one, there's probably more.
106 00:06:23,260 --> 00:06:23,650 Right.
107 00:06:24,370 --> 00:06:29,830 So that would require more careful analysis, you know, going through the HTTP history, looking at
108 00:06:29,830 --> 00:06:36,070 these requests and trying to see if there are other ways, other things you can do, by looking at some
109 00:06:36,070 --> 00:06:38,220 of these fields, these other fields.
110 00:06:38,230 --> 00:06:42,780 You can actually see them over here, and look at the request and you can see the headers that were sent.
111 00:06:44,980 --> 00:06:45,260 Right.
112 00:06:45,740 --> 00:06:51,760 That's all we have in this lecture. In the next one, we're going to take you through security misconfigurations.
113 00:06:52,330 --> 00:06:54,820 So I'll see you guys in the next lecture. Bye.