1
00:00:01,020 --> 00:00:06,730
OK, broken access control, what type of vulnerability is this?

2
00:00:07,590 --> 00:00:13,650
Well, before we define it, let's first see what access control itself is.

3
00:00:15,020 --> 00:00:23,510
Access control is how a Web application grants access to content and functions to some users. Notice that

4
00:00:23,510 --> 00:00:26,720
it said to some users, so not all of them.

5
00:00:27,500 --> 00:00:34,780
Access control is the part of the application that decides who gets to see which content and who doesn't.

6
00:00:35,690 --> 00:00:40,630
Sometimes access control can be strictly tied to authorization and session.

7
00:00:41,180 --> 00:00:47,480
And in some cases, it might even be the exact same vulnerability as broken authentication, which we

8
00:00:47,480 --> 00:00:48,290
already covered.

9
00:00:48,650 --> 00:00:50,720
However, there is more to it than that.

10
00:00:51,350 --> 00:00:57,290
When we covered broken authentication, we mostly focused on breaking the session and the authentication

11
00:00:57,320 --> 00:00:59,660
of the user. Broken access

12
00:00:59,660 --> 00:01:06,380
control, on the other hand, can also target not only sessions but, for example, different files or

13
00:01:06,380 --> 00:01:08,120
directories on the webpage.

14
00:01:09,220 --> 00:01:14,740
Perhaps some users have access to certain files that are on the Web page and the others don't.

15
00:01:15,660 --> 00:01:21,420
If the access control is not performed properly, we could also get access to those files.

16
00:01:22,140 --> 00:01:24,000
Same goes with directories.

17
00:01:24,300 --> 00:01:31,350
Perhaps there are some directories that are only meant for admin to use and visit, but they have no

18
00:01:31,350 --> 00:01:36,540
access control and can easily be visited by adding the directory name to the link.

19
00:01:37,320 --> 00:01:42,040
This is also a broken access control vulnerability. Besides different files,

20
00:01:42,060 --> 00:01:45,460
it might also allow us to see other users' information.

21
00:01:46,020 --> 00:01:50,220
Now, all of this is once again due to a developer's mistake.

22
00:01:51,140 --> 00:01:57,380
If the access control is not implemented properly, then you might have the broken access control vulnerability,

23
00:01:57,860 --> 00:02:00,590
and it could look something like this.

24
00:02:01,590 --> 00:02:09,150
Let's say we have a random site that has a function to choose a file and perhaps download it on your

25
00:02:09,150 --> 00:02:09,560
machine.

26
00:02:10,590 --> 00:02:18,150
Choosing a file should have its own access control. We can assume that this random file is stored somewhere

27
00:02:18,180 --> 00:02:23,590
on the server, but so are all the other files that we don't have an option to download.

28
00:02:24,120 --> 00:02:30,600
So have they implemented a good and valid filter that will only allow us to download the files that

29
00:02:30,600 --> 00:02:31,170
they offer?

30
00:02:31,890 --> 00:02:36,390
Well, we can find out if we try something like this.

31
00:02:37,500 --> 00:02:40,550
What if we type instead of friend of father?

32
00:02:41,790 --> 00:02:44,400
We tiepin slash, azzi slash.

33
00:02:46,200 --> 00:02:53,970
If we get the output of dependability file or if it downloads it to our page, we have an example of

34
00:02:53,970 --> 00:02:55,160
broken access control.

35
00:02:55,590 --> 00:02:59,100
We downloaded something that we should not have been able to.

36
00:02:59,990 --> 00:03:07,070
This type of vulnerability can also be called IDOR, or, in other words, insecure direct object

37
00:03:07,070 --> 00:03:07,640
reference.

38
00:03:08,300 --> 00:03:15,650
This vulnerability occurs when an application uses user supplied input to access objects directly,

39
00:03:16,250 --> 00:03:20,050
and we will see more examples about it in the practical lessons.

40
00:03:20,720 --> 00:03:23,930
So, first of all, let's start with our TryHackMe platform.

41
00:03:25,070 --> 00:03:32,060
OK, here we are on our platform, and we have the broken access control challenge, which is task number

42
00:03:32,060 --> 00:03:33,470
18 now.

43
00:03:33,950 --> 00:03:40,220
As usual, I advise you to read through all of the broken access control tasks, which in this case are task

44
00:03:40,220 --> 00:03:43,270
number 17 and task number 18.

45
00:03:44,030 --> 00:03:45,800
I have already started the machine.

46
00:03:45,980 --> 00:03:47,900
Here is the IP address to the machine.

47
00:03:48,320 --> 00:03:51,560
And now we need to perform these challenges right here.

48
00:03:52,370 --> 00:03:59,210
So, first of all, let's navigate to this page by copying the IP address and pasting it right here.

49
00:04:01,090 --> 00:04:08,080
So, note viewer: what user are you? And we have the field to log in with username and password.

50
00:04:08,710 --> 00:04:14,050
Let's check whether they supplied us with some information as to how to log in to this page.

51
00:04:14,500 --> 00:04:15,490
And here it is.

52
00:04:15,730 --> 00:04:18,790
The username is noot and the password is test

53
00:04:18,790 --> 00:04:19,690
1234.

54
00:04:20,660 --> 00:04:22,010
Let's type that in.

55
00:04:26,520 --> 00:04:28,020
And let's submit this.

56
00:04:29,700 --> 00:04:36,750
And it gives us a rather simple page that only says "I am noot" with an exclamation mark.

57
00:04:38,070 --> 00:04:46,110
But if we take a look at the link, we have this parameter right here that says note equals one, and

58
00:04:46,110 --> 00:04:48,770
this is the parameter that we can try to tamper with.

59
00:04:49,260 --> 00:04:56,160
We can conclude that this parameter could have something to do with the user ID, for example.

60
00:04:56,640 --> 00:05:02,370
Maybe this parameter that equals one is strictly made for our noot account.

61
00:05:03,180 --> 00:05:05,610
So what would happen if we change it to two?

62
00:05:07,470 --> 00:05:12,270
Well, we don't get anything. What would happen if we change it to three, for example?

63
00:05:13,340 --> 00:05:15,060
We still don't get anything.

64
00:05:15,770 --> 00:05:18,120
Let's try changing it to zero.

65
00:05:18,890 --> 00:05:21,710
Press enter, and here's the flag.

66
00:05:22,160 --> 00:05:29,120
We got the flag from a different account, which means that we have an example of broken access control

67
00:05:29,120 --> 00:05:31,100
vulnerability on this virtual machine.

68
00:05:31,970 --> 00:05:33,170
This was rather easy.

69
00:05:33,230 --> 00:05:36,530
All we had to do was change this parameter right here.

70
00:05:36,920 --> 00:05:41,230
But it's all possible due to them not filtering our input correctly.

71
00:05:41,480 --> 00:05:46,820
They don't have any control over this parameter as to what the user can do with it.

72
00:05:47,930 --> 00:05:55,880
In real Web applications, this input right here should be very well filtered, so that if you try to change

73
00:05:55,880 --> 00:06:00,610
the session or try to change the user ID, it just goes back to your own account.

74
00:06:00,650 --> 00:06:03,530
It doesn't let you see the information from different users.

75
00:06:03,860 --> 00:06:08,870
And in our case, this is our flag that we need to specify as the answer.

76
00:06:09,890 --> 00:06:15,860
Look at the other users' notes. Let's paste the flag. Submitted, and it's the correct answer.

77
00:06:16,700 --> 00:06:18,980
OK, so this was rather easy.

78
00:06:19,160 --> 00:06:26,330
Now let's look at some slightly more difficult examples on our OWASP virtual machine. See you in

79
00:06:26,330 --> 00:06:26,990
the next lecture.