IAW301 SE161501 Lab6

The document describes several labs demonstrating access control vulnerabilities and privilege escalation issues: 1) Unprotected admin functionality whose URL is disclosed in /robots.txt. 2) Admin panel URL disclosed in JavaScript, allowing access without authorization. 3) User role controlled by a request cookie (Admin=false), which can be changed to Admin=true to reach admin functionality. 4) User profile update accepts a roleid field, escalating privileges. 5) URL-based access control bypassed with an X-Original-URL header. 6) User ID controlled by a request parameter allows retrieving other users' API keys or passwords. 7) Insecure direct object reference in chat transcript downloads exposes a password.

Access control vulnerabilities and privilege escalation

Lab: Unprotected admin functionality


Access the lab and append “/robots.txt” to the URL to view the site's robots.txt file.

There is no access control on the administrative functions at all; the only thing hiding them is their URL, and that URL is disclosed in “/robots.txt” (a Disallow entry asks crawlers to stay away, it does not stop anyone, and the path could just as well have leaked anywhere else). Replace “/robots.txt” with “/administrator-panel”, the path listed there.

We now have access to the administrative functions; delete the user carlos to solve the lab.
Lab: Unprotected admin functionality with unpredictable URL
The admin panel is again unprotected, but this time it lives at a URL that cannot be guessed.
Use Burp Suite to inspect the home page's source. Inline JavaScript that builds the admin link discloses the panel's URL (/admin-jjlcss); hiding a link client-side hides nothing from anyone who reads the response.

Append “/admin-jjlcss” to the home page's URL


Delete carlos to solve the lab
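The two labs above both hinge on finding an admin URL that the site merely fails to advertise. As an added example (not part of the original write-up and not PortSwigger's lab code), the following Python script automates that reconnaissance step over the two disclosure sources the labs use: Disallow entries in robots.txt and absolute-path string literals inside inline script blocks. The robots.txt and HTML samples are constructed for the example, modelled on the labs; the paths /administrator-panel and /admin-jjlcss are the ones the write-up reports, and the function names are the example's own.

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs modelled on the two labs (not captured from them).
SAMPLE_ROBOTS = """User-agent: *
Allow: /
Disallow: /administrator-panel
"""

SAMPLE_HOME_HTML = """<html><body>
<script>
var isAdmin = false;
if (isAdmin) {
   var topLinksTag = document.getElementsByClassName("top-links")[0];
   var adminPanelTag = document.createElement('a');
   adminPanelTag.setAttribute('href', '/admin-jjlcss');
   adminPanelTag.innerText = 'Admin panel';
   topLinksTag.append(adminPanelTag);
}
</script>
<a href="/my-account">My account</a>
</body></html>"""


def robots_disallowed_paths(robots_txt):
    """Return every path listed under a Disallow: directive. These entries are a
    request not to crawl, not an access control, so each one is a candidate URL."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


class _ScriptCollector(HTMLParser):
    """Collects the raw text of each inline <script> block."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


# A quoted string literal that starts with "/" and looks like a URL path.
PATH_LITERAL = re.compile(r"""['"](/[A-Za-z0-9_\-./]*)['"]""")


def paths_in_inline_js(html):
    """Return absolute-path string literals found inside inline scripts, in order,
    without duplicates. A client-side `if (isAdmin)` hides the link from the page,
    not the URL from the source."""
    collector = _ScriptCollector()
    collector.feed(html)
    found = []
    for script in collector.scripts:
        for path in PATH_LITERAL.findall(script):
            if path not in found:
                found.append(path)
    return found


def candidate_admin_paths(robots_txt, html):
    """Union of both sources: the list a tester would try in Burp Repeater."""
    candidates = robots_disallowed_paths(robots_txt)
    for path in paths_in_inline_js(html):
        if path not in candidates:
            candidates.append(path)
    return candidates


if __name__ == "__main__":
    for path in candidate_admin_paths(SAMPLE_ROBOTS, SAMPLE_HOME_HTML):
        print(path)
```

Against a real target, replace the two constants with the fetched robots.txt and home page; each printed path is then requested unauthenticated and the response compared with a known-denied page. Links in href attributes are deliberately left out of the JavaScript pass because a crawler already finds them; the interesting paths are the ones only the script knows.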
Lab: User role controlled by request parameter
Enter the username and password, then submit the login form.

In Burp Suite, observe that the login response sets a cookie Admin=false, which the browser then sends with every request.

Change it to Admin=true and forward the request.

The account page now shows a link to the Admin panel.

Open the admin panel and delete carlos. For every intercepted request while opening the panel and deleting the user, change Admin=false to Admin=true as above, since the server re-reads the cookie on each request.
Lab: User role can be modified in user profile

Log in, submit the change-email form on the account page and intercept the request in Burp Suite. Add “roleid”:2 to the JSON body of that request.

Send the modified request and reload the page: the extra field is accepted and the account now carries the admin role.

Open the admin panel and delete carlos.


Lab: URL-based access control can be circumvented
Append “/admin” to the URL; the front-end blocks the request. Use Burp Suite to intercept it and send it to Repeater.
Change the request line path from “/admin” to “/” and add the header X-Original-URL: /admin; the front-end sees a harmless path while the back-end routes on the header and returns the admin panel. To delete the user, change the path to “/?username=carlos” and set X-Original-URL: /admin/delete.
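The bypass works because two components disagree about which URL is being requested. As an added example, not code from the lab or from this write-up, the Python below models that architecture with a front-end that denies by request-line path and a back-end that lets X-Original-URL (or X-Rewrite-URL) replace the path it routes on, then shows two independent fixes. The Request class, the user table and the names front_end_blocks, routed_path and back_end are assumptions of the model, not the lab's implementation.

```python
# Constructed model of the lab's architecture (added example, not the lab's code):
# a front-end that blocks /admin by inspecting the request line, and a back-end
# framework that lets an override header replace the path it routes on.

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")  # headers some frameworks honour
INITIAL_USERS = {"administrator": "admin", "wiener": "user", "carlos": "user"}  # constructed


class Request:
    """Minimal request model: request-line path, query dict, headers, session role."""
    def __init__(self, path, query=None, headers=None, role="anonymous"):
        self.path = path
        self.query = dict(query or {})
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.role = role  # what the back-end knows from the session, never from the request


def front_end_blocks(req):
    """The lab's edge rule: deny by the request line's path only."""
    return req.path == "/admin" or req.path.startswith("/admin/")


def routed_path(req):
    """Back-end behaviour the lab exploits: an override header beats the real path."""
    for name in OVERRIDE_HEADERS:
        if name in req.headers:
            return req.headers[name]
    return req.path


def back_end(req, users, enforce_role):
    path = routed_path(req)
    if path == "/admin" or path.startswith("/admin/"):
        if enforce_role and req.role != "admin":
            return 401, "Unauthorized"
        if path == "/admin":
            return 200, "admin panel: " + ", ".join(sorted(users))
        if path == "/admin/delete":
            name = req.query.get("username")
            if name in users:
                del users[name]
                return 200, f"deleted {name}"
            return 404, "no such user"
    if path == "/":
        return 200, "home"
    return 404, "not found"


def handle_vulnerable(req, users):
    """As in the lab: the front-end checks req.path, the back-end routes on the header."""
    if front_end_blocks(req):
        return 403, "Access denied"
    return back_end(req, users, enforce_role=False)


def handle_fixed(req, users):
    """Two independent fixes, either of which stops the bypass: the edge drops
    override headers it did not set itself, and the back-end authorises admin
    routes from the session regardless of how the path was chosen."""
    if front_end_blocks(req):
        return 403, "Access denied"
    cleaned = Request(req.path, req.query,
                      {k: v for k, v in req.headers.items() if k not in OVERRIDE_HEADERS},
                      req.role)
    return back_end(cleaned, users, enforce_role=True)


def bypass_request():
    """The request the write-up sends from Repeater."""
    return Request("/", query={"username": "carlos"},
                   headers={"X-Original-URL": "/admin/delete"})


if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_fixed):
        users = dict(INITIAL_USERS)
        print(handler.__name__, handler(bypass_request(), users), sorted(users))
```

The header-stripping fix alone is fragile (a new framework alias for the same feature would reopen the hole), which is why the back-end check is the one that matters: it makes the front-end rule a convenience rather than the only control.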
Lab: User ID controlled by request parameter
Go to the account page and intercept the request in Burp Suite.
Change the query parameter id=wiener to id=carlos and forward it; the page returned is carlos's account.
Retrieve and submit carlos's API key

The API key is: V5zUuoOLAVlivhOdhEvAkDbbSQMl4zrc


Lab: User ID controlled by request parameter, with unpredictable user IDs
Open the blog post written by carlos, click the author's name and note the user ID (a GUID) in the URL:
“a39b60dc-d2fc-4965-a48a-23f39b77e293”
Log in, go to the account page and intercept the request in Burp Suite, then replace our own ID with carlos's.
The response contains carlos's API key: ObydOTYTSSWiOGMm4uR8Rw9bd4jCI8iV

Lab: User ID controlled by request parameter with data leakage in redirect


Log in and go to the account page, intercept the request in Burp Suite and change “id=wiener” to “id=carlos”.
The server answers with a redirect to the login page, but the body of that redirect still contains the full account page, including carlos's API key:
kMTtwadZEPd6KuxSmWQ6Dr2MaOeI6DFY
The browser follows the redirect and never displays this body, so it is only visible in the proxy.

Submit the key to solve the lab


Lab: User ID controlled by request parameter with password disclosure
Log in, go to the account page and intercept the request in Burp Suite, then change “id=wiener” to “id=administrator”.

Forward it and check the response: the password field of the account form is prefilled, and the masked value in the HTML is the administrator's password: yvunr1sj6gi9jtg3z6k3


Log in as administrator and delete carlos
Lab: Insecure direct object references
Open Live chat and send a message, then start Burp Suite intercepting and click View transcript. Send the download request to Repeater.

The transcript file is named by a sequential number. Change it to 1 to retrieve an earlier user's transcript, which contains that user's password: 1uuxx8x4kb3buyew59n6
Log in as that user (carlos) with the recovered password to solve the lab
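Every lab from “User role controlled by request parameter” onward (cookie-controlled role, roleid mass assignment, the four id-parameter labs and the transcript IDOR) is the same server-side mistake: an authorization decision taken from data the client sends instead of from state the server recorded at login. The Python below is an added example, not the labs' code, and models each vulnerable handler beside its fixed form over a constructed in-memory user table, session store and transcript store; names and values such as USERS, SESSIONS, KEY-CARLOS and sess-wiener are assumptions of the example.

```python
# Constructed in-memory model of the labs' server side (added example, not the labs' code).
# Each vulnerable handler trusts something the client controls; each fixed handler
# takes the same decision from server-side state keyed by the session cookie.

ADMIN_ROLE = 2  # the admin role id the roleid lab accepts

USERS = {  # constructed sample data; passwords are plaintext only to mirror the lab's leak
    "wiener":        {"roleid": 1, "email": "wiener@example.com", "api_key": "KEY-WIENER", "password": "peter"},
    "carlos":        {"roleid": 1, "email": "carlos@example.com", "api_key": "KEY-CARLOS", "password": "montoya"},
    "administrator": {"roleid": ADMIN_ROLE, "email": "admin@example.com", "api_key": "KEY-ADMIN", "password": "hunter2"},
}
# transcript file name -> (owner, contents); numbered sequentially like the lab's downloads
TRANSCRIPTS = {
    "1.txt": ("carlos", "carlos: I forgot, my password is montoya"),
    "2.txt": ("wiener", "wiener: hello"),
}
SESSIONS = {"sess-wiener": "wiener"}  # session cookie value -> user authenticated at login


def session_user(cookies):
    """Identity as the server recorded it at login; None when not logged in."""
    return SESSIONS.get(cookies.get("session"))


# Lab: User role controlled by request parameter
def is_admin_vulnerable(cookies):
    return cookies.get("Admin") == "true"  # a cookie the client can rewrite decides


def is_admin_fixed(cookies):
    user = session_user(cookies)
    return user is not None and USERS[user]["roleid"] == ADMIN_ROLE


# Lab: User role can be modified in user profile
def update_profile_vulnerable(cookies, body):
    USERS[session_user(cookies)].update(body)  # mass assignment: "roleid": 2 is accepted


UPDATABLE = {"email"}  # the only field the profile form is meant to change


def update_profile_fixed(cookies, body):
    """Applies allowlisted fields only and returns the names it refused."""
    USERS[session_user(cookies)].update({k: v for k, v in body.items() if k in UPDATABLE})
    return sorted(set(body) - UPDATABLE)


# Labs: User ID controlled by request parameter (plain, unpredictable IDs,
# data leakage in redirect, password disclosure)
def my_account_vulnerable(cookies, params):
    """Renders whoever ?id= names. For a user other than the one logged in the
    redirect-leak lab answers with a 302 to /login, but the account page is still
    rendered into that body, so the proxy shows it even though the browser never does."""
    target = params.get("id")
    if target not in USERS:
        return 404, {}, "no such user"
    u = USERS[target]
    body = f"{target}: api_key={u['api_key']} password_field={u['password']}"
    if session_user(cookies) != target:
        return 302, {"Location": "/login"}, body
    return 200, {}, body


def my_account_fixed(cookies, params):
    """The id parameter is ignored: identity comes from the session, and a
    redirect carries no body."""
    user = session_user(cookies)
    if user is None:
        return 302, {"Location": "/login"}, ""
    return 200, {}, f"{user}: api_key={USERS[user]['api_key']}"


# Lab: Insecure direct object references
def transcript_vulnerable(cookies, filename):
    entry = TRANSCRIPTS.get(filename)
    return entry[1] if entry else None  # any number that exists is served


def transcript_fixed(cookies, filename):
    owner, text = TRANSCRIPTS.get(filename, (None, None))
    return text if owner is not None and owner == session_user(cookies) else None
```

Two points worth checking in a real codebase: the fixed role check is only as strong as the stored data it reads, so the allowlist in update_profile_fixed is what keeps is_admin_fixed honest; and a redirect that "protects" a page must also stop rendering it, since the proxy sees everything the browser discards.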