[Mozhe Academy] Identity Authentication Failure Vulnerability Hands-On Practice
2022-07-30 06:34:00 【Wanfeng 129】
On entering the range we see a login page. The only credentials provided are test/test, so we log in with them.
After logging in we can view personal information, but there are no obvious clues, so we use BurpSuite to capture the traffic and look for more.
Two requests are captured; in the second one we find the parameter card_id=20128880322.
This value is identical to the membership number, so we guess that the page returns each person's personal information based on that number.
We use the attack module (Intruder) to brute-force this id.
We mark the last two digits as the variable to brute-force.
Set the payload to the numbers 1-99, stepping by 1.
Judging by the response lengths, we can tell which numbers return personal information.
Viewing the source of the login page shows that Ma Chunsheng's id is 16, so we go back to the attack module and check the response for 16.
It shows the account number m233241 and a password stored as an MD5 hash; cracking the hash gives 9732343.
Try logging in with this account and password.
The login succeeds and we obtain the key.
Thoughts
Be sure to examine the parameters in captured packets carefully, then apply what you have learned to look for a breakthrough point.
Summary
Broken Access Control (BAC) is a common vulnerability in web applications; it ranks second in the OWASP Top Ten web application security risks.
The vulnerability is a flaw in the application's authorization checks: after obtaining a low-privileged account, an attacker can bypass the permission check in some way and access or operate on other users' data or higher-privileged functions. The root cause is mainly that developers over-trust the data sent by the client when adding, deleting, modifying and querying records, and omit the permission check. Such privilege-escalation vulnerabilities are divided into horizontal privilege escalation (other users at the same level) and vertical privilege escalation (higher privilege levels).
Remediation and defense
1. Validate user input on both the front end and the back end (a double-verification mechanism).
2. Verify that the user has permission to call a function before the function is invoked.
3. Before performing key operations, verify the user's identity and check whether that user is permitted to operate on the data.
4. Encrypt or otherwise obscure the resource IDs used in direct object references, so attackers cannot enumerate IDs and harvest sensitive data.
5. Never trust user input; strictly check and filter every client-controllable parameter.
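As an added defender-side example (not part of the original write-up), here is a lookup that trusts the client-supplied card_id the way the range does, beside a version that enforces the ownership check from items 2 and 3, plus an opaque handle in the spirit of item 4. The records, session table and function names are constructed for illustration.

```python
import secrets

# Constructed sample data modelled on the range: card_id doubles as the
# membership number, and the lookup endpoint takes it straight from the client.
PROFILES = {
    20128880316: {"name": "Ma Chunsheng", "account": "m233241"},
    20128880322: {"name": "test", "account": "test"},
}

# Server-side session state: which card each logged-in user actually owns.
SESSION_OWNER = {"test": 20128880322, "m233241": 20128880316}


def profile_lookup_vulnerable(session_user, card_id):
    """Broken: the server never checks whether the caller is allowed to see
    this record, so stepping card_id through 1..99 reveals everyone (horizontal IDOR)."""
    return PROFILES.get(card_id)


def profile_lookup_fixed(session_user, card_id):
    """Fixed: release the record only if it belongs to the caller's own session.
    Returning None for both 'missing' and 'forbidden' avoids a response-length oracle."""
    if SESSION_OWNER.get(session_user) != card_id:
        return None
    return PROFILES.get(card_id)


# Item 4 of the remediation list: hand the client an unguessable handle instead
# of the predictable numeric ID, and resolve it server-side (hypothetical helper).
_HANDLES = {}


def issue_handle(session_user):
    """Return a random token that maps back to the caller's own card_id."""
    token = secrets.token_urlsafe(16)
    _HANDLES[token] = SESSION_OWNER[session_user]
    return token


def profile_lookup_by_handle(session_user, token):
    """Resolve the handle, then still enforce ownership (defence in depth)."""
    card_id = _HANDLES.get(token)
    if card_id is None or SESSION_OWNER.get(session_user) != card_id:
        return None
    return PROFILES.get(card_id)
```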