You could do some security testing, Part 1

On December 2, 2011, in Security, Software Testing, by Indrek Kõnnussaar

There is a class of dangerous security issues that can be found by just looking around. You don't really need technical knowledge to identify these issues, just regular exploratory testing skills. Sounds good, right?

Take a look at the OWASP Top 10 Application Security Risks (the 2010 edition). Specifically, A8 – Failure to Restrict URL Access.

This is a very simple class of problem: the developers let a user do something without first checking that this particular user is allowed to do it. Being logged in is not enough; the application also has to ask whether the logged-in user may perform that action on that object. (Creating new users with administrative privileges, for example. True story.)

OWASP classifies this as an uncommon bug. Based on my (granted, somewhat limited) personal experience, I'd classify this as a really common bug. It is an easy mistake to make and even easier to fix, but the problem is that regular users may discover it. If there is a SQL injection flaw in a web application, regular users won't notice a thing. If there is an 'edit' button visible when viewing another user's profile... well, the situation is not so good (again, true story).

How to find these problems

Finding these bugs in traditional web applications is really simple. Keep an eye on the browser's address bar. Whenever you are doing something that other users or visitors should not be able to do, save the URL. Then open that URL as another user with different or lower privileges, and again as a logged-out visitor; if the page still works, you have found something interesting. Compare the whole response, not just whether something loads: a redirect to the login page or a "403 Forbidden" is fine, a filled-in edit form is not. It is easiest to use several browsers for this, each logged in to a different account (or logged out), because tabs within one browser share the same session cookies.

Taking it further: URL manipulation

In most web applications you will sooner or later see parameters in the URL. For example, in a simple web application this URL might correspond to your profile editing page:

/users?id=105&action=edit

or

/users/id/105/edit

or any other variation.

In this situation, try changing the number to see if you can edit another user’s profile.
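The two checks described above (replaying one saved URL as different users, then walking the id parameter) can be scripted. The following is an added example, not code from the original post: a tiny in-process web app that serves /users?id=N&action=edit and can be started either with the forgotten ownership check (vulnerable) or with it in place (fixed), plus a probe that replays a saved URL once per session and an enumerator that tries other ids. The session tokens, user ids, names and the enforce_owner switch are all constructed for the example.

```python
# Added example, not code from the original post. Session tokens, user ids,
# profile names and the enforce_owner switch are constructed for the demo.
import http.client
import http.server
import threading
import urllib.parse
from http.cookies import SimpleCookie

# Constructed data: session cookie value -> user id, and the profiles that exist.
SESSIONS = {"sess-alice": 105, "sess-bob": 106, "sess-admin": 1}
PROFILES = {1: "admin", 105: "alice", 106: "bob"}
ADMINS = {1}


class EditProfileHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def current_user(self):
        """Who is logged in according to the session cookie (None = nobody)."""
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        if "session" not in cookies:
            return None
        return SESSIONS.get(cookies["session"].value)

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(url.query)
        if url.path != "/users" or query.get("action") != ["edit"]:
            return self.reply(404, "not found")
        user = self.current_user()
        if user is None:  # authentication: nobody logged in -> send to login
            return self.reply(302, "redirecting to /login", location="/login")
        try:
            target = int(query.get("id", [""])[0])
        except ValueError:
            return self.reply(400, "bad id")
        if target not in PROFILES:
            return self.reply(404, "no such user")
        # Authorization: the check the post says developers forget. May *this*
        # user edit *that* profile? Only the fixed server asks the question.
        if self.server.enforce_owner and user != target and user not in ADMINS:
            return self.reply(403, "forbidden")
        return self.reply(200, f"edit form for {PROFILES[target]}")

    def reply(self, status, body, location=None):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        if location:
            self.send_header("Location", location)
        self.end_headers()
        self.wfile.write(data)


def start_server(enforce_owner):
    """Start the app on a free localhost port in a daemon thread; return the port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), EditProfileHandler)
    server.enforce_owner = enforce_owner  # constructed switch: vulnerable vs fixed
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def probe(port, path, sessions):
    """Replay one saved URL once per session (token None = logged out) and
    return {label: HTTP status}. http.client does not follow redirects, so a
    302 to the login page is reported as 302, not as the login page's 200."""
    results = {}
    for label, token in sessions.items():
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        headers = {"Cookie": f"session={token}"} if token else {}
        conn.request("GET", path, headers=headers)
        response = conn.getresponse()
        response.read()
        results[label] = response.status
        conn.close()
    return results


def enumerate_ids(port, token, ids):
    """The URL-manipulation step: as one logged-in user, walk the id parameter
    and return the ids whose edit page actually opens (status 200)."""
    hits = []
    for i in ids:
        status = probe(port, f"/users?id={i}&action=edit", {"me": token})["me"]
        if status == 200:
            hits.append(i)
    return hits


if __name__ == "__main__":
    saved_url = "/users?id=105&action=edit"  # alice's own profile edit page
    users = {"alice": "sess-alice", "bob": "sess-bob", "logged_out": None}
    for name, port in (("vulnerable", start_server(False)), ("fixed", start_server(True))):
        print(name, probe(port, saved_url, users),
              "ids bob can edit:", enumerate_ids(port, "sess-bob", [1, 104, 105, 106, 107]))
```

Against the vulnerable server every logged-in user gets a 200 for alice's edit page and bob's enumeration turns up the admin's profile as well; against the fixed one only alice (and the admin) get a 200, bob gets a 403, and the logged-out visitor is redirected in both cases. Note that the enumerator keys on the status code; in a real application also diff the bodies, since some apps return 200 with an error message.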

Now, you might be thinking: oh come on, you’re just giving me some overly simplified examples, stuff like this couldn’t possibly work in real applications.

Have you heard of the Citibank hacking incident?

“…Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data…” – NYTimes.com

"Once inside" refers to logging in as a regular customer.

Mistakes like these happen more often than you’d want to believe. Seriously.
