15 - Authorisation Bypass (low/med/high) - Damn Vulnerable Web Application (DVWA)

Captions
In this video we're going to take a look at the Authorisation Bypass lab in the Damn Vulnerable Web Application. It's been a couple of years since I made a video for this series. I didn't realise until recently that they'd made some new labs, so I figured I'd make the videos for the remaining labs, and I do intend to remake this series at some point, because I'm not really happy with the quality of the earlier videos. I kind of rushed them, not really expecting them to get very many views, and I hadn't really been making videos very long at the time. So every time I get comments on them and I have to go and review the video to answer questions, I'm always disappointed with, particularly, the audio quality. But it's kind of hard getting used to talking to, not a camera in this case, but just talking to yourself, I guess, and I think I've got a bit better at it now, so hopefully these next two episodes will be better than the rest of the series, if you've been following it through until now.

Okay, so let's start with the lab. It says this page should be accessible by the admin user, and your challenge is to gain access to its features using one of the other users, for example gordonb / abc123. So we're currently logged in as the admin, we're on the low difficulty, and we need to go and log in as gordonb with abc123, and then essentially this page is going to disappear and we need to try and find a way to access it. So let me open up a private window so we can log in as this new user. Go and log in as Gordon; we've already got the credentials saved. And then let's go back down to this lab. So we've got the difficulty on low, we go to... oh, we can't go to the lab, that's right, because the lab's not showing. So what we might do here, first of all, is just have a look at the source code, or we can use the inspector (F12) to actually click here and see what should be there. We could view the source and just search for "authorization" with Ctrl+F, but there isn't actually anything there in this case. However, if we go back to the page we were on previously, let's refresh this one, let's go and have a look at Burp Suite. We'll open up our proxy (you can also just do this with the dev tools as well, that's fine), and here we've got the path. So why don't we just take a copy of this and add this here. So even though we're logged in as gordonb and we've got the difficulty on low at the moment, we were still able to access this page, despite it not being listed.

So this is a nice opportunity to talk about what access control is. I'm over on the PortSwigger Web Security Academy at the moment, and I just want to mention this is something, particularly when getting started, that can be very confusing: the difference between authentication and authorization. So authentication identifies the user and confirms that they are who they say they are. So, for example, when you log into an application you provide your username and password, and that's what you do: you're authenticating yourself, proving that you are that user, because you have that user's password, or you have some kind of biometric data, or two-factor authentication, or whatever it may be. Session management identifies which subsequent HTTP requests are being made by the same user. So once the user logs in, how do you track which requests are going from that user and back to that user from the server? So that's the session management. And then access control determines whether the user is allowed to carry out the action they're attempting to perform. So here's the difference between authentication and authorization: authentication is us being logged in, and authorization is whether we can access different parts of the application, what we're authorized to do as that user. So we might have a role of admin, or we might have a role of a staff member, or we might have a role of a standard user, and it's very important that, for example, a standard user can't simply make a request like we just did there, directly to a page, without that authorization check being done.

And that's also a good time to talk about insecure direct object references, and that's exactly what we've done, really: we've accessed an object directly without authorization. Another example here would be if we were trying to access an account. For example, let's say our account was 420, and then we try and change that 420 to 132355 and try to access a page. Is there any authorization check? Is there anything there to make sure that we are that customer? And if not, then we've got an IDOR vulnerability. If we can access this page without having the authorization that should be tied to that customer, then there's an IDOR vulnerability. Another example is being able to directly access files that you shouldn't have permission to.

I realised I forgot to read the objective of the lab. So our goal is to test the user management system at all four levels of security to identify any areas where authorization checks have been missed. The system is only designed to be accessed by the admin user, so we need to look at the calls made when logged in as the admin and then try to reproduce them when logged in as a different user. And that's exactly what you do in a real application. So if you're able to register a user for free on a bug bounty program, and you go and try to perform some actions, maybe it's changing a password, maybe it's updating some information, and then if you go and create a new account, can you send some of those same requests through with a different ID number attached to them?

So on to the medium level. It says the developer has locked down access to the HTML on the page, but look at how the page is populated when logged in as the admin. So let's go back to our private window, let's refresh the page so we've got this in Burp as well, and that's the page I'm gonna... in fact, let's go back to our non-private window. Let's go and change the difficulty here, change that to medium, submit, and then we'll refresh the page. It's now at medium. Oh, with an admin here, so that's the wrong place, I should be doing it here. All right, change it to medium. We can't go to the page now, because that's the whole point of the challenge, so let's grab that URL again from Burp. We'll go and paste that in here, and now it says "unauthorized". So there's a few things you could try and do here. One thing is we might just want to take this to the Repeater and see, can we use any other request types? So can we actually... let me change that first to OPTIONS, and we just get "unauthorized" there, okay. But maybe we'd be able to try HEAD, or maybe we could just change it to a POST request: change the request method, send, unauthorized. All right, so that didn't work, but that's one thing worth trying. I have seen this happening in the past where you're able to get access to information by changing the request method. However, what we can do, if we go back to... I don't have it in the Repeater, let me go and find it. So we actually have this getuserdata.php. So what if we try to access that file directly? And there we go, we get back all the data. So this is actually getting the data directly back from the API. It's not in the same format and we're not able to interact with it; we can't change the data from here (although we could, just not with this GET request), but we still get access to the data all the same.

Okay, so on to the high level. It says that both the HTML page and the API to retrieve data have been locked down, but what about updates to data? You have to make sure you test every call to the site. So let's do that. We can first of all... I'm going to change that to high, we'll submit that, and we... we can't go... I keep trying to go back to the page, I'm just so used to doing that, but we can't. So let's go back to our admin window. I'm going to click update here to update one of the details and then go and grab this request. And there's a couple of ways we could do this. We could basically change our cookie to be the same as the cookie we're using, change the difficulty on the cookie, and that will make this change on our other account, the... I've got its name now, um, I always forget the usernames, it's gordonb. So that's one thing we could do. We could also make the request here while we have our dev tools open. So let's do an update. Oh, let me go to Network, update, and you could grab this request. You can actually do Copy, and then there's a lot of different ways you can grab this data. You can copy as a cURL command, for example, so you could then just go and paste it into the terminal and go and update whatever you wanted to. But yeah, I'm just gonna use Burp Suite. What I'll do is send our... let's go to our high level here, let me just refresh this page, and then I'll send that to the Repeater, and then I'm going to grab this cookie, which is set to high, and grab that info, and then let's get our update, send that to the Repeater, and just change the cookie, send, and there we go.

Okay, so that's three IDOR vulnerabilities that we looked at. The first two allowed us to access data that we shouldn't be able to with our level of authorization, so we bypassed that authorization mechanism, which was essentially just to hide the page. And then in the second example the page wasn't hidden... well, the page was hidden, but we still couldn't access it directly; it was the actual file that we needed. And then the final one allowed us to modify information which we shouldn't be able to. So three different IDOR vulnerabilities. Again, these are the sort of things you might see in an application where you see a password reset procedure or something like that. I didn't really do too much testing on the impossible level; maybe there are some vulnerabilities. It does say there might be some non-authorization related issues, but if you do find any authorization issues on here with the impossible level then you can report them on the GitHub, because maybe there are some issues which nobody has found yet. Normally in these videos I review the source code as well, but the source code wasn't displayed for these levels. In fact, the first couple of levels actually said there wasn't anything of interest. I believe in this case it says you can have a look at these two files for vulnerabilities, but it's not displaying them here, so I'm going to skip it in this instance. In the next video, then, we'll be looking at the open HTTP redirect, and then hopefully after that, before there's any new labs, I'll get a chance to go back through and remake some of these episodes in a better quality format. Anyway, hope you've enjoyed this video. If you have any questions or comments, as ever, leave them down below. Thanks.
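The testing approach from the video (replay every admin-only call as the non-admin user and see which ones still succeed) as an added example, not DVWA's or CryptoCat's code: the four difficulty levels are modelled as a constructed table of which calls enforce a server-side role check, and the replay reports the calls with a missing check. The `Request` type, the role and call names and the level table are assumptions made for illustration.

```python
# Added example (not DVWA's code): model of the user-management feature at the four
# DVWA levels, used to find calls that lack a server-side authorisation check.
from dataclasses import dataclass

ADMIN_CALLS = ("page", "getuserdata", "update")   # the three calls the lab exposes


@dataclass
class Request:
    user: str              # authenticated user (session already validated)
    role: str              # role looked up server-side from the session, never from the client
    call: str              # one of ADMIN_CALLS
    method: str = "GET"    # HTTP method; a correct check must not depend on it


# Which calls enforce "is admin" at each level (constructed to mirror what the video found:
# low only hides the menu link, medium protects the HTML, high also protects the read API).
CHECKED_CALLS = {
    "low": set(),
    "medium": {"page"},
    "high": {"page", "getuserdata"},
    "impossible": set(ADMIN_CALLS),
}


def handle(level: str, req: Request) -> int:
    """Return an HTTP status for the call; the check keys off the session role only."""
    if req.call in CHECKED_CALLS[level] and req.role != "admin":
        return 403
    return 200


def find_missing_checks(level: str, method: str = "GET") -> list:
    """Replay every call that works for admin as the non-admin user gordonb and
    return the calls that still succeed, i.e. the missing authorisation checks."""
    missing = []
    for call in ADMIN_CALLS:
        as_admin = handle(level, Request("admin", "admin", call, method))
        as_user = handle(level, Request("gordonb", "user", call, method))
        if as_admin == 200 and as_user == 200:
            missing.append(call)
    return missing


if __name__ == "__main__":
    for level in CHECKED_CALLS:
        print(f"{level:10s} missing checks: {find_missing_checks(level) or 'none'}")
```

Switching the method (OPTIONS, HEAD, POST) changes nothing here because the check reads the session role, not the request shape, which is also why that trick failed in the video.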
Info
Channel: CryptoCat
Views: 5,332
Keywords: authorisation bypass, auth bypass, IDOR, insecure direct object reference, access control, DVWA, damn vulnerable web application, burp, burp suite, bug bounty, ctf, exploit, capture the flag, hacking, pen-testing, web security, brute force, command injection, file inclusion, file upload, insecure captcha, sql injection, weak session ids, xss, csp bypass, lfi, rfi, owasp, secure coding, vulnerabilities, appsec, websec, infosec, tutorial, walkthrough, scripts, client-side, devtools, cyber-security
Id: Qcgu34eWQa4
Length: 10min 28sec (628 seconds)
Published: Sat May 20 2023