In this walkthrough, we will be going through the Insecure DOR (Change Secret) vulnerability section from bWAPP Labs. We will be exploring and exploiting IDOR in Change Secret implementations and learn how applications are affected by it. So, let’s get started with the hacking without any delay.
Security: Low
- Setting the security level to Low.
- The application has a change secret functionality where a user can change his secret. It issues a POST request to the insecure_direct_object_ref_1.php file to save the secret in the DB.
- As per the source code and the intercepted request, it sends the username along with the input secret; however, the username has been hardcoded and hidden in the page source. Changing the username causes the IDOR. I changed it to another user in the system, A.I.M., and was able to change that user's secret successfully.
- Checking the changed secret in the DB.
```
root@568543f550ea:/var/www/html/logs# mysql -u root -p
mysql> show database();
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database()' at line 1
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| bWAPP              |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use bWAPP;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;
+----+--------+------------------------------------------+--------------------------+-------------------------------------+-----------------+-----------+------------+-------+
| id | login  | password                                 | email                    | secret                              | activation_code | activated | reset_code | admin |
+----+--------+------------------------------------------+--------------------------+-------------------------------------+-----------------+-----------+------------+-------+
|  1 | A.I.M. | 6885858486f31043e5839c735d99457f045affd0 | [email protected]        | A.I.M. or Authentication Is Missing | NULL            |         1 | NULL       |     1 |
|  2 | bee    | 6885858486f31043e5839c735d99457f045affd0 | [email protected]        | Hello Friend                        | NULL            |         1 | NULL       |     1 |
+----+--------+------------------------------------------+--------------------------+-------------------------------------+-----------------+-----------+------------+-------+
2 rows in set (0.00 sec)

mysql>
```
Conclusion:
So, we have finally completed all the security levels for the bWAPP Insecure DOR (Change Secret) vulnerability. We looked into how the application has been set up at the various levels and how we can bypass the security controls implemented. IDOR attacks can be mitigated by implementing access control checks for each object that users are trying to access; web frameworks often provide ways to facilitate this. Along with that, avoid exposing identifiers in URLs and POST bodies if possible. Instead, determine the currently authenticated user from session information. On that note, I will take your leave and will meet you in the next one with another bWAPP vulnerability writeup. Till then, “Keep Hacking”.
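To make the difference between the Low-level handler and the mitigation above concrete, here is an added Python example (not bWAPP's own PHP code) that models the change-secret operation against an in-memory SQLite copy of the two accounts seen in the users table. The function names, the `session` dictionary standing in for the server-side session, and the reduced three-column `users` table are assumptions for illustration. The insecure handler trusts the `login` field from the POST body, exactly the tampered field in the walkthrough; the secure handler takes the account from the session and ignores that field; the third function shows the per-object check for cases where an object id still has to travel in the request, scoping the UPDATE to rows the session owner is allowed to touch so that a foreign id simply matches nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with the two bWAPP accounts (only the columns
    this example needs); this is not the real bWAPP schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, login, secret) VALUES (?, ?, ?)",
        [(1, "A.I.M.", "A.I.M. or Authentication Is Missing"), (2, "bee", "Hello Friend")],
    )
    conn.commit()
    return conn


def get_secret(conn, login):
    row = conn.execute("SELECT secret FROM users WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None


def change_secret_insecure(conn, session, form):
    """Vulnerable pattern (hypothetical handler mirroring the Low level): the account
    to update is taken from the client-controlled 'login' field in the POST body,
    so the session is never consulted and any existing login can be targeted."""
    cur = conn.execute(
        "UPDATE users SET secret = ? WHERE login = ?", (form["secret"], form["login"])
    )
    conn.commit()
    return cur.rowcount  # 1 whenever the submitted login exists, whoever sent it


def change_secret_secure(conn, session, form):
    """Hardened pattern: the account comes from the server-side session only; a
    'login' field in the request body is ignored entirely."""
    login = session.get("login")
    if login is None:
        raise PermissionError("not authenticated")
    cur = conn.execute(
        "UPDATE users SET secret = ? WHERE login = ?", (form["secret"], login)
    )
    conn.commit()
    return cur.rowcount


def change_secret_by_id(conn, session, user_id, new_secret):
    """Per-object access check for the case where an object id must be sent by the
    client: the UPDATE is scoped to rows owned by the session user, so an id the
    caller does not own matches nothing and rowcount 0 signals a denied request."""
    login = session.get("login")
    if login is None:
        raise PermissionError("not authenticated")
    cur = conn.execute(
        "UPDATE users SET secret = ? WHERE id = ? AND login = ?",
        (new_secret, user_id, login),
    )
    conn.commit()
    return cur.rowcount  # 0 means the object is not owned by the caller


if __name__ == "__main__":
    session = {"login": "bee"}  # bee is the authenticated user
    form = {"login": "A.I.M.", "secret": "changed"}  # hidden login field tampered

    db = make_db()
    change_secret_insecure(db, session, form)
    print("insecure handler, A.I.M. secret:", get_secret(db, "A.I.M."))

    db = make_db()
    change_secret_secure(db, session, form)
    print("secure handler, A.I.M. secret:", get_secret(db, "A.I.M."))
    print("secure handler, bee secret:", get_secret(db, "bee"))
    print("by id, foreign object rows updated:", change_secret_by_id(db, session, 1, "x"))
```

Running the script shows the insecure handler overwriting A.I.M.'s secret from bee's session, while the secure handler only ever touches bee's own row; the id-scoped variant returns 0 for the foreign id, which is the value a server should turn into a 403 and an audit log entry rather than silently succeed.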