Users interact with web servers indirectly, through a browser (Firefox, Chrome, etc.). Servers are exposed to attack because developers have no control over which browser a client uses to reach their site or what data the user submits. A server therefore cannot trust any request a client's browser sends, and every request must be validated on the server side to prevent exploitation.
Tutorial Part 1: Elevation of Privileges
In this Gruyere tutorial I am going to convert my regular user account to an administrator account with special privileges not normally available to ordinary users.
This can be accomplished by simply editing the URL:
http://google-gruyere.appspot.com/123/saveprofile?action=update&is_admin=True
This exploit works because there is no server-side validation. Validation on the server would notice that the request comes from a user without administrative privileges and would deny the request to update the profile with admin rights.
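To make the missing check concrete, here is an added example (not Gruyere's own code) of a minimal saveprofile handler in two versions: the vulnerable one copies is_admin straight from the query string, the fixed one takes the caller's identity from the session and only honours is_admin when that caller is already an administrator. The user store, account names and the editable field names are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class User:
    name: str
    is_admin: bool = False
    profile: dict = field(default_factory=dict)


class ForbiddenError(Exception):
    """Raised when the logged-in user lacks the privilege a request needs."""


def make_users() -> dict:
    # Constructed sample accounts (an assumption of this example, not Gruyere data).
    return {"alice": User("alice"), "root": User("root", is_admin=True)}


# Profile fields an ordinary user may edit about themselves (hypothetical names).
EDITABLE_FIELDS = {"color", "icon"}


def parse_params(url: str) -> dict:
    """Flatten the query string of a request URL into {param: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def save_profile_vulnerable(users: dict, session_user: str, params: dict) -> User:
    """Mirrors the flaw in the tutorial: whatever the client sends, including
    is_admin, is written straight into the logged-in user's account."""
    user = users[session_user]
    for key, value in params.items():
        if key == "is_admin":
            user.is_admin = (value == "True")   # attacker-controlled
        elif key != "action":
            user.profile[key] = value
    return user


def save_profile_fixed(users: dict, session_user: str, params: dict) -> User:
    """Server-side validation: the caller's identity comes from the session,
    and only a user who is already an administrator may set is_admin.
    Every other field must be on an explicit allow-list."""
    user = users[session_user]
    if "is_admin" in params and not user.is_admin:
        raise ForbiddenError("is_admin may only be changed by an administrator")
    for key, value in params.items():
        if key == "is_admin":
            user.is_admin = (value == "True")
        elif key in EDITABLE_FIELDS:
            user.profile[key] = value
        # action=update and unknown parameters are ignored
    return user


if __name__ == "__main__":
    url = "http://google-gruyere.appspot.com/123/saveprofile?action=update&is_admin=True"
    params = parse_params(url)
    print("vulnerable:", save_profile_vulnerable(make_users(), "alice", params).is_admin)
    try:
        save_profile_fixed(make_users(), "alice", params)
    except ForbiddenError as exc:
        print("fixed:", exc)
```

The point of the fixed version is that the privilege decision depends only on state the server already holds (the session and the stored account), never on a parameter the client chose to send.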
Tutorial Part 2: Cookie Manipulation
Since cookies are saved on the client side, they are vulnerable to manipulation. In this part of the tutorial I will manipulate my cookie to look like a cookie from another user.
Google Gruyere issues cookies in the following format: hash | username | admin | author
Because Gruyere does not limit the number of characters in a username I can create the following username: foo|admin|author
The code that parses cookies on the server side is tolerant of abnormal cookies: a cookie string with unexpected characters or an unexpected length will still be read by the server. This means an attacker does not need to know exactly how cookies are parsed on the server side in order to pass a malicious cookie.
By entering the string (foo|admin|author) into the username field I have successfully created an account which will return a cookie for someone with the username 'foo' and with admin rights.
Fix:
To protect against cookie manipulation, a hash should be included in each cookie. A hash algorithm maps data of any size to a value of fixed length. This hash is stored on the server when the cookie is issued in a response to the client, and it is verified on the server when the client returns the cookie in a request.
Source:
http://google-gruyere.appspot.com/part3#3__client_state_manipulation
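As an added example (not Gruyere's own code nor the fix linked above), the following issues and verifies cookies in the hash|username|admin|author layout described in Part 2. It uses a keyed hash (HMAC-SHA256 under a secret only the server knows) rather than storing a hash per cookie on the server, so the server recomputes the tag on each request instead of looking it up; that is a variant of the approach described above. The secret, the flag vocabulary and the sample username are assumptions of the example. Unlike the tolerant parser described in Part 2, the verifier rejects any cookie whose field count, flag values or tag are not exactly what it expects, and a username containing the delimiter is refused at account creation time.

```python
import hashlib
import hmac
import secrets

# Assumption of this example: one secret held only by the server. It is
# regenerated on every start here; a real deployment would persist it.
SERVER_SECRET = secrets.token_bytes(32)
SEP = "|"  # the field delimiter of the hash|username|admin|author layout


class BadCookie(ValueError):
    """Raised when a returned cookie fails validation."""


def _tag(payload: str, secret: bytes) -> str:
    """Keyed hash (HMAC-SHA256) over the cookie fields; the client cannot
    recompute it without the server secret."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, is_admin: bool, is_author: bool,
                 secret: bytes = SERVER_SECRET) -> str:
    """Build hash|username|admin|author for a freshly authenticated user."""
    # Closes the hole from Part 2: a username may not contain the delimiter,
    # so it cannot smuggle extra fields into the cookie.
    if not username or SEP in username:
        raise ValueError("username must be non-empty and free of '%s'" % SEP)
    payload = SEP.join([username,
                        "admin" if is_admin else "",
                        "author" if is_author else ""])
    return SEP.join([_tag(payload, secret), payload])


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> dict:
    """Strict parser: exact field count, flags from a fixed vocabulary and a
    matching tag. Anything else is rejected rather than tolerated."""
    parts = cookie.split(SEP)
    if len(parts) != 4:
        raise BadCookie("expected 4 fields, got %d" % len(parts))
    tag, username, admin, author = parts
    if admin not in ("", "admin") or author not in ("", "author"):
        raise BadCookie("unknown flag value")
    payload = SEP.join([username, admin, author])
    # compare_digest avoids leaking the position of the first mismatch
    if not hmac.compare_digest(tag.encode(), _tag(payload, secret).encode()):
        raise BadCookie("hash does not match cookie fields")
    return {"username": username,
            "is_admin": admin == "admin",
            "is_author": author == "author"}


if __name__ == "__main__":
    cookie = issue_cookie("foo", False, True)
    print(cookie, "->", verify_cookie(cookie))
    # Flipping the admin field without the secret invalidates the tag.
    forged = cookie.replace("|foo||author", "|foo|admin|author")
    try:
        verify_cookie(forged)
    except BadCookie as exc:
        print("forged cookie rejected:", exc)
```

Two properties matter here: the tag covers every field the server later trusts, so editing any of them invalidates the cookie, and the parser is strict, so the "tolerant" behaviour that let a padded username pass in Part 2 no longer exists.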