
THM Advent of Cyber - Day 14

To finish up the week(end) we’re working on catching up on the Advent of Cyber tasks, and today is focused on Web Applications, which fits pretty well with my current project of going through the APISec University course on API hacking, but more about that later next year.

Day 14

What is the office number of Elf Pivot McRed?

Once both the target host and AttackBox boot up, we’ll navigate to http://$IP:8080 and log in with the credentials mcskidy:devtest. We’re shown a simple page with some information about ourselves, and if we look at the URL we can see that it ends in 101.html. This is where IDOR (Insecure Direct Object Reference) comes into play.

We can change the link to e.g., 102.html. A correctly configured and secured system shouldn’t let us access other profiles like that, but in this case we can. This is a massive vulnerability that affects the confidentiality of information, and could possibly lead to even bigger breaches.

In our case we simply try accessing new pages by increasing the number, and soon enough we come across the profile of Elf Pivot McRed and find our answer.

Not only profile pages but also stored images are vulnerable. Start with a URL of a valid profile image; what is the hidden flag?

Next we’ll copy the URL of one of the profile images. They seem to follow the naming convention of the profiles, so we could try to access some new information that way. Either increase or decrease (did you choose right the first time?) the number and soon enough you’ll find the flag, finishing up the task of the day.

Today was a short one, as IDOR is a rather simple concept, but it can lead to massive breaches since it allows an attacker to access information they should not be able to.
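To show where the fix belongs, here is an added example (not from the original post or the TryHackMe lab): a minimal Python sketch of the flaw beside a handler that checks ownership server-side, covering both the numbered profile pages and the images. The records, the `/images/<id>.png` layout and all function names are assumptions made for illustration.

```python
import re

# Constructed records keyed by the numeric ID seen in URLs such as /101.html.
# Only "mcskidy" and 101 come from the write-up; everything else is made up.
RECORDS = {
    101: {"owner": "mcskidy", "profile": "McSkidy's profile", "image": b"img-101"},
    102: {"owner": "elf.two", "profile": "Second elf's profile", "image": b"img-102"},
}
# Hypothetical URL layout: /<id>.html for profiles, /images/<id>.png for pictures.
ROUTE = re.compile(r"/(?:(?P<pid>\d{1,6})\.html|images/(?P<iid>\d{1,6})\.png)")
DENIED = {}  # session user -> count of refused object requests (for alerting)


def _lookup(path):
    """Return (record, field) for a well-formed URL, or (None, None)."""
    m = ROUTE.fullmatch(path)
    if not m:
        return None, None
    field = "profile" if m.group("pid") else "image"
    return RECORDS.get(int(m.group("pid") or m.group("iid"))), field


def serve_vulnerable(session_user, path):
    """IDOR: any logged-in user gets whatever ID the URL names."""
    record, field = _lookup(path)
    if session_user is None or record is None:
        return 404, None
    return 200, record[field]


def serve_checked(session_user, path):
    """Same lookup, but the record must belong to the session's user."""
    record, field = _lookup(path)
    if session_user is None or record is None or record["owner"] != session_user:
        if session_user is not None:
            DENIED[session_user] = DENIED.get(session_user, 0) + 1
        # Same 404 for "missing" and "not yours", so IDs cannot be confirmed.
        return 404, None
    return 200, record[field]
```

A session whose `DENIED` count climbs quickly is requesting objects it does not own, which is a useful signal to alert on.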

This post is licensed under CC BY 4.0 by the author.