One of the easiest ways around weak access control in a web application is to edit the URL in the browser's address bar so that it points to a record the user does not own (an insecure direct object reference).

“The media storage library worked really well, faster than we expected.  To view our image we entered the image number on a screen form and clicked the [view] button.  We tried increasing the image number on the form to an image owned by somebody else – access denied – fair enough.  Then we viewed one of our own images and altered the URL in the browser.  We could see somebody else's image!  Of course we didn't buy that media storage system”

Normally the server performs an authorization check on every request it receives – one for each action button on every screen, and equally for any URL a user can type or edit by hand.  A check only on the screen form, as in the quote above, is no check at all, because the browser can send whatever request it likes; the check must run on the server, against the logged-in user's identity, each time.

In “Company X”, digital copies of financial letters sent out to customers were also made available in PDF form on the Internet.  A customer could log into the website to see a link to download a copy of their letter.  The URL was:

http://{domain}/secure/customer/letter335.pdf  (335 was the sequential ID of the customer)

Of course, the first thing one sneaky customer did was log in to view their own letter, then change the '335' in the URL to '336' to see if it was secured properly.   

http://{domain}/secure/customer/letter336.pdf 

Using this method they were able to view customer 336's financial information, breaching government privacy legislation.  Because the IDs were sequential, they wrote a script that walked through every ID and downloaded all the PDFs, and began reading sensitive information about competitors.  Worse, inserting '..' into the URL escaped the per-customer folder and exposed the entire secure folder on the file system, including Company X's own financial statements:

http://{domain}/secure/customer/../
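The two failures in the Company X story, trusting the letter number in the URL and trusting the path in the URL, are fixed by the same per-request check described earlier: derive the one object the logged-in customer may read from the session, canonicalise whatever path the client sent, and refuse anything else.  The following is an added, self-contained example (not Company X's code or anything from the original post) that builds a throwaway `secure/customer/` folder, shows the vulnerable handler serving a neighbour's letter and the `..` traversal, and then shows the hardened handler refusing both.  The session-to-customer table, file contents and function names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Constructed sample data: which authenticated session belongs to which
# customer.  335 and 336 are the customer IDs from the story; the session
# tokens are made up.
SESSIONS = {"sess-a": 335, "sess-b": 336}


def build_fixture(root: Path) -> None:
    """Hypothetical on-disk layout mirroring the story: one letter per
    customer under secure/customer/, and the company's own statements one
    level up in secure/ (constructed content, not real documents)."""
    (root / "customer").mkdir(parents=True)
    (root / "customer" / "letter335.pdf").write_bytes(b"%PDF letter for 335")
    (root / "customer" / "letter336.pdf").write_bytes(b"%PDF letter for 336")
    (root / "statements.pdf").write_bytes(b"%PDF company X financial statements")


def vulnerable_get_letter(root: Path, session_id: str, requested: str) -> bytes:
    """Company X's behaviour: being logged in is the only check, and the file
    name comes straight from the URL, so 'letter336.pdf' and
    '../statements.pdf' are served to any customer."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return (root / "customer" / requested).read_bytes()


def safe_get_letter(root: Path, session_id: str, requested: str) -> bytes:
    """Per-request authorization: the object this session may read is derived
    from the authenticated customer, and the client-supplied path is only
    compared against it after canonicalisation."""
    customer_id = SESSIONS.get(session_id)
    if customer_id is None:
        raise PermissionError("not logged in")
    letter_dir = (root / "customer").resolve()
    # 1. Object-level authorization: the single letter this customer owns.
    allowed = letter_dir / f"letter{customer_id}.pdf"
    # 2. Containment: resolve '..', symlinks and absolute paths, then require
    #    the result to still sit inside the letter directory.  This is the
    #    general traversal check you need even when a user owns many files.
    target = (letter_dir / requested).resolve()
    if letter_dir not in target.parents:
        raise PermissionError("path escapes the letter directory")
    # 3. Ownership: the canonical target must be exactly the caller's letter.
    if target != allowed:
        raise PermissionError(f"customer {customer_id} may not read {requested}")
    return target.read_bytes()


def demo() -> dict:
    """Run both handlers against the fixture as customer 335 (session 'sess-a')
    and report what each one serves or refuses."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "secure"
        build_fixture(root)
        results = {}
        # A customer reading their own letter is allowed by the hardened handler.
        results["own"] = safe_get_letter(root, "sess-a", "letter335.pdf")
        # The vulnerable handler hands over the neighbour's letter and, via
        # '..', the company's statements outside the customer folder.
        results["vuln_other"] = vulnerable_get_letter(root, "sess-a", "letter336.pdf")
        results["vuln_traversal"] = vulnerable_get_letter(root, "sess-a", "../statements.pdf")
        # The hardened handler refuses both.
        for name, req in (("safe_other", "letter336.pdf"),
                          ("safe_traversal", "../statements.pdf")):
            try:
                safe_get_letter(root, "sess-a", req)
                results[name] = "served"
            except PermissionError:
                results[name] = "denied"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The ownership comparison in step 3 would on its own reject the traversal too, but the containment check in step 2 is kept separate because it is the one that generalises: once a customer can own several files, you still need every resolved path to stay under the directory you intended to serve from, and `Path.resolve()` followed by a parent check is the simplest way to get that in Python.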

It wasn't long before Company X was in the news.