WebApp Sec mailing list archives
RE: Insecure Ids - Need explanation
From: "Patrick" <patrick () curioustechnology com>
Date: Mon, 17 Apr 2006 13:54:27 -0700
It's worded confusingly, but I think the point they're trying to get across here is that if you have an easily guessable function- let's say you have a web application that you notice has the following url: http://www.example.com/default.asp?getContent You later notice that you can get a specific piece of content with the next url: http://www.example.com/default.asp?getContentByContent?Id=23921 The naming convention is pretty easy to get a handle on here, and it's no great leap of the imagination to see that you may be able to delete that exact content with the following url: http://www.example.com/default.asp?deleteContentByContentId?Id=23921 So if your application doesn't do a check to see that the caller is authenticated for a given function, then anyone can perform that function. Because there is a pretty common set of assumptions for managed web applications with respect to design, you're likely to see attacks that will be derivatives of this id guessing approach. And ID's don't have to be words- they could be numbers. If they're based on a database's primary keys, they're likely to be sequential, so once you've got one ID, you can start looking for numbers within range of your that to tinker with. The moral of the story is: authenticate a user and then check for authorization for your function calls. Don't rely on obscure urls that can only be found by clicking a certain page as the level of security needed for keeping people out of administrative features on your applications. -Patrick -----Original Message----- From: susam_pal () yahoo co in [mailto:susam_pal () yahoo co in] Sent: Monday, April 17, 2006 9:19 AM To: webappsec () securityfocus com Subject: Insecure Ids - Need explanation This is an extract from OWASP. Insecure Id's - Most web sites use some form of id, key, or index as a way to reference users, roles, content, objects, or functions. If an attacker can guess these id's, and the supplied values are not validated to ensure the are authorized for the current user, the attacker can exercise the access control scheme freely to see what they can access. Web applications should not rely on the secrecy of any id's for protection. ================================================= Can anyone please elaborate this part, "If an attacker can guess these id's, and the supplied values are not validated to ensure the are authorized for the current user, the attacker can exercise the access control scheme freely to see what they can access." I have never used such ids, indexes or keys when I developed authentication systems to reference users or roles. What kind of ids or keys are we talking about? How can an attacker use a guessed id? ------------------------------------------------------------------------- This List Sponsored by: SPI Dynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl -------------------------------------------------------------------------- ------------------------------------------------------------------------- This List Sponsored by: SPI Dynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Insecure Ids - Need explanation susam_pal (Apr 17)
- RE: Insecure Ids - Need explanation Patrick (Apr 17)
- Re: Insecure Ids - Need explanation Andrew van der Stock (Apr 17)
- Re: Insecure Ids - Need explanation Reid Nichol (Apr 17)
- RE: Insecure Ids - Need explanation Rod Divilbiss (Apr 17)
- RE: Insecure Ids - Need explanation M. Burnett (Apr 17)
- Re: Insecure Ids - Need explanation Andrew van der Stock (Apr 17)
- RE: Insecure Ids - Need explanation Patrick (Apr 17)