WebApp Sec mailing list archives

RE: Insecure Ids - Need explanation


From: "M. Burnett" <mb () xato net>
Date: Mon, 17 Apr 2006 10:53:33 -0600

Web developers commonly use URLs like this:
www.example.com/view.asp?pageid=1&userid=123

There are two examples of IDs. Developers commonly use these to identify
users, user levels, or to navigate a database-driven web application.

My first thought when I see something like that is what will happen if I
change either of those IDs. Will I be able to gain access to a page I
shouldn't have access to? Can I just change the userid to trick the site
into thinking I am another user? You must have some mechanism in place to
prevent users from jumping around your security system just by playing
around with those IDs.

Flaws like this aren't as common as they used to be but I still see them.
Many, many web sites have been compromised over the years because they never
anticipated someone playing around with the URL. But it's not just the
URL--you also have to watch POST variables, cookies, and other forms of user
input.

The problem with IDs is that they are so often sequential or otherwise
predictable. Usually a user ID of 0 or 1 is the most interesting user,
perhaps an administrator or developer. Sometimes an invalid ID will produce
interesting results.


Mark Burnett





-----Original Message-----
From: susam_pal () yahoo co in [mailto:susam_pal () yahoo co in] 
Sent: Monday, April 17, 2006 10:19 AM
To: webappsec () securityfocus com
Subject: Insecure Ids - Need explanation

This is an extract from OWASP.

Insecure IDs - Most web sites use some form of id, key, or index as a way
to reference users, roles, content, objects, or functions. If an attacker
can guess these ids, and the supplied values are not validated to ensure
they are authorized for the current user, the attacker can exercise the
access control scheme freely to see what they can access. Web applications
should not rely on the secrecy of any ids for protection.

=================================================
Can anyone please elaborate this part,

"If an attacker can guess these ids, and the supplied values are not
validated to ensure they are authorized for the current user, the attacker
can exercise the access control scheme freely to see what they can access."

I have never used such ids, indexes or keys when I developed authentication
systems to reference users or roles. What kind of ids or keys are we talking
about? How can an attacker use a guessed id?
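The mechanism Mark describes, as an added example that is not part of either message in the thread: a request handler that trusts the userid in the URL, next to one that derives the acting user from the server-side session and checks that the requested pageid belongs to that user. The in-memory SQLite tables, the user and page rows, and the session dictionary are all constructed for the example; the hardened handler also treats a non-numeric id as "not found" rather than letting it reach the query, and returns the same answer for "does not exist" and "not yours" so the id space cannot be probed.

```python
# Added example, not code from the thread: direct object reference with and
# without an ownership check. All data below is constructed for the example.
import secrets
import sqlite3


def make_db():
    """Tiny constructed database: users and the pages they own."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (123, "alice", "user"), (124, "bob", "user")],
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, 123, "alice's private page"), (2, 124, "bob's private page")],
    )
    return conn


def view_insecure(conn, session, params):
    """Vulnerable pattern: the handler believes whatever userid the request
    carries, so changing userid=123 to userid=124 in the URL returns Bob's page
    to anyone. The session is never consulted."""
    userid = int(params["userid"])
    pageid = int(params["pageid"])
    row = conn.execute(
        "SELECT body FROM pages WHERE id = ? AND owner = ?", (pageid, userid)
    ).fetchone()
    return row[0] if row else None


def view_secure(conn, session, params):
    """Hardened pattern: the acting user comes from the server-side session,
    never from the request, and the requested page must belong to that user.
    A userid parameter in the URL is simply ignored."""
    try:
        pageid = int(params.get("pageid", ""))
    except ValueError:
        # Malformed id: same answer as "not found", nothing reaches the query.
        return None
    owner = session["user_id"]
    row = conn.execute(
        "SELECT body FROM pages WHERE id = ? AND owner = ?", (pageid, owner)
    ).fetchone()
    # None for both "no such page" and "not yours": the caller cannot tell
    # which, so the id space gives away nothing about other users' objects.
    return row[0] if row else None


def new_opaque_id():
    """Defence in depth only: an unguessable identifier for new objects.
    It does not replace the ownership check above."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    db = make_db()
    alice = {"user_id": 123}          # constructed session for Alice
    tampered = {"pageid": "2", "userid": "124"}   # Alice asks for Bob's page
    print("insecure:", view_insecure(db, alice, tampered))   # bob's private page
    print("secure:  ", view_secure(db, alice, tampered))     # None
    print("own page:", view_secure(db, alice, {"pageid": "1"}))
    print("opaque id:", new_opaque_id())
```

The point of the pair is that the authorization decision must be made from state the client cannot edit (the session) against the object being requested; whether the id is sequential or random only changes how easy it is to find other objects, not whether access to them is permitted.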

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world examples
of recent hacking methods such as: SQL Injection, Cross Site Scripting and
Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------