
Broken Access Control (Tryhackme and Owaspbwa)



Access Control → It's how web applications grant access to content and functions to certain (or all) users.

Broken access control could look like this: if we can access and download a file that was meant only for another user, that's broken access control. This type of vulnerability can also be called IDOR (Insecure Direct Object Reference).

This vulnerability occurs when an application uses user-supplied input to access objects directly, without checking that the current user is allowed to see them.

TryHackMe (OWASP TOP 10 [Task 18])

If this is your first time working on TryHackMe and you don't know how to set it up, check out the bonus resource section at the end.

Navigate to: https://tryhackme.com/room/owasptop10 → Task 18

Start the machine, go to the URL, and log in with the username and password.

Let's try changing the note parameter to different values:

  - note=2 → no output
  - note=3 → no output
  - note=0 → we get a note back

We got the note (or flag) from a different account, which means it's an example of a broken access control vulnerability: the application trusts the note id from the URL and never checks who owns that note.
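To make the failure concrete, here is an added example (not code from the TryHackMe room) of a notes lookup done the broken way and the fixed way, plus a small detection helper. The note table, user names, flag text and the `flags_id_enumeration` helper are all constructed for the example.

```python
# Constructed sample notes table: id -> owner and body.
# Note 0 stands in for the "other account's note" reached via note=0.
NOTES = {
    0: {"owner": "alice", "body": "flag{constructed-sample}"},
    1: {"owner": "bob", "body": "buy milk"},
    2: {"owner": "alice", "body": "meeting at 10"},
}


class Forbidden(Exception):
    """Raised when a user asks for a note they do not own (or that does not exist)."""


def parse_note_param(raw: str) -> int:
    """Parse the ?note= query parameter strictly: only a non-negative integer."""
    if not raw.isdigit():
        raise ValueError("note must be a non-negative integer")
    return int(raw)


def get_note_vulnerable(current_user: str, note_id: int) -> str:
    """IDOR: the id from the query string is used directly as the lookup key.

    current_user is accepted but never consulted, so note=0 returns
    another account's note exactly as in the room.
    """
    return NOTES[note_id]["body"]


def get_note_fixed(current_user: str, note_id: int) -> str:
    """Ownership check: the lookup is scoped to the logged-in user.

    A missing id and a foreign id both raise the same error, so the
    endpoint does not leak which ids exist.
    """
    note = NOTES.get(note_id)
    if note is None or note["owner"] != current_user:
        raise Forbidden(f"note {note_id} is not accessible to {current_user}")
    return note["body"]


def flags_id_enumeration(requests, threshold: int = 3):
    """Detection helper (constructed): return the sessions that requested more
    than `threshold` distinct note ids. Walking ids 0,1,2,3,... from one
    session is the typical footprint of IDOR probing."""
    seen = {}
    for session, note_id in requests:
        seen.setdefault(session, set()).add(note_id)
    return {s for s, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print(get_note_vulnerable("bob", 0))  # leaks alice's note
    try:
        get_note_fixed("bob", 0)
    except Forbidden as e:
        print("blocked:", e)
```

The fix is the single `note["owner"] != current_user` comparison: every object lookup keyed by a client-supplied id needs that comparison (or a query that includes the owner in its WHERE clause), and returning the same error for "not yours" and "does not exist" keeps the id space from being mapped.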

OWASPBWA

(Vulnerable Machine Link and setup video in the bonus resources)

Navigate to: OWASP 2013 → A4 - Insecure...References → SourceViewer

Example 1


Turn on the intercept in Burp Suite and select any file, let's say login.php.


BOOM!!!

Example 2

Let's try modifying the file name in the URL directly.

Again an example of broken access control, because we can see file content that we are not supposed to view: the viewer opens whatever file name it is handed instead of restricting itself to the files it was built to show.
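An added example (not bWAPP's own SourceViewer code) of a source viewer that accepts any file name versus one restricted to an allowlist and to its own directory. The sample web root, its file names and contents, and the `ALLOWED_SOURCES` set are constructed for the example.

```python
import os
import tempfile

# Assumption: the only files the viewer is meant to display.
ALLOWED_SOURCES = {"login.php", "index.php"}


def make_sample_root() -> str:
    """Create a constructed web root with two viewable sources and one file
    (config.inc) that should never be shown to a visitor."""
    root = tempfile.mkdtemp()
    files = {
        "login.php": "<?php // login ?>",
        "index.php": "<?php // index ?>",
        "config.inc": "<?php $db_pass = 'constructed'; ?>",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


def view_source_vulnerable(root: str, requested: str) -> str:
    """Broken: the client-supplied name is joined to the root and opened as-is.
    Any file name the visitor types into the URL is served back."""
    with open(os.path.join(root, requested)) as fh:
        return fh.read()


def view_source_fixed(root: str, requested: str) -> str:
    """Fixed: the request must name one of the intended files, and the
    resolved path must still lie under the root after normalisation."""
    if requested not in ALLOWED_SOURCES:
        raise PermissionError(f"{requested!r} is not a viewable source")
    real_root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(real_root, requested))
    # Defence in depth: even an allowlisted name must resolve inside the root
    # (protects against a symlink or a later, sloppier edit of the allowlist).
    if os.path.commonpath([real_root, path]) != real_root:
        raise PermissionError("resolved path escapes the web root")
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    root = make_sample_root()
    print(view_source_vulnerable(root, "config.inc"))  # leaks the config
    try:
        view_source_fixed(root, "config.inc")
    except PermissionError as e:
        print("blocked:", e)
```

The allowlist is the real control; the `realpath` containment check is the caveat a reviewer would ask for, because it keeps the viewer safe even if someone later replaces the set with a looser pattern match.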

2. Ticket Price IDOR

Navigate to http://192.168.29.74/bWAPP/portal.php

Select the ticket-ordering bug from the dropdown.

Turn on the intercept and confirm the order again with 10 tickets as input.

Let's change the price in the intercepted request to 1 EUR.

It worked.

Only 10 EUR is deducted from our bank account instead of 150 EUR for 10 tickets.

Now change the security level to Medium.

The request still carries ticket_quantity, so we can try adding a ticket_price parameter ourselves and see if the server still honours it.

Yes, it worked.

If we change the security level to 3 it won't work, but what if we change both parameters in that request and also set the security level to 0?

It works.

We cheated a little bit by making 'security_level = 0', but it's ok.
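Both tricks in this section rely on the server trusting a value the client controls: the ticket price, and the security level. The following added example (not bWAPP's own code) shows a checkout that computes the total from a client-supplied price next to one that takes the price only from its own catalog and the security level only from server-side configuration, with a small tamper alert for logging. The unit price of 15 EUR is an assumption derived from the 150 EUR for 10 tickets shown above; the form dictionaries are constructed.

```python
# Assumption: catalog price per ticket, taken from 150 EUR / 10 tickets above.
TICKET_PRICE_EUR = 15
MAX_TICKETS_PER_ORDER = 100

# Assumption: the security level lives in server-side config, not in a cookie.
SERVER_SECURITY_LEVEL = 2


def checkout_vulnerable(form: dict) -> int:
    """Broken: if the request carries ticket_price, that value is used.
    Supplying ticket_price=1 with ticket_quantity=10 charges 10 EUR."""
    quantity = int(form["ticket_quantity"])
    price = int(form.get("ticket_price", TICKET_PRICE_EUR))
    return quantity * price


def parse_quantity(raw: str) -> int:
    """Accept only a positive integer within the order limit."""
    if not raw.isdigit():
        raise ValueError("ticket_quantity must be a positive integer")
    quantity = int(raw)
    if quantity < 1 or quantity > MAX_TICKETS_PER_ORDER:
        raise ValueError("ticket_quantity out of range")
    return quantity


def checkout_fixed(form: dict) -> int:
    """Fixed: only the quantity is read from the client; the price always comes
    from the catalog, so an injected ticket_price is simply ignored."""
    quantity = parse_quantity(form["ticket_quantity"])
    return quantity * TICKET_PRICE_EUR


def price_tamper_alert(form: dict) -> bool:
    """Detection helper: a client-supplied ticket_price that differs from the
    catalog price is worth an alert even though checkout_fixed ignores it."""
    if "ticket_price" not in form:
        return False
    return form["ticket_price"] != str(TICKET_PRICE_EUR)


def effective_security_level(cookies: dict) -> int:
    """Fixed: the security level is a server decision. A security_level cookie
    (the page sets it to 0) is read only so it can be logged, never obeyed."""
    if "security_level" in cookies and cookies["security_level"] != str(SERVER_SECURITY_LEVEL):
        print(f"warning: client sent security_level={cookies['security_level']}, ignoring")
    return SERVER_SECURITY_LEVEL


if __name__ == "__main__":
    tampered = {"ticket_quantity": "10", "ticket_price": "1"}
    print(checkout_vulnerable(tampered))  # 10 EUR charged
    print(checkout_fixed(tampered))       # 150 EUR charged
    print(price_tamper_alert(tampered))   # True
    print(effective_security_level({"security_level": "0"}))
```

The general rule the example illustrates: anything that affects money, authorization or the security posture of the application is looked up server-side from the authenticated session or configuration, and a client field that tries to override it is treated as a signal, not as input.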

Resources

  1. OWASPBWA vulnerable machine
  2. OWASPBWA VM setup video


© 2022 Ashutosh Singh Patel