[Problem]
The developer of the vulnerable application has implemented a logged-in page but has forgotten to add an important check. Find a way to bypass the login page.
You have the vulnerable code below. See if you can spot the programming error.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class Ch1Loggedin
 */
@WebServlet("/Ch1Loggedin")
public class Ch1Loggedin extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Verifies if the user is authenticated:
     * the "authToken" cookie must match the "authToken" attribute stored in the session.
     * @param request
     * @return
     */
    protected boolean isAuthenticated(HttpServletRequest request) {
        String authToken = (String) request.getSession().getAttribute("authToken");
        Cookie[] cookies = request.getCookies();
        boolean isAuth = false;
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                Cookie cookie = cookies[i];
                String cookieName = cookie.getName();
                String cookieValue = cookie.getValue();
                if (cookieName.equals("authToken") && cookieValue.equals(authToken))
                    return true;
            }
        }
        return isAuth;
    }

    /**
     * @see HttpServlet#HttpServlet()
     */
    public Ch1Loggedin() {
        super();
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @SuppressWarnings("unused")
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // The vulnerability: isAuthenticated() is never called here, so the protected
        // content is written for every request.
        response.getWriter().println("You're logged in");
    }
}
[Problem description]
This challenge asks us to find, in the Java servlet source above (it is a servlet class, not a JSP page), a flaw that lets us reach functionality that should require a login without ever logging in.
[Vulnerability hint]
The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: 'Missing Authentication for Critical Function'.
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
From MITRE CWE-306
This weakness is catalogued as CWE-306: the software performs functionality that requires a provable user identity, or that consumes significant resources, without actually enforcing authentication on that functionality, so an attacker can bypass the login and reach it directly.
[Solution]
- Open https://securecodingdojo/insecureinc/ch1.jsp
The page asks for a username and password before going any further, but we have no valid credentials, so we look in the source code given with the challenge for something that lets us bypass this page.
- Change the URL to https://securecodingdojo/insecureinc/Ch1Loggedin
The line @WebServlet("/Ch1Loggedin") in the source maps the servlet to the URL path /Ch1Loggedin (servlet mappings are case-sensitive, so the capital C matters). The class's constructor only calls the parent HttpServlet constructor and sets nothing up:
public Ch1Loggedin() {
super();
}
So nothing relevant happens at construction time. We request the page with the GET method, which the container dispatches to the servlet's own doGet override (not the parent's), and that override is the whole of the protected function:
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
@SuppressWarnings("unused")
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.getWriter().println("You're logged in");
}
This doGet never calls isAuthenticated() or any other authentication check; the request parameter is not even read (hence the @SuppressWarnings("unused")), so no session or cookie is inspected before the protected content is written. Requesting /Ch1Loggedin directly therefore needs no login, and the challenge is solved. You can confirm this from a fresh client with no session and no cookies, e.g. curl -i https://securecodingdojo/insecureinc/Ch1Loggedin, which answers 200 with the body "You're logged in". The authentication check exists in the class; it is simply never invoked, which is exactly CWE-306.
Tuesday, August 28, 2018
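How the missing check would be added, as an example written for this write-up rather than code from Secure Coding Dojo. It shows two layers: the servlet calling the check itself before writing anything, and a servlet Filter on the protected URL pattern so that a servlet which forgets the call is still covered. Assumptions: the javax.servlet API of the original (jakarta.servlet in newer containers), that the login page is ch1.jsp under the application's context path, and that /secure/* is a hypothetical second protected path. The helper and the filter are package-private here only so that one listing compiles; in a project each top-level class goes in its own public source file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Shared check: the session's authToken must match the authToken cookie. */
final class AuthCheck {
    private AuthCheck() {}

    static boolean isAuthenticated(HttpServletRequest request) {
        // getSession(false): do not create a session just because an anonymous request arrived
        HttpSession session = request.getSession(false);
        if (session == null) return false;
        String authToken = (String) session.getAttribute("authToken");
        Cookie[] cookies = request.getCookies();
        if (authToken == null || cookies == null) return false;
        byte[] expected = authToken.getBytes(StandardCharsets.UTF_8);
        for (Cookie cookie : cookies) {
            if ("authToken".equals(cookie.getName())) {
                byte[] actual = cookie.getValue().getBytes(StandardCharsets.UTF_8);
                // constant-time comparison of the token bytes
                if (MessageDigest.isEqual(expected, actual)) return true;
            }
        }
        return false;
    }

    /** Assumed login page location: ch1.jsp at the root of the context path. */
    static void reject(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.sendRedirect(request.getContextPath() + "/ch1.jsp");
    }
}

/** Fix 1: the servlet performs the check before doing anything else (replaces the original). */
@WebServlet("/Ch1Loggedin")
public class Ch1LoggedinFixed extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!AuthCheck.isAuthenticated(request)) {
            AuthCheck.reject(request, response);
            return; // never fall through to the protected content
        }
        response.getWriter().println("You're logged in");
    }
}

/** Fix 2: a filter on the protected URL patterns, so a servlet that forgets the call is still covered. */
@WebFilter(urlPatterns = {"/Ch1Loggedin", "/secure/*"}) // "/secure/*" is a hypothetical extra path
class AuthFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!AuthCheck.isAuthenticated(request)) {
            AuthCheck.reject(request, response);
            return; // do not continue the chain to the servlet
        }
        chain.doFilter(req, res);
    }
}
```

With either layer in place, the same curl request without cookies no longer returns "You're logged in" but a redirect to the login page. The filter is the more robust of the two: it keeps the authentication decision in one place keyed on the URL pattern, so adding a new protected servlet does not depend on every developer remembering to call the check.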