Web Security with Python | Insecure Direct Object References

Cyber Security Python
Transcript

English (Auto-generated)

everyone it is heads. And today we're going to learn about my door or insecure direct object references. That's where you know you're loading up messages or some other secret thing and you do it with a number right? Like 123. And it only checks that when you when it loads up the messages it make sure you're logged in. But it doesn't make sure that your user should have access to that message. Okay. And if that doesn't make sense yet. Don't worry because we're going to code it up right now. So the first thing we're gonna do is I have this little starter Hello World app. First thing we're gonna do is make an app in flats that allows you to read messages. So I'll just make something called user exceptions. Normally we would implement authentication and science session cookies. But to make life a little easier, I'm going to hand code some sessions. We pretend that these would be like session cookies basically kim what did I say? Their admin admin? No, thank you. We'll call this joe you know what we'll do? The good old bob and Alice. Great. All right. And we'll have an api point where you can load a message and we will not give it a user name. We will give it a you get an I. D. And I think I can find a type like that. I'll just Yeah, I think so. And I'll go and put I'd be here and just to make sure it's working let uh Alright convert to a stream because you can't turn into yours uh and blast like that. I'm gonna add one to it just to make sure that it is an integer to like make sure I'm understanding it. Alright great. Let's see if it works. Sorry my windows open today. There's a bunch of pollen. I have the sniffles like crazy. I have been a very tropical area. Okay so we got to run this flask run. Oh no I. D. Does not exist. Okay what is this? I think that's how you do it. There we go. And since you can only see a command and I'm gonna do this all in curl. Say let's get messages and let's get message four and it should give us the number five And messages its message and it gives us five. Perfect. Alright beautiful. So let's set it up so that we have an authentication so that if you say your you know such and such person we can make sure that you really are that person. And I guess I should switch these because the session would be a random number. Like the session would be the thing. That's a crazy random number and that would go along with the huge man. So there you go. Yeah. Alright perfect. So when they're requesting they should submit a cookie. So I'll say cookie pick roles. Beautiful college session. That's good and I have to import request. Let's see if the way I figure it out. Okay. Too many things. Okay great. Getting requests there. I have the cookie and now I will say that the user we all say not so by default will give me none. I'll say if fashion cookie it's none return no session cookie found and a 403. Not authorized error. I think that's what 403 is. I'm gonna google that real quick. I forget. Yeah forbidden forbidden perfect session. You're forbidden. Oh okay. Alright and I forget how to add cookies to curl because I'm gonna use curl. Thank you. Mhm. Oh it's literally dash dash cookie. Okay so just do this. I write I have to I have to restart the app running in flask. Okay flats run and no session cookie found. OMG what am I gonna do? Well let's add a session cookie backslash cookie equals and I think you just stay back that and the cookie is going to say that it's gonna be called the session it's going to equal 12345. Who will that make me? That'll make me bob and great. Now it works. Right um so let's actually return to messages. Let's say we have messages, messages can be messages can be I don't know um We could use an array of messages we could use a dictionary I guess since we're passing this number like that it could be the index. I'm not really sure how to do it. Let's just use indexing like this. Oh great. That is beautiful wow. Okay so okay what we're gonna do is we're gonna return the message at that index. Right? So the only indexes will have are zero and one. So I will return messages. And I'm gonna give it at the index they give us which is I. D. That's it. Let's see how that that should that should give us whatever message we asked for. As long as we have a valid session could be. And I have a dimensional server error list. Index out of range. Why? Because I'm still giving uh only have zero and one. Right? So what I should do and say try this and if there's an index error then I'll return message not found. Er Four exceptions are actually very inefficient in python. So it would probably be best to actually just see if that's bigger than the length and act accordingly. But yeah we'll do this because it works and that should handle that. So let's try just make sure we get that 404 five and great message. Not found beautiful. All right. And if we try one that we should get like one we get Hello world user Alice and zero user bob. But wait a second we're authenticating as bob. Right? 12345 is the session cookie of Bob. Alright, so we should be able to access Bob's message which is #0. Okay. We shouldn't be able to access that. So what do we do and what's the solution? Well well well all we have to do, I mean we've seen how we've developed this and it makes sense right? We you have to have a valid session cookies so we have some security here but we're not making sure that the person getting the message is actually the person that message belongs to. And this is realistic because you could have an A. P. I. That's just saying hey you give us the idea, we give you the message, you're authenticated and the app uh you know loads up like message equals one. The person sees that they change it and they see they can get someone else's message. It happens all the time. It used to be in the spotlight A wasp top 10 I think it isn't anymore but but let's see what happens. So imagine we had our Junior Dev Dave come in here and be like oh I've implemented this amazing feature, you know hacker harry comes in, he's bob, I should have called him harry because he's hacker Harry but whatever he's bob, he goes and see if he can read his message. Just try changing the 0 to 1 and says whoa they're not making sure that that the session cookie correlates that the user correlates basically to the person who actually owns that message. They're just saying hey load up messages for that user and that's it? Wonderful what are we gonna do about it? Well it's super super easy. So here where we say okay the session cookie is legit. Okay well we want to make sure is that the user is correct? So how do we get the user? We'll just have another check here. Well let's say because we will say user equals at okay if none then. And they've actually uh they actually have submitted an invalid session cookie. So that's one possibility is that there is no user but then we want to make sure that this user matches whatever message we're about to get. So what we want to say is and we'll put this inside of the try block because we're gonna be accessing this by its I. D. I would say if messages I. D. User does not equal the user and we say hey that's not your message. Beautiful. That's all we got to say. So let's restart the app. And let's make our request first. We're gonna try request, we should be able to do right? We have the session 12345 here and we're gonna access the message that belongs to Bob. Who's session cookie? That is great message. Hello world user bob. I'd rather we have from and a bunch of other cool data but we're keeping it minimal here and let's see what's happened has has a senior dev Samantha came in. She had these awesome security checks isn't she the best. I'm gonna try to access that other message. Not your message. Beautiful. We are now totally hacker proof. I'm sure there's still many things we can improve here. I mean obviously there are but and you know, feel free to comment and if you see anything. But yeah, there you go. I hope that was helpful for you. That is I door or insecure direct object reference. It's sort of a classic vulnerability. So I hope that's been helpful. Thanks a lot for your time. And I will see you in the next cast by by.
45 Views 0 Likes 0 Comments

Let's say you log into a site and load your messages. You notice the messages each have an ID number. What if you could put in a different ID number, and access someone else's messages?

Comment
Leave a comment (supports markdown format)