web for pentesters 2 mass assignment

For this post I’ll be going through the mass assignment examples in Web for Pentesters 2. Mass assignment takes advantage of how some web frameworks let a programmer bind HTTP request parameters directly to model attributes. An attacker abuses this by sending extra request parameters, in the hope that the application will write them into attributes the form never exposed (an admin flag, a foreign key, and so on). OWASP has a good write-up on how it works in different languages and how to protect against it.

This walkthrough will show you how to exploit this flaw using a web proxy. These examples take advantage of the mass assignment behaviour of Ruby on Rails applications.

Example 1:

So first off, load up the example page and then the proxy of your choice, making sure it is set up to intercept the traffic.

Then sign up as a regular user.

Once the request has been sent, go to your proxy app.

In the intercepted sign-up request, append the parameter &user[admin]=1 after the existing user[...] parameters and forward it. The same bracket syntax the form uses for name and email is what lets the value land on the model as the admin attribute.

Example 2:

Same as above. I think I may have done the first example a little wrong :S


Example 3:

This example follows the same steps as before, except that instead of adding user[admin]=1 to get admin, you add user[company_id]=2 to gain access to company 2’s secret data.
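To show why those extra parameters work, here is an added example that is not code from the Web for Pentesters 2 app or from this post. It imitates, in plain Ruby, how Rails turns user[admin]=1 into params["user"]["admin"] and then binds that hash onto a model, and puts a vulnerable model (everything in the request is assigned) next to a hardened one (only the attributes the form is meant to set are assigned). The attribute names name, email, admin and company_id are taken from the parameters used in the three examples above; the parser is a deliberately minimal approximation of Rack's nested-query parsing, not the real thing.

```ruby
require 'cgi'

# Parse a query string with one level of bracket nesting, e.g.
#   "user[name]=bob&user[admin]=1"  =>  {"user"=>{"name"=>"bob","admin"=>"1"}}
# This is a simplified stand-in for Rack::Utils.parse_nested_query.
def parse_nested_query(query)
  params = {}
  query.split('&').each do |pair|
    key, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
  params
end

# Vulnerable model: every key the client sends is written straight onto the
# object, as an old Rails model with no attr_accessible / attr_protected would do.
class VulnerableUser
  attr_accessor :name, :email, :admin, :company_id

  def initialize(attrs)
    @admin = false     # defaults a normal sign-up is supposed to keep
    @company_id = 1
    attrs.each do |k, v|
      setter = "#{k}="
      # Unknown keys are ignored here; the point is that admin= and
      # company_id= are reachable from the request.
      public_send(setter, v) if respond_to?(setter)
    end
  end
end

# Hardened model: an explicit permit list. Anything not on it is dropped
# (and returned so the caller can log the attempt).
class HardenedUser
  PERMITTED = %w[name email].freeze
  attr_accessor :name, :email, :admin, :company_id, :rejected

  def initialize(attrs)
    @admin = false
    @company_id = 1
    @rejected = []
    attrs.each do |k, v|
      if PERMITTED.include?(k)
        public_send("#{k}=", v)
      else
        @rejected << k
      end
    end
  end
end

# Simulate the sign-up controller: parse the body and build the model.
def signup(model_class, query)
  params = parse_nested_query(query)
  model_class.new(params.fetch('user', {}))
end

# Constructed request bodies matching the post's examples.
EXAMPLE1 = 'user[name]=bob&user[email]=bob%40example.com&user[admin]=1'
EXAMPLE3 = 'user[name]=bob&user[email]=bob%40example.com&user[company_id]=2'

if __FILE__ == $0
  v1 = signup(VulnerableUser, EXAMPLE1)
  h1 = signup(HardenedUser, EXAMPLE1)
  puts "Example 1 vulnerable admin=#{v1.admin.inspect}, hardened admin=#{h1.admin.inspect} (rejected #{h1.rejected.inspect})"
  v3 = signup(VulnerableUser, EXAMPLE3)
  h3 = signup(HardenedUser, EXAMPLE3)
  puts "Example 3 vulnerable company_id=#{v3.company_id.inspect}, hardened company_id=#{h3.company_id.inspect}"
end
```

In a real Rails app the permit list is attr_accessible (Rails 3) or strong parameters, params.require(:user).permit(:name, :email), in the controller (Rails 4 and later); either way the fix is the same idea as PERMITTED above: decide server-side which attributes a given form may set, and never let admin or company_id be one of them.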

That will be it for now; hopefully by next week I’ll have either the captcha examples or the randomness issues examples done.