The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

the responsibility of each such page to perform suitable access control checks,

and confirm that the user has the relevant privileges to perform the action that

they are attempting.

However, in some cases, requests for protected resources are made directly

to the static resources themselves, which are located within the web root of the

server. For example, an online publisher may allow users to browse its book

catalog and purchase ebooks for download. Once payment has been made, the

user is directed to a download URL like the following:

https://wahh-books.com/download/0636628104.pdf

Because this is a completely static resource, it does not execute on the server,

and its contents are simply returned directly by the web server. Hence, the

resource itself cannot implement any logic to verify that the requesting user

has the required privileges. When static resources are accessed in this way, it is

highly likely that there are no effective access controls protecting them and

that anyone who knows the URL naming scheme can exploit this to access any

resources they desire. In the present case, the document name looks suspi-

ciously like an ISBN, which would enable an attacker to quickly download

every ebook produced by the publisher!

Certain types of functionality are particularly prone to this kind of problem,

including financial web sites providing access to static documents about com-

panies such as annual reports, software vendors who provide downloadable

binaries, and administrative functionality that provides access to static log

files and other sensitive data collected within the application.

Download 5,76 Mb.

Do'stlaringiz bilan baham: