OWASP Security Shepherd Project - Insecure Object Reference Bank (Insecure Direct Object Reference Challenge)
Challenge
Solution
In this challenge, we need to transfer enough money into a specific account to pass it. Let's register an account with username/password admin/admin and then log in with the account we just created.
Currently, we have $0 in our account. Let's try to transfer money and see what happens in the HTTP requests.
It seems that our account number is 3. Let's try to transfer as much money as we can from every other account number (for example, 1, 2, 4, 5, ...).
It seems that we have successfully transferred money from account 2 to 3. Let's log out and log in again to our admin account.
So... because the bank application uses sequential integers as user account IDs and never checks whether the logged-in user actually owns the source account (an authorization check, not just a login check), we can transfer money freely between any accounts in the bank! Horrible!!
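To make the root cause concrete, here is an added example (not code from the Security Shepherd project): a toy in-memory bank with the transfer handler in its vulnerable form, which only checks that someone is logged in, beside a hardened form that also checks the session user owns the source account, plus a small audit-log helper a defender could use to spot a session being denied on many foreign account IDs. The account numbers, owners, balances and the `Bank` API are all constructed for this illustration.

```python
"""Added example (not part of Security Shepherd): IDOR in a bank transfer
endpoint, vulnerable form beside the authorization-checked form.
All account ids, owners and balances below are constructed sample data."""

from dataclasses import dataclass, field


class TransferError(Exception):
    pass


@dataclass
class Bank:
    # account_id -> [owner username, balance]; constructed sample data
    accounts: dict = field(default_factory=lambda: {
        1: ["alice", 500],
        2: ["bob", 1000],
        3: ["admin", 0],
        4: ["carol", 250],
    })
    audit_log: list = field(default_factory=list)

    def _move(self, src, dst, amount):
        """Shared bookkeeping: validates accounts and amount, then moves money."""
        if src not in self.accounts or dst not in self.accounts:
            raise TransferError("no such account")
        if amount <= 0 or self.accounts[src][1] < amount:
            raise TransferError("invalid amount")
        self.accounts[src][1] -= amount
        self.accounts[dst][1] += amount

    def transfer_insecure(self, session_user, src, dst, amount):
        """Vulnerable: authenticates (is anyone logged in?) but never authorizes
        (does session_user own `src`?). Any logged-in user can drain any id."""
        if session_user is None:
            raise TransferError("login required")
        self._move(src, dst, amount)
        self.audit_log.append((session_user, src, dst, amount, "OK"))

    def transfer_secure(self, session_user, src, dst, amount):
        """Hardened: the source account must belong to the session-bound user.
        Binding the object to the caller's identity is the IDOR fix; the
        id in the request is never trusted on its own."""
        if session_user is None:
            raise TransferError("login required")
        owner = self.accounts.get(src, [None])[0]
        if owner != session_user:
            # Record the denied attempt: one session being refused on several
            # distinct source ids is the signal a detection rule can key on.
            self.audit_log.append((session_user, src, dst, amount, "DENIED"))
            raise TransferError("forbidden")
        self._move(src, dst, amount)
        self.audit_log.append((session_user, src, dst, amount, "OK"))

    def balance(self, acct):
        return self.accounts[acct][1]


def attempt(fn, *args):
    """Return True if the transfer succeeded, False if it was rejected."""
    try:
        fn(*args)
        return True
    except TransferError:
        return False


def denied_source_ids_per_user(audit_log):
    """Detection helper: number of distinct foreign source accounts each user
    was denied on. A user touching several is probing account ids."""
    seen = {}
    for user, src, _dst, _amount, result in audit_log:
        if result == "DENIED":
            seen.setdefault(user, set()).add(src)
    return {user: len(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    weak = Bank()
    attempt(weak.transfer_insecure, "admin", 2, 3, 1000)
    print("insecure: admin balance =", weak.balance(3))  # money taken from bob

    strong = Bank()
    for src in (1, 2, 4):
        attempt(strong.transfer_secure, "admin", src, 3, 100)
    print("secure: admin balance =", strong.balance(3))
    print("denied ids per user:", denied_source_ids_per_user(strong.audit_log))
```

The fix is the single ownership comparison in `transfer_secure`; switching to random, non-sequential account ids would make guessing harder but is not a substitute for that check. The audit entries also give you something to alert on, which the original application (and the vulnerable handler here) never produces.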
Enjoy life!