Re: [WEB SECURITY] Header information
- From: Chris Patten <cpatten@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Header information
- Date: Tue, 01 Jul 2008 14:01:57 -0400
Ricky, if the header parameter is presented to the web browser, which
sounds to be the case here, use an inline application proxy to perform
the verification. This will allow you to capture the HTTP
Request/Response and evaluate all the data within.
In this case, trap the HTTP Request, change the "consumerID" to
whatever value you want, and forward the Request on to the Server. Then
verify whether you have vertical privilege escalation.
Many proxy solutions exist, but I personally prefer Portswigger's
"BurpSuite". You may also want to check out OWASP's "WebScarab".
On Tue, 2008-07-01 at 13:40 +0000, Ricky wrote:
>
> Hi All,
>
> While doing a code review of the application, I came across a
> scenario in which the Id is taken from a header.
>
> If the id is '0' then the user is Admin, else a normal user.
>
> My doubt: Is the code below vulnerable to elevation of
> privilege (by changing the value to 0)?
>
> Also, which tool can I use to cross-verify it in the browser?
>
> I tried to change the consumerID variable using some tools, including
> Fiddler and a few others, but was unable to see the "consumerID" variable.
>
> <%
> // Get the consumer Id from the headers
> // and render the JSP if the consumer is not an Admin
>
> String consumerID = request.getHeader("ConsumerID");
>
> if((consumerID != null && !consumerID.equals("0")))
> {
> %>
> <jsp:doBody />
> <%
> }
> %>
>
> Thanks in advance
>
> ~Nik
>
--
Thanks,
Chris Patten
Sunera LLC
cpatten[at]sunera.com
813-480-6505
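The quoted JSP fragment decides who is an admin from a request header, which the client fully controls. The following is an added example (not code from this thread or either poster) that puts that header-based check next to two server-side alternatives; the session attribute name "role" and the container role "admin" are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: client-controlled header check beside server-side role checks. */
public final class AdminCheck {
    private AdminCheck() {}

    // Mirrors the JSP fragment in the thread: an absent or "0" ConsumerID header is
    // treated as Admin. The header is set by the client, so any caller can send
    // "ConsumerID: 0" (or omit it) and be treated as Admin by this check.
    public static boolean isAdminFromHeader(HttpServletRequest request) {
        String consumerID = request.getHeader("ConsumerID");
        return consumerID == null || consumerID.equals("0");
    }

    // Hardened variant: derive the role from server-side state written at login
    // (assumed session attribute "role"), never from anything the client sends.
    // Fails closed when there is no authenticated session.
    public static boolean isAdminFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object role = session.getAttribute("role");
        return "admin".equals(role);
    }

    // Alternative when the servlet container manages authentication and the
    // role is declared in the deployment descriptor (assumed role name "admin").
    public static boolean isAdminViaContainer(HttpServletRequest request) {
        return request.getUserPrincipal() != null && request.isUserInRole("admin");
    }
}
```

In the tag file, `if (!AdminCheck.isAdminFromSession(request)) { ... <jsp:doBody/> ... }` then keeps the original "render for non-admins" behaviour without trusting the ConsumerID header.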
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org