WebApp Sec mailing list archives

Re: Insecure Ids - Need explanation

From: Reid Nichol <rnichol_rrc () yahoo com>
Date: Mon, 17 Apr 2006 11:50:16 -0700 (PDT)

Someone please correct me if I'm wrong.

How I would interpret this is, if you store login info in a cookie and
that login info can be guessed and the web app doesn't verify the login
info, then that's a problem.

e.g.
Say that the login id in a cookie is the user id.  Say that this can be
guessed because the user id is just an auto increment field in the DB
and the web app doesn't keep track of who is logged in aside from
trusting that the cookies are authentic because they exist.

So, an attacker could create there own cookie and see which user id's
are good ones.  Furthermore, the attacker could go through the valid
id's and see which ones have what access.

Now, if some of these users happen to have admin privileges, that would
be a rather large problem; the attacker just got him/her-self admin
privileges.


best regards,
Reid Nichol


--- susam_pal () yahoo co in wrote:

This is an extract from OWASP.

Insecure Idï¿½s ï¿½ Most web sites use some form of id, key, or index

as

a way to reference users, roles, content, objects, or functions. If
an attacker can guess these idï¿½s, and the supplied values are not
validated to ensure the are authorized for the current user, the
attacker can exercise the access control scheme freely to see what
they can access. Web applications should not rely on the secrecy of
any idï¿½s for protection. 

=================================================
Can anyone please elaborate this part,

"If an attacker can guess these idï¿½s, and the supplied values are

not

validated to ensure the are authorized for the current user, the
attacker can exercise the access control scheme freely to see what
they can access."

I have never used such ids, indexes or keys when I developed
authentication systems to reference users or roles. What kind of ids
or keys are we talking about? How can an attacker use a guessed id?

-------------------------------------------------------------------------

This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site

Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl

--------------------------------------------------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Insecure Ids - Need explanation susam_pal (Apr 17)
- RE: Insecure Ids - Need explanation Patrick (Apr 17)
  - Re: Insecure Ids - Need explanation Andrew van der Stock (Apr 17)
- Re: Insecure Ids - Need explanation Reid Nichol (Apr 17)
- RE: Insecure Ids - Need explanation Rod Divilbiss (Apr 17)
- RE: Insecure Ids - Need explanation M. Burnett (Apr 17)
- Re: Insecure Ids - Need explanation Andrew van der Stock (Apr 17)