Business Logic Vulnerabilities - Lab #3 Inconsistent security controls | Short Version


Contents (2 segments)

Segment 1 (00:00 - 05:00)

Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number three in the business logic vulnerabilities module, titled "Inconsistent security controls". All right, let's get started.

This lab's flawed logic allows arbitrary users to access administrative functionality that should only be available to company employees. To solve the lab, access the admin panel and delete Carlos. All right, so the target goal over here is to explore the logic flaw to access the admin panel and then delete the Carlos user.

Let's access the lab. Now notice over here, this is the built-in browser in Burp, and so all my requests are already being recorded in my Burp proxy. All right, so the first thing that I'm going to do is try and look for this admin panel. So in a real-world engagement, what you could do is you could go to the Target endpoint over here and then from here click on "Discover content", so under, I believe it was, Engagement tools, and what that'll do is it'll fuzz the application to see if there's any directories that are hidden. However, we're using the Community Edition of Burp, and so what we're going to do is we're just going to fuzz it manually and try to find the admin panel. So my first guess is going to be /admin. Let's see if that works, and it does. So you could see over here, this is the admin interface; however, it's only available if you're logged in as a DontWannaCry user. So you have to be, in order to log in to the admin interface, which means that we need to either compromise this user account or somehow exploit a vulnerability in the application that allows us to become part of that category of users.

So if you click on "My account" and we go back to the proxy, it allows you to log in. We weren't given credentials, so what I'm going to do is I'm going to click on "Register" and see if it allows me to register a user. So the first thing that I'm going to do is add a username, so "test", and then I'm going to add a user that has this endpoint over here, and if it allows me to register without actually confirming my registration by sending me an email to this specific email address, then I should be able to log in with that specific email address. So that would be a vulnerability on its own, but let's see if that works. So test@dontwannacry.com, and then let's say the password is "test". Click "Register". Over here it says "Please check your emails for your account registration link". Of course, I don't have access to that email, and so what I'm going to do is I'm going to see if it allows me to log in without confirming my registration. So "test" was the username and then the password was also "test". Hit "Login", and it doesn't. So it looks like I need to register with an account where I can actually go to that email address and confirm my registration.

Now, the nice thing about the Web Security Academy is that it's self-sufficient, so over here you don't have to create a fake email and then use it in order to register; they already have an email client for you. So let's copy that, which would be our email address, and let's register using it. So let's say "test2", this is our email address, and then the password is just "test". Hit "Register". It says it sent the registration link to that email address, so let's reload it to see if now we have something in our inbox, and we do. So this is the registration link right over here. We're going to click on it. It says account registration is successful, and if we click on "My account" right now and try to log in using those credentials, so "test2" and then the password was just "test", hit "Login", and we've logged into the application.

Now again, if we try to access the admin panel, it won't let us access it, because it says you have to be a DontWannaCry user in order to access the admin panel. So I'm going to go back, and I need to find a vulnerability in the application so that I could change my email address to one in the DontWannaCry domain, so that I can access the admin panel. So we do have a functionality that allows you to update an email address, and so let's try and update it to test@dontwannacry.com, hit email, and it doesn't look like it requires me to confirm that email or that I actually own that email address. And so let's try and access the admin panel right now, and here we go, we're able to access the admin panel, because it has unfettered access to anyone that has an email address in that domain, or can fool the application into thinking that they have an email address for that domain. And now I can delete the Carlos

Segment 2 (05:00 - 06:00)

user, and you could see it says "Congratulations, you solved the lab". All right, so we successfully completed the exercise by exploiting the vulnerability manually. Usually we script all of our exploits in Python; however, since this lab requires you to have an email server, you could technically still script it using the email server in the Web Security Academy. However, to me, I like my scripts to only be dependent on the application itself and nothing external other than that. And so if I were to script the exploit, I would create a fake email address for myself and then access my email client in order to retrieve that specific email address, and that's something that I've done in previous engagements, where you've got a bot that parses the email address and then extracts the link that you need in order to complete the exercise. However, that requires advanced Python skills, and so it's out of scope for this video. All right, in the next lab we'll look at a more complex case of a business logic vulnerability. If you like the video, hit the subscribe and share button so that the video reaches a wider audience. Also make sure to check out my course if you're interested in seeing more videos like this one. Thank you, and see you in the next video.
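To make the inconsistency the video walks through concrete, here is an added example (not code from the video, from Rana Khalil, or from PortSwigger): a minimal in-memory model in which admin access depends only on the domain of the account's email, with the lab-style email-change handler that trusts the submitted address placed beside a hardened one that only commits the new address after a token sent to that address is presented. The User class, the EMPLOYEE_DOMAIN constant and all function names are assumptions made for this illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

EMPLOYEE_DOMAIN = "dontwannacry.com"  # the lab grants /admin to addresses in this domain


@dataclass
class User:
    username: str
    email: str                              # address the application treats as owned
    pending_email: Optional[str] = None     # staged change awaiting proof of ownership
    pending_token: Optional[str] = None


def is_employee(user: User) -> bool:
    """Authorization used by /admin: employee iff the OWNED email is in the company domain."""
    _, sep, domain = user.email.rpartition("@")
    return bool(sep) and domain.lower() == EMPLOYEE_DOMAIN


def vulnerable_update_email(user: User, new_email: str) -> None:
    """Lab-style handler: stores whatever the user submits, with no ownership check."""
    user.email = new_email


def hardened_update_email(user: User, new_email: str) -> str:
    """Stage the change and return the token that would be mailed to new_email only."""
    token = secrets.token_urlsafe(32)
    user.pending_email, user.pending_token = new_email, token
    return token


def confirm_email(user: User, token: str) -> bool:
    """Commit the staged address only if the caller presents the token sent to it."""
    if user.pending_token is None or not secrets.compare_digest(token, user.pending_token):
        return False
    user.email, user.pending_email, user.pending_token = user.pending_email, None, None
    return True


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario mirroring the lab: 'test2' registered with an outside address."""
    attacker = User("test2", "test2@example.com")
    vulnerable_update_email(attacker, "test@" + EMPLOYEE_DOMAIN)
    vuln_admin = is_employee(attacker)                   # True: the flaw reproduced
    same_user = User("test2", "test2@example.com")
    hardened_update_email(same_user, "test@" + EMPLOYEE_DOMAIN)
    still_locked_out = not is_employee(same_user)        # True: unverified address ignored
    guessed = confirm_email(same_user, "not-the-token")  # False: inbox is not readable
    return vuln_admin, still_locked_out, guessed
```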

More videos by this author: Rana Khalil
