Thursday, October 11, 2012

This year's top complex web attack

My two year old is learning to count. As far as he's concerned, it's just a fun way to chant while in the car. However, I will say that one of the things we see over and over in our assessments of web applications is web developers thinking that we cannot count!

In other words, you will often see this in hand-written web applications:

https://www.example.com/webapp/getfile.php?fileid=5121

This is obviously better than passing the path itself, as in file="\path\to\file.txt" (which invites path traversal), but in our experience at least 90% of the time there is no access control on fileid at all: the application looks the id up and serves the file without ever asking whether the logged-in user owns it. Every user can therefore browse every other user's files simply by incrementing or decrementing 5121 to 5122, 5123, 5120, and so on. The numeric id is a direct reference to the object, and counting is the whole exploit.
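To make the flaw and its fix concrete, here is an added example (not code from the original post) that models the getfile.php?fileid=5121 handler in Python with an in-memory table standing in for the database. The user names, ids and file contents are constructed for illustration. It shows the vulnerable lookup, the hardened lookup scoped to the session user, and the attacker's loop that walks neighbouring ids:

```python
"""Insecure direct object reference (IDOR) on a sequential file id.

Added example modelled on getfile.php?fileid=5121 from the post.  The
"database" is an in-memory dict so the script runs offline; all records
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner: str
    content: bytes


# Constructed sample data: three users, each owning one file with a
# sequential id (exactly the situation the post describes).
FILES: Dict[int, StoredFile] = {
    5120: StoredFile(5120, "alice", b"alice's tax return"),
    5121: StoredFile(5121, "bob", b"bob's medical record"),
    5122: StoredFile(5122, "carol", b"carol's payroll export"),
}


class NotFound(Exception):
    """Raised when the caller may not see the requested file."""


def get_file_vulnerable(session_user: str, file_id: int) -> bytes:
    """The pattern the post describes: the id is looked up, the logged-in
    user is never consulted, so any authenticated user can read any file."""
    record = FILES.get(file_id)
    if record is None:
        raise NotFound(file_id)
    return record.content


def get_file_fixed(session_user: str, file_id: int) -> bytes:
    """Hardened handler: the lookup is scoped to the session user.

    Ownership is checked together with existence so that "not yours" and
    "does not exist" are indistinguishable to the caller.  Answering 403
    for one and 404 for the other would still let an attacker enumerate
    which ids are live.
    """
    record = FILES.get(file_id)
    if record is None or record.owner != session_user:
        raise NotFound(file_id)
    return record.content


def enumerate_ids(handler: Callable[[str, int], bytes], session_user: str,
                  start: int, radius: int) -> Dict[int, bytes]:
    """What the attacker does in the post: start from an id they legitimately
    hold and try every neighbour within +/- radius, keeping whatever is
    returned.  Returns {file_id: content} for the ids that succeeded."""
    leaked: Dict[int, bytes] = {}
    for fid in range(start - radius, start + radius + 1):
        try:
            leaked[fid] = handler(session_user, fid)
        except NotFound:
            continue
    return leaked


if __name__ == "__main__":
    # Bob legitimately holds id 5121 and simply counts up and down from it.
    print("vulnerable:", enumerate_ids(get_file_vulnerable, "bob", 5121, 2))
    print("fixed:     ", enumerate_ids(get_file_fixed, "bob", 5121, 2))
```

In the real application the ownership condition belongs in the database query itself (a WHERE clause on both the id and the session's user id) rather than in a separate check after the row is fetched, so that there is no code path that returns a row the caller may not see. Replacing sequential ids with random, unguessable tokens slows enumeration down but does not substitute for the check: a token that leaks through a log, a referrer or a shared link still grants access without it.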

I have included an explanatory video of this amazingly complex hack below! :>