Solution apps a1 tictactoe - Broken Access Token #640
This solution refers to which of the apps?
A/M# - Broken Access Token - A1 - TicTacToe

What did you do to mitigate the vulnerability?
The SecDevLab reports that the TicTacToe application presents some vulnerabilities. To mitigate these vulnerabilities, we add a function called `verifyCurrentUser` to control the user's access to their information and statistics. The function `verifyCurrentUser` verifies the information about the user from the JWT token (`username` in the payload section, as we see in the image below) and compares the value `username` of the JWT token with the information filled in the parameter `user` from the request.

Did you test your changes? What commands did you run?
First, we reproduce the proof of concept of the attack. Then, we add a function to control access to users' information.

Reproduce the attack
To reproduce the attack, we start by creating two users (`user1` and `user2`) in the TicTacToe application. Then, I log in to generate a JWT token for `user1`, stored in the cookie named `tictacsession`. Now, we copy the cookie value `tictacsession=<JWT-token>`.
After that, we use the cookie value to execute the command to get statistics information, as we can see in the image below.
But, if I change the value of the `user` parameter to `user2` using the JWT token of `user1`, we get the statistics information of `user2`. In the same way, we can update the results of each game using the cookie value. Also, we can update the game results of other users using the cookies of `user1`.

Solution
We add the function `verifyCurrentUser` to check if the current user can execute the request. Getting statistics information, we execute the command asking for `user1` information using the `user1` JWT token. But, if we try to get `user2` information with the `user1` JWT token, we do not have authorization to get this information. Updating the results of the game, we execute the command to update `user1` game information using the `user1` JWT token. But, if we try to update `user2` game information with the `user1` JWT token, we do not have authorization to get this information.