[DOCS] Update A5 Attack Narrative
Krlier committed Jan 10, 2019
1 parent 5388a3d commit 6a5ca94
Showing 4 changed files with 11 additions and 12 deletions.
23 changes: 11 additions & 12 deletions owasp-top10-2017-apps/a5/ecommerce-api/docs/ATTACK.md
Expand Up @@ -9,33 +9,32 @@ If you don't know [secDevLabs] or this [intended vulnerable web application][2]
In order to better understand how this API works, two users, `user1` and `user2`, were created as shown below:

```sh
$ curl -s H "Content-Type: application/json" -d '{"username":"user1","password":"pass"}' http://localhost:8888/register
$ curl -s -H "Content-Type: application/json" -d '{"username":"user1","password":"pass"}' http://localhost:8888/register
```
```sh
$ curl -s H "Content-Type: application/json" -d '{"username":"user2","password":"pass"}' http://localhost:8888/register
$ curl -s -H "Content-Type: application/json" -d '{"username":"user2","password":"pass"}' http://localhost:8888/register
```

<p align="center">
<img src="attack1.png"/>
</p>

The users created above are registered on MongoDB, as we can see from the image below:
The users created above are registered on MongoDB and we can get their `userID` through the curl command:

<p align="center">
<img src="attack2.png"/>
</p>


NOTE: We could also get an user's `userID` through the command below, which sends a POST request to the `login` route:
```sh
$ curl -d '{"username":"user1","password":"pass"}' http://localhost:8888/login
$ curl -s -H "Content-Type: application/json" -d '{"username":"user1","password":"pass"}' http://localhost:8888/login
```
```sh
$ curl -d '{"username":"user2","password":"pass"}' http://localhost:8888/login
$ curl -s -H "Content-Type: application/json" -d '{"username":"user2","password":"pass"}' http://localhost:8888/login
```

<p align="center">
<img src="attack2.png"/>
</p>

## 🔥

Now, having the user's `userID`, we can verify that the route `GET /ticket/:userID` does not validade if the request was made by the user with the corresponding `userID` or someone else, as shown by the image:
Having both `userID`, we can verify that the route "`GET /ticket/:userID`" does not validade if the request was made by the same user or someone else without the proper permission, as shown by the image:

<p align="center">
<img src="attack3.png"/>
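Review bot: the typo `validade` (should be `validate`) survives in the rewritten sentence that begins "Having both `userID`, we can verify that the route"; while fixing it, name the missing check explicitly, e.g. "does not validate that the authenticated user matches the `:userID` in the path", since that is the broken access control this narrative demonstrates (and "both `userID`" should read "both `userID`s"). Two smaller points in the same hunk: `attack2.png` is referenced twice, once after the MongoDB sentence and again after the `login` NOTE, so one of the two is probably the wrong screenshot; and "we can get their `userID` through the curl command" should say which command returns it (the `/register` response above or the `/login` request in the NOTE). The added `-H` in the four `curl` lines is correct, as `curl -s H ...` would have treated `H` as a URL.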
Binary file modified owasp-top10-2017-apps/a5/ecommerce-api/docs/attack1.png
Binary file modified owasp-top10-2017-apps/a5/ecommerce-api/docs/attack2.png
Binary file modified owasp-top10-2017-apps/a5/ecommerce-api/docs/attack3.png
