EC Council CASE.NET_Common Application-Level Attacks_lab4.Insecure Direct Object Reference_The danger of database serial numbers that simply increment by 1, or of sequential identifiers in general
An attacker abuses the web application's own "object access" function to read files they should not be allowed to view.
For example, the serial-number ids that appear in a page's URL.
The objects may be things like web pages, images, files, and so on.
(Path Traversal is one form of this.)
A certain XXX bank website management system
User login
User Name: tester1
Password: test1
Look at the details of one particular transaction
Account ID: 1144229904
Step 2: Click Get Account Details button.
Account details will be displayed.
What about viewing someone else's transaction details?
```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Labs.Lab4
{
    public partial class Transaction : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }

        protected void BtnGetTransactions_Click(object sender, EventArgs e)
        {
            var HTML = string.Empty;
            if (Txt_accno.Text != null)
            {
                string strcon = ConfigurationManager.ConnectionStrings["accounts"].ConnectionString;
                SqlConnection con = new SqlConnection(strcon);
                // The query is parameterised (no SQL injection), but it filters on the
                // user-supplied account number only: nothing ties the row to the logged-in user.
                SqlCommand cmd = new SqlCommand(
                    "Select Firstname, LastName, mobile, email, Accid, AcountType, AccNumber, AvailableBalance " +
                    "from accounts a inner join BankDetails b on a.uid = b.accid where b.AccNumber = @uid", con);
                SqlParameter uid = new SqlParameter("@uid", SqlDbType.VarChar);
                uid.Value = Server.HtmlEncode(Txt_accno.Text);
                cmd.Parameters.Add(uid);
                SqlDataAdapter da = new SqlDataAdapter(cmd);
                DataSet ds = new DataSet();
                try
                {
                    da.Fill(ds);
                }
                catch
                {
                    ds = null;
                }
                // Guard against the failed-fill case, where ds was set to null above.
                if (ds != null && ds.Tables.Count > 0 && ds.Tables[0].Rows.Count > 0)
                {
                    HTML = "<h3>Account Details</h3> </br><h4><table cellpadding='10' style='colspan=30px; color:black'>"
                        + "<tr><td>Account Name:</td><td style='padding=15px'>" + ds.Tables[0].Rows[0]["FirstName"] + " " + ds.Tables[0].Rows[0]["LastName"] + "</td></tr>"
                        + "<tr><td>Account Type:</td><td style='padding=15px'>" + ds.Tables[0].Rows[0]["AcountType"] + "</td></tr>"
                        + "<tr><td style='padding=15px'>Account Number:</td><td>" + ds.Tables[0].Rows[0]["AccNumber"] + "</td></tr>"
                        + "<tr><td style='padding=15px'>Currency:</td><td><b>$</b></td></tr>"
                        + "<tr><td style='padding=15px'>Available Balance:</td><td>" + ds.Tables[0].Rows[0]["AvailableBalance"] + "</td></tr></table></h4>";
                }
                else
                {
                    HTML = "<h3>Invalid Account Number !!</h3>";
                }
            }
            Accdetails.InnerHtml = HTML;
        }
    }
}
```
OK, so what the database returns here is the join result of these two tables, keyed only by the account number typed into the form.
Something like a GUID could be used instead, so the identifier cannot be easily predicted.
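As an added example (not the lab's own code), here is the same lookup restructured so the query is scoped to the authenticated user, alongside the GUID-style reference suggested above. The Account and AccountService types and the sample rows are assumptions for this demo.

```csharp
// Added example, not part of the lab: the lookup from BtnGetTransactions_Click
// rewritten so that ownership is checked server-side. Names and sample data are assumed.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class Account
{
    public string OwnerUid { get; init; }      // taken from the session, never from the request
    public string AccNumber { get; init; }     // the sequential number shown in the lab UI
    public Guid PublicRef { get; init; } = Guid.NewGuid(); // unguessable reference for URLs
    public decimal AvailableBalance { get; init; }
}

public static class AccountService
{
    // Constructed sample data standing in for the accounts / BankDetails join.
    static readonly List<Account> Accounts = new()
    {
        new Account { OwnerUid = "tester1", AccNumber = "1144229904", AvailableBalance = 1200m },
        new Account { OwnerUid = "tester2", AccNumber = "1144229905", AvailableBalance = 9800m },
    };

    // Vulnerable shape: filters on the user-supplied number only, like the lab page.
    public static Account FindByNumberOnly(string accNumber) =>
        Accounts.FirstOrDefault(a => a.AccNumber == accNumber);

    // Fixed shape: equivalent to "where AccNumber = @acc AND OwnerUid = @uid",
    // with @uid coming from the authenticated session.
    public static Account FindForUser(string sessionUid, string accNumber) =>
        Accounts.FirstOrDefault(a => a.AccNumber == accNumber && a.OwnerUid == sessionUid);

    // GUID references stop enumeration, but the ownership check stays:
    // an unguessable id is not an authorization check.
    public static Account FindForUserByRef(string sessionUid, Guid publicRef) =>
        Accounts.FirstOrDefault(a => a.PublicRef == publicRef && a.OwnerUid == sessionUid);

    public static void Main()
    {
        // tester1 is logged in and submits the neighbouring account number.
        Console.WriteLine("number-only lookup: " +
            (FindByNumberOnly("1144229905") is null ? "not found" : "other user's row returned"));
        Console.WriteLine("user-scoped lookup: " +
            (FindForUser("tester1", "1144229905") is null ? "not found" : "other user's row returned"));
        Console.WriteLine("own account: " +
            (FindForUser("tester1", "1144229904") is null ? "not found" : "returned"));
    }
}
```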
Ref:
https://spanning.com/blog/insecure-direct-object-reference-web-based-application-security-part-6/