
I have a Java web application using Struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application I have 2 users called 'Admin' and 'user'. First our pentester logged in to my application as 'Admin' and used the 'Burp tool' to intercept the request, copy the whole request content into Notepad and then forward the request. Now my application is logged in as 'Admin'. They used another browser instance to log in as 'user' and used the Burp tool to intercept the request. This time they removed the whole request content, copied back the whole request content of 'Admin' and then forwarded the request. Now my application is logged in as 'Admin' without asking for any user id/password. How do I restrict this situation? I already store the userid in my session variable after the successful login of each user. The moment they intercept the request and copy the 'Admin' request content, my session variable userid also changes to 'admin'. How do I validate this situation? Your help is really appreciated.

nassim
JGN

1 Answer


That is not really that much of an issue, since the first part ("copy the whole request content") is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised, in which case there is nothing you can do about it anyway, because they can just sniff the keystrokes and get the plain password.

If on the other hand you communicate without the S, namely just HTTP, then the solution is: get a certificate and switch to HTTPS.

Apart from that, your application can pin a session to an IP, which means that if the session id / cookie is stolen and someone else uses it, you can detect an IP mismatch and ask for credentials again.

To prevent direct replay attacks like copying the request and sending it again, you can introduce a hash that incorporates the timestamp, or alternative measures; see "How do I prevent replay attacks?". The problem, however, is that copying the entire request means copying the cookies as well, and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now-admin user.

luk2302
  • I am already using HTTPS, but my pentester would like to fix this issue as it leads to broken access control. Please advise. – JGN May 13 '19 at 00:02
  • Note that this does not at all imply broken access control. If the pentesters claim that to be the case then they do not really have any idea what they are talking about. They should be a lot clearer in what in fact the risk is and what you should do about it. The access control works as intended, since a normal user cannot just elevate their privileges based on a bug in your authorization code or something like that. Replaying a request operates on a different level than "breaking access control". – luk2302 Mar 30 '21 at 15:42
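One way to implement the session pinning the answer describes, as an added example that is not code from the question, the answer, or Struts itself: a javax.servlet filter for the Struts 1.x application that binds a logged-in session to the client seen at login and forces re-authentication when a copied cookie arrives from a different client. The `/login.do` path and the `bound.*` attribute names are hypothetical; `userid` is the session variable named in the question.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Pins a logged-in session to the client address and User-Agent seen at login;
// a request with the same session id from a different client is treated as a
// copied cookie, so the session is invalidated and the user must log in again.
// Attribute names and LOGIN_PATH are hypothetical; "userid" is from the question.
public class SessionBindingFilter implements Filter {
    static final String ATTR_ADDR = "bound.remoteAddr";
    static final String ATTR_UA = "bound.userAgent";
    static final String LOGIN_PATH = "/login.do"; // hypothetical login action

    // Call once, right after credentials are verified. Issuing a fresh session
    // id here also defeats session fixation.
    public static HttpSession bindAfterLogin(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute("userid", userId);
        fresh.setAttribute(ATTR_ADDR, req.getRemoteAddr());
        fresh.setAttribute(ATTR_UA, req.getHeader("User-Agent"));
        return fresh;
    }

    // True only when the request comes from the client recorded at login.
    static boolean matchesBinding(HttpSession s, HttpServletRequest req) {
        Object addr = s.getAttribute(ATTR_ADDR);
        Object ua = s.getAttribute(ATTR_UA);
        if (addr == null) return false; // logged in without going through bindAfterLogin
        String reqUa = req.getHeader("User-Agent");
        return addr.equals(req.getRemoteAddr())
                && (ua == null ? reqUa == null : ua.equals(reqUa));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession s = req.getSession(false);
        if (s != null && s.getAttribute("userid") != null && !matchesBinding(s, req)) {
            s.invalidate(); // same session id, different client: drop it and re-authenticate
            ((HttpServletResponse) response).sendRedirect(req.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Register it in web.xml as a filter mapped to `/*` and call `bindAfterLogin` from the login action instead of setting `userid` directly. Behind a reverse proxy `getRemoteAddr()` returns the proxy's address, so address pinning only helps if you take the client address from a forwarded header set by a proxy you trust, and clients that change networks (mobile users, large NATs) will be logged out by this check.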