[Owasp-testing] Content for v4?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Tue Apr 12 08:52:46 EDT 2011


Good morning everyone, I was browsing through v3 this morning and it occurred to me that an issue I've discovered in a number of apps recently isn't really covered by any part of v3 (please correct me if I've somehow simply missed the section).

The issue would fall under Authorization, maybe privilege escalation testing. I usually put it under a heading such as "Enforcement of User Privileges by Elements within the User's Control" when I prepare reports. Basically it boils down to developers hiding things from users or simply marking visible controls/elements as disabled and not performing any check server side for exercise of functionality.

In one example I had a ReadOnly account to an administrative interface where I could "setup" users. Since my account was ReadOnly the "Submit" or "Save" button on the user creation page was set as "Disabled". Using Firebug (or similar means) I simply removed the "Disabled" element on the button and was able to create new users since there was no check performed server side. The HTML in question was something like:

<input id="btnSave" type="submit" disabled="disabled" value="Save" name="btnSave">

I've also encountered similar situations where the following HTML was in play:

<div style="display:none;">

I'd be glad to write up some content for this when production of TG v4 content starts.

Rick

--------------------------------
Rick Mitchell 
Security Analyst, Security Testing and Incident Response Team
Bell Business Markets
Phone: 613-785-4019
Email: rick.mitchell at bell.ca
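The pattern Rick describes, as an added example that is not part of the original post or of the Testing Guide: the markup disables the Save button (and hides a Delete control with display:none) for a ReadOnly account, but only the server-side handler can actually enforce that. The Session, UserStore and form objects below are constructed stand-ins for what a web framework would supply, and the role names and PERMISSIONS table are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for a session, a request form and a user store; a real
# application would get these from its web framework and database.
@dataclass
class Session:
    username: str
    role: str  # assumed roles: "ReadOnly" or "Admin"

@dataclass
class UserStore:
    users: dict = field(default_factory=dict)

class Forbidden(Exception):
    """Raised when the server-side policy denies the action."""

# One central policy table (assumed): which roles may perform which action.
PERMISSIONS = {
    "create_user": {"Admin"},
    "delete_user": {"Admin"},
    "view_user": {"Admin", "ReadOnly"},
}

def is_authorized(session: Session, action: str) -> bool:
    return session.role in PERMISSIONS.get(action, set())

def render_user_form(session: Session) -> str:
    """Client side: disable Save and hide Delete for users who lack the right.
    This is a UI courtesy only. The markup is under the user's control, so the
    attribute or the hiding style can be removed in the browser."""
    disabled = "" if is_authorized(session, "create_user") else ' disabled="disabled"'
    save = f'<input id="btnSave" type="submit"{disabled} value="Save" name="btnSave">'
    delete = '<div id="deleteUser">[delete control]</div>'
    if not is_authorized(session, "delete_user"):
        delete = '<div style="display:none;">' + delete + "</div>"
    return save + "\n" + delete

def save_user_vulnerable(session: Session, form: dict, store: UserStore) -> str:
    """The flaw: the handler assumes the disabled button kept unauthorized
    users away from this endpoint, so it performs no check of its own."""
    store.users[form["username"]] = {"created_by": session.username}
    return "created"

def save_user_fixed(session: Session, form: dict, store: UserStore) -> str:
    """The fix: authorization is enforced on every request from the role the
    server holds for the session, never from anything the client submitted."""
    if not is_authorized(session, "create_user"):
        raise Forbidden(f"{session.username} ({session.role}) may not create users")
    store.users[form["username"]] = {"created_by": session.username}
    return "created"

def demo() -> dict:
    """Replay the scenario from the post: a ReadOnly user submits the form
    anyway. Note that a disabled control is not part of a form submission at
    all, so the server sees the same request either way."""
    readonly = Session("rick", "ReadOnly")
    form = {"username": "newadmin", "btnSave": "Save"}
    results = {}
    store = UserStore()
    results["vulnerable"] = save_user_vulnerable(readonly, form, store)
    results["vulnerable_store_size"] = len(store.users)
    store = UserStore()
    try:
        save_user_fixed(readonly, form, store)
        results["fixed"] = "created"
    except Forbidden:
        results["fixed"] = "forbidden"
    results["fixed_store_size"] = len(store.users)
    results["admin"] = save_user_fixed(Session("alice", "Admin"), form, store)
    return results

if __name__ == "__main__":
    print(render_user_form(Session("rick", "ReadOnly")))
    print(demo())
```

When testing for this class of issue, the useful check is to replay the request an authorized user would send (or re-enable the control in the browser) from the lower-privileged session and confirm the server answers with a denial rather than performing the action; the central policy lookup above is what makes that denial consistent across every endpoint, not just the one whose button happened to be disabled.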
  


