This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.2

From OWASP
Revision as of 03:51, 20 October 2008 by Stephen Evans (talk | contribs) (added content)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

2. Access Control Flaws -> 2.2 Bypass a Path Based Access Control Scheme

Lesson overview

Refer to the zip file with the WebGoat lesson overviews. See Appendix A for more information.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

This WebGoat lesson demonstrates access control bypass: a file from a dropdown list is chosen and sent, but intercepted in the web proxy and substituted with '../../../conf/tomcat-users.xml', which reveals tomcat users and passwords.

The solution to this WebGoat lesson is to prevent directory traversal.

Implementation

The lesson is mitigated in the ruleset 'rulefile_02_access-control-flaws.conf': 

  # Lesson 2.2; directory traversal in 'File' parameter of POST request
  SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack',tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
  SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_02.2&oldid=43858"