
OWASP ModSecurity Securing WebGoat Section4 Sublesson 02.2

From OWASP
Revision as of 07:47, 21 October 2008 by Stephen Evans (talk | contribs)


2. Access Control Flaws -> 2.2 Bypass a Path Based Access Control Scheme

Lesson overview

The WebGoat lesson overview is included with the WebGoat lesson solution.

Lesson solution

Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy

This WebGoat lesson demonstrates a path-based access control bypass: the user picks a file from a dropdown list and submits the form, but the request is intercepted in a web proxy and the 'File' parameter is replaced with '../../../conf/tomcat-users.xml'. The server follows the traversal sequence and returns Tomcat's user database, revealing the configured user names and passwords.

The solution for this lesson is to prevent directory traversal in the submitted file name. The rule below blocks it at the web application firewall; the application itself should still canonicalise the requested path and verify that it stays inside the intended directory, since the WAF rule is a mitigation in front of the real fix.

Implementation

The lesson is mitigated by the following chained rule in the ruleset 'rulefile_02_access-control-flaws.conf'. The first rule fires only when a 'File' argument is present (count not equal to 0); the chained second rule then applies the urlDecodeUni transformation and matches '..' followed by a forward slash or backslash, so double-encoded and %u-encoded variants are caught as well. The disruptive actions on the first rule apply only when both rules match. Because 'File' arrives in a POST body, SecRequestBodyAccess must be On for ARGS to contain it:

  # Lesson 2.2; directory traversal in 'File' parameter of POST request.
  # First rule: fire only when a 'File' argument is present (count != 0).
  # Second (chained) rule: after urlDecodeUni, match '..' followed by '/' or '\' (\x5c).
  # The disruptive actions on the first rule apply when both rules match.
  SecRule &ARGS:File "!@eq 0" "chain,log,auditlog,deny,msg:'Path Traversal Attack', \
    tag:'PATH_TRAVERSAL',redirect:/_error_pages_/lesson02-2.html"
  SecRule ARGS:File "\.\.[/\x5c]" "t:urlDecodeUni"
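As an added illustration, not part of the original page or the project's ruleset, the following Python script emulates what the chained rule checks and places the server-side fix next to it. The urlDecodeUni emulation is an approximation written for this example (it follows the behaviour the ModSecurity reference manual describes, not the engine's code), and the base directory and the sample parameter values are constructed. The emulation takes the parameter value as ModSecurity's ARGS collection holds it, i.e. already URL-decoded once by the engine's parser, which is why a double-encoded payload still needs the transformation to be detected.

```python
import posixpath
import re

# The regex from the page's chained rule, as a Python pattern: ".." followed
# by a forward slash or a backslash (\x5c in the ModSecurity rule).
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# %uXXXX (IIS-style) or %XX percent-escapes.
_PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def url_decode_uni(value: str) -> str:
    """Approximation of ModSecurity's t:urlDecodeUni (assumption: written for
    this example, not the engine's own code). Decodes '+' to space, %XX and
    %uXXXX; full-width ASCII U+FF01..U+FF5E folds to its ASCII counterpart
    and any other %uXXXX keeps only its low byte, as the reference manual
    describes."""
    def repl(m):
        if m.group(1) is not None:
            code = int(m.group(1), 16)
            if 0xFF01 <= code <= 0xFF5E:
                code -= 0xFEE0
            else:
                code &= 0xFF
            return chr(code)
        return chr(int(m.group(2), 16))
    return _PCT_RE.sub(repl, value.replace("+", " "))


def rule_matches(args: dict) -> bool:
    """Emulates the chained rule. `args` stands for ModSecurity's ARGS
    collection, i.e. parameters the engine has already URL-decoded once.
    Fires only when a 'File' argument exists (&ARGS:File != 0) and its
    urlDecodeUni'd value contains '../' or '..\\'."""
    if "File" not in args:
        return False
    return TRAVERSAL_RE.search(url_decode_uni(args["File"])) is not None


# Constructed base directory for the server-side check below.
LESSON_DIR = "/var/lib/webgoat/lesson_plans"


def resolve_lesson_file(requested: str, base: str = LESSON_DIR):
    """Server-side fix that the WAF rule stands in front of: normalise the
    joined path and refuse anything that ends up outside `base`. Returns the
    safe absolute path, or None when the request escapes the directory.
    Lexical normpath keeps the example platform-independent; a real handler
    should use os.path.realpath so symlinks are resolved as well."""
    if "\x00" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(base, requested.replace("\\", "/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample parameter values: the lesson's payload, a
    # double-encoded and a %u-encoded variant, and a legitimate file name.
    samples = [
        "../../../conf/tomcat-users.xml",
        "%2e%2e%2fconf/tomcat-users.xml",
        "%u002e%u002e/conf/tomcat-users.xml",
        "BasicAuthentication.html",
    ]
    for value in samples:
        print(f"{value!r:42} waf_blocks={rule_matches({'File': value})!s:5} "
              f"resolved={resolve_lesson_file(value)}")
```

The two checks are deliberately independent: the WAF emulation looks for the traversal token the rule describes, while the application-side check does not care how the name was encoded and simply refuses any path that normalises outside the lesson directory. Running the script shows the lesson payload rejected by both, the encoded variants caught by the rule thanks to the decoding step, and the legitimate file name passing through untouched.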