Ajax Security: LAB: Client Side Filtering


Stage 1 

Goal: 

Exploit the extraneous information being returned by the server to discover information to which you should not have access. 

Method: 

1. Open Firefox Developer Tools (or an equivalent browser inspector) and look for the #hiddenEmployeeRecords element.

2. Enter 450000

Stage 2

Goal: 

Fix the issue so that the server returns only the results that Moe Stooge is allowed to see.

Method: 

1. Use your preferred tool to modify ClientSideFiltering.jsp; the source class information is listed below.

Lesson menu item: ClientSideFiltering

Lesson project: client-side-filtering

Lesson source class: org.owasp.webgoat.plugin.ClientSideFiltering.java

// Original expression: selects every field of every employee, so the whole
// data set is sent to the browser and filtering happens only on the client.
StringBuffer sb = new StringBuffer();

sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
sb.append("/Employees/Employee/LastName | ");
sb.append("/Employees/Employee/SSN | ");
sb.append("/Employees/Employee/Salary ");

String expression = sb.toString();

Adding a filter to the XPath expression prevents the server from sending all of the information to the client; only the records the requesting user is permitted to see are selected.

// Fixed expression: the predicate keeps only employees whose Manager equals
// the requesting userId, so the server itself enforces the restriction.
StringBuffer sb = new StringBuffer();

sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");

String expression = sb.toString();
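The following is an added example and not code from the WebGoat lesson: a small stand-alone Java program that builds both of the expressions above and evaluates them with the JDK's javax.xml.xpath API against a constructed Employees document. The sample XML, the class and method names, and the employee ids are all assumptions made for this example. Running it shows why Stage 1 is exploitable and how the Stage 2 predicate closes the gap: the unfiltered expression hands every employee's SSN and salary to the caller, while the filtered expression for manager 101 returns only the fields of that manager's direct reports.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ClientSideFilteringDemo {

    // Constructed sample data for this example; it is not the lesson's own employee file.
    // Employees 102 and 103 report to manager 101; employee 104 reports to manager 105.
    static final String EMPLOYEES_XML =
          "<Employees>"
        + "<Employee><UserID>101</UserID><FirstName>Moe</FirstName><LastName>Stooge</LastName>"
        + "<SSN>111-11-1111</SSN><Salary>100000</Salary><Managers/></Employee>"
        + "<Employee><UserID>102</UserID><FirstName>Larry</FirstName><LastName>Stooge</LastName>"
        + "<SSN>222-22-2222</SSN><Salary>55000</Salary><Managers><Manager>101</Manager></Managers></Employee>"
        + "<Employee><UserID>103</UserID><FirstName>Curly</FirstName><LastName>Stooge</LastName>"
        + "<SSN>333-33-3333</SSN><Salary>50000</Salary><Managers><Manager>101</Manager></Managers></Employee>"
        + "<Employee><UserID>104</UserID><FirstName>Shemp</FirstName><LastName>Stooge</LastName>"
        + "<SSN>444-44-4444</SSN><Salary>450000</Salary><Managers><Manager>105</Manager></Managers></Employee>"
        + "</Employees>";

    static final String[] FIELDS = {"UserID", "FirstName", "LastName", "SSN", "Salary"};

    // Stage 1 behaviour: every field of every employee is selected, so the whole
    // roster reaches the browser and is only hidden by client-side script.
    static String unfilteredExpression() {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < FIELDS.length; i++) {
            if (i > 0) sb.append(" | ");
            sb.append("/Employees/Employee/").append(FIELDS[i]);
        }
        return sb.toString();
    }

    // Stage 2 behaviour: the predicate restricts each path to employees whose
    // Managers/Manager element equals the requesting manager's id, so the server
    // never emits records the user is not allowed to see.
    static String filteredExpression(int managerId) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < FIELDS.length; i++) {
            if (i > 0) sb.append(" | ");
            sb.append("/Employees/Employee[Managers/Manager/text() = ")
              .append(managerId).append("]/").append(FIELDS[i]);
        }
        return sb.toString();
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Disallow DOCTYPE so a crafted XML file cannot pull in external entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Evaluate the expression and return "ElementName=value" for each selected node,
    // which is roughly what the servlet would serialise back to the browser.
    static List<String> evaluate(Document doc, String expression) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        NodeList nodes = (NodeList) xpath.evaluate(expression, doc, XPathConstants.NODESET);
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Node n = nodes.item(i);
            out.add(n.getNodeName() + "=" + n.getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(EMPLOYEES_XML);
        List<String> all = evaluate(doc, unfilteredExpression());
        List<String> mine = evaluate(doc, filteredExpression(101));
        System.out.println("unfiltered: " + all.size() + " values would be sent to the client");
        System.out.println("filtered for manager 101: " + mine.size() + " values");
        for (String s : mine) System.out.println("  " + s);
    }
}
```

Compile and run it with javac and java; with the constructed data the unfiltered expression selects all 20 field values (four employees, five fields each), including the 450000 salary that the Stage 1 exercise uncovers, while the filtered expression selects only the 10 values belonging to employees 102 and 103. One design point to keep in mind: like the lesson's fix, the id is concatenated into the expression, which is safe here only because managerId is an int produced by the server; in the servlet the value should come from the authenticated session rather than from a request parameter that the browser controls.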

