So far, nothing stands out as a glaring security hazard. Inspecting the page source, however, we notice that the navigation bar contains a tab that is hidden:
The hidden Admin tab is only shown to users the client believes to have admin privileges. The Angular router configuration, which is shipped to the browser (appRoutes.js), tells us which controller is associated with each view:
In our case, the MainController is responsible for the home page. Inspecting the MainController, we find the following line of code, which sets the isAdmin flag on the client side. Since this code runs in the user's browser, any user can change the value of that flag (for example from the browser's developer tools):
After changing the flag and refreshing the page, the hidden Administration tab appears:
And with very little effort, we are able to access sensitive data.
Clearly, this is very insecure and could lead to critical data leaks. The client-side flag only decides what the browser displays; it does not protect the data behind the view. The proper way to protect the data is to enforce authorization on the server, much like the checks Universal Studios has in place for its lines. The client side is the security guard at the front of the line. While he or she does a decent job of sending the typical visitor into the right line, it is very easy to create a diversion and sneak into the express line. Without the guard in the middle of the line checking a token to confirm that only privileged visitors are in that line, anyone can walk straight onto the ride without a question being asked.
To prevent this in web applications, the server (the back end of the line) needs its own way of verifying that the person sending a request for sensitive information is actually permitted to receive it. This check must be performed on the server, using state the server controls, and must not rely on anything the client claims about itself.
With this in mind, I'd like to pose a challenge to all the developers reading this. I have provided a link to the GitHub repo for the sample vulnerable application used in this post. How would you go about fixing it to make sure that sensitive data can't be leaked? I will be discussing best practices in future posts and highlighting insightful and creative reader solutions.
All the best!