LAB 102 - Identifying Broken Object-Level Authorization Vulnerabilities
Course Number: LAB 102
Course Duration: 5 minutes
Course CPE Credits:
Foreign Languages Available:
In this lab, while authenticated as an adversary, you will interrupt the purchase process to substitute the object ID of someone else’s credit card with that of your own. A proper authorization check, if implemented, should prevent you from completing the purchase, as you should not be allowed to use credit cards that are not associated with your account.
This lab presents a challenge in the LetSee cyber range that exploits a Broken Object-Level Authorization vulnerability by allowing an adversary to charge a purchase to someone else’s credit card. Adversaries can exploit failures in complex authorization mechanisms of API-based applications by manipulating parameters such as object IDs sent in requests.