Authorization 06
This exercise is one of our challenges on authorisation issues.

In this lab, you will register an account and then use a mass-assignment vulnerability to join "Organisation #1". By understanding Ruby on Rails conventions and the relationship between the User and Organisation classes, you can set the organisation_id field yourself and change the organisation your account belongs to. Rails follows a convention-over-configuration approach: a users table is backed by a User model, and a User that belongs to an Organisation carries a foreign key named organisation_id. Because these names are easy to guess, and because a model that assigns every submitted parameter accepts attributes the sign-up form never offered, an attacker can supply that field directly.

You will begin by examining the URL structure and the way Rails maps models to controllers and routes. Then you will test for mass assignment by intercepting the registration request and modifying its parameters. By adding an organisation_id field with the value 1, you will join "Organisation #1" and obtain the key for the exercise. This lab demonstrates why the set of attributes a request may assign must be restricted explicitly (in Rails, with strong parameters) rather than left to the model.
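The following example, added here and not part of the exercise or its application code, reproduces the two sides of the bug outside of Rails so it can be run stand-alone. A tampered registration body carries the extra user[organisation_id]=1 parameter; a stand-in User model assigns every submitted attribute the way assign_attributes does, and a hardened variant whitelists the sign-up fields the way params.require(:user).permit(...) would. The attribute names, the body format and the assumption that a fresh sign-up is placed in organisation 2 by default are all assumptions made for the illustration.

```ruby
require "uri"

# Parse a Rails-style form body such as
#   user[username]=alice&user[organisation_id]=1
# into { "user" => { "username" => "alice", "organisation_id" => "1" } }.
# One level of nesting is enough for a registration form.
def parse_form_body(body)
  params = {}
  URI.decode_www_form(body).each do |key, value|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Stand-in for the User model (assumed shape, not the lab's code).
# A new sign-up is assumed to land in a freshly created organisation, id 2.
class User
  attr_accessor :username, :password
  attr_reader :organisation_id

  def initialize
    @organisation_id = 2
  end

  # Mimic ActiveRecord's integer cast for the foreign key.
  def organisation_id=(value)
    @organisation_id = Integer(value)
  end

  # Mass assignment: every key becomes a setter call, which is what
  # ActiveRecord's assign_attributes does with an unfiltered hash.
  def assign_attributes(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

# Vulnerable registration: whatever the client sent under user[...] is assigned,
# so user[organisation_id]=1 moves the account into Organisation #1.
def register_vulnerable(body)
  User.new.assign_attributes(parse_form_body(body).fetch("user"))
end

# Hardened registration: only the whitelisted sign-up fields reach the model,
# the strong-parameters idiom params.require(:user).permit(:username, :password).
PERMITTED = %w[username password].freeze

def register_hardened(body)
  user_params = parse_form_body(body).fetch("user")
  User.new.assign_attributes(user_params.slice(*PERMITTED))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: the intercepted sign-up with one field added.
  tampered = "user[username]=attacker&user[password]=s3cret&user[organisation_id]=1"
  puts "vulnerable: organisation_id=#{register_vulnerable(tampered).organisation_id}"
  puts "hardened:   organisation_id=#{register_hardened(tampered).organisation_id}"
end
```

In a real Rails application the hardened path is the controller's strong-parameters call; depending on config.action_controller.action_on_unpermitted_parameters the extra key is silently dropped, logged, or raises, and any of those keeps the attacker out of Organisation #1.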