Authorization 06

This exercise is one of our challenges on Authorisation issues.

PRO Tier · Medium · < 1 Hr. · 13855

In this lab, you will register an account and then use a mass-assignment vulnerability to join "Organisation #1." By understanding Ruby-on-Rails conventions and the relationship between User and Organisation classes, you can manipulate the organisation_id field to change your assigned organization. Rails uses a convention-over-configuration approach, making it easier to guess class names and attribute names, which can be exploited.

You will begin by examining the URL structure and Rails' automatic mapping of models to controllers. Then, you will test for mass-assignment by intercepting a registration request and modifying its parameters. By adding an organisation_id field with the value of 1, you will successfully join "Organisation #1" and obtain the key for the exercise. This lab demonstrates the importance of understanding and preventing mass-assignment vulnerabilities in web applications.
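The registration flow described above, with its strong-parameters fix beside it, as an added stand-alone Ruby sketch (not PentesterLab's code or the lab's actual application). The User class, the register_* functions, the permit helper and DEFAULT_ORGANISATION_ID are assumptions that stand in for ActiveRecord's assign_attributes and ActionController::Parameters#permit so the script runs without Rails.

```ruby
# Added example: minimal stand-in for the Rails pieces involved in mass assignment.
# Names follow the page: User belongs_to Organisation via organisation_id.
class User
  attr_accessor :username, :email, :organisation_id

  # Mirrors ActiveRecord#assign_attributes: every key in the hash becomes a
  # "#{key}=" call. This is the mechanism a mass-assignment bug relies on.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      raise ArgumentError, "unknown attribute #{key}" unless respond_to?("#{key}=")
      public_send("#{key}=", value)
    end
    self
  end
end

# Hypothetical default: self-registered users land in an "unassigned" organisation.
DEFAULT_ORGANISATION_ID = 0

# Vulnerable: the whole request body reaches the model, so a client-supplied
# organisation_id silently overrides the value the server intended.
def register_vulnerable(params)
  user = User.new
  user.organisation_id = DEFAULT_ORGANISATION_ID
  user.assign_attributes(params)
end

# Stand-in for ActionController::Parameters#permit: keeps only whitelisted keys
# and reports the rest. Real Rails logs or raises on these when
# config.action_controller.action_on_unpermitted_parameters is :log or :raise,
# which is the signal to watch for in application logs.
def permit(params, allowed)
  unpermitted = params.keys - allowed
  warn "Unpermitted parameters: #{unpermitted.join(', ')}" unless unpermitted.empty?
  params.select { |key, _| allowed.include?(key) }
end

# Hardened: strong parameters drop organisation_id, and the association is set
# server-side from trusted state, never from the registration form.
def register_hardened(params)
  user = User.new
  user.assign_attributes(permit(params, [:username, :email]))
  user.organisation_id = DEFAULT_ORGANISATION_ID
  user
end

# Constructed request body: a normal registration with an extra organisation_id field.
TAMPERED_PARAMS = { username: "alice", email: "alice@example.test", organisation_id: 1 }.freeze

if __FILE__ == $PROGRAM_NAME
  puts register_vulnerable(TAMPERED_PARAMS).organisation_id # 1: the client picked the org
  puts register_hardened(TAMPERED_PARAMS).organisation_id   # 0: the server kept control
end
```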
