Authorization 06

This exercise is one of our challenges on Authorisation issues.

PRO Tier | Medium | < 1 Hr. | 13538

In this lab, you will register an account and then use a mass-assignment vulnerability to join "Organisation #1." By understanding Ruby on Rails conventions and the relationship between the `User` and `Organisation` classes, you can manipulate the `organisation_id` field to change the organisation your account belongs to. Rails follows a convention-over-configuration approach, which makes class names and attribute names easy to guess, and that predictability is what a mass-assignment attack relies on.

You will begin by examining the URL structure and the way Rails automatically maps models to controllers. Then you will test for mass-assignment by intercepting a registration request and modifying its parameters. By adding an `organisation_id` field with the value 1, you will join "Organisation #1" and obtain the key for the exercise. This lab demonstrates why mass-assignment must be understood and properly restricted in web applications.
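To show the defect from the application's side, here is an added example in plain Ruby (no Rails, and not PentesterLab's or the lab's own code) that models what a registration action does with and without an attribute allowlist. The `User` class and `organisation_id` attribute follow the exercise text; the `DEFAULT_ORGANISATION_ID` value, the `email`/`password` fields, the `permit` helper and the unpermitted-parameter log line are assumptions standing in for Rails' strong parameters and its "Unpermitted parameters" warning.

```ruby
# Added example (not from the original page): a minimal model of
# mass-assignment in a Rails-style sign-up, vulnerable and hardened.

DEFAULT_ORGANISATION_ID = 2 # assumption: fresh sign-ups land in a default organisation

class User
  ATTRIBUTES = %i[email password organisation_id].freeze
  attr_accessor(*ATTRIBUTES)

  # Mirrors ActiveRecord attribute assignment: every key in the hash
  # that names a column is written, with no check on where it came from.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      name = key.to_sym
      raise ArgumentError, "unknown attribute #{name}" unless ATTRIBUTES.include?(name)
      public_send("#{name}=", value)
    end
    self
  end
end

# Vulnerable pattern: the whole request body reaches the model, so a
# client that adds organisation_id to the POST picks its own organisation.
def register_unsafe(params)
  user = User.new
  user.assign_attributes(params)
  user.organisation_id ||= DEFAULT_ORGANISATION_ID
  user
end

# Strong-parameters-style allowlist: only listed keys survive. Returns the
# filtered hash plus the keys that were dropped so the caller can log them.
def permit(params, allowed)
  allowed = allowed.map(&:to_s)
  kept = params.select { |k, _| allowed.include?(k.to_s) }
  dropped = params.keys.map(&:to_s) - allowed
  [kept, dropped]
end

# Hardened registration: the server assigns organisation_id itself and the
# client cannot override it. Dropped keys are recorded for monitoring, which
# is the signal a defender would alert on for this class of tampering.
def register_safe(params, log: [])
  kept, dropped = permit(params, %i[email password])
  log << "unpermitted parameters on sign-up: #{dropped.join(', ')}" unless dropped.empty?
  user = User.new
  user.assign_attributes(kept)
  user.organisation_id = DEFAULT_ORGANISATION_ID
  user
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body carrying a field the sign-up form never sends.
  body = { "email" => "alice@example.com", "password" => "hunter2", "organisation_id" => 1 }
  puts "unsafe: organisation_id=#{register_unsafe(body).organisation_id}"
  log = []
  puts "safe:   organisation_id=#{register_safe(body, log: log).organisation_id}"
  puts log
end
```

In a real Rails controller the equivalent of `permit` is `params.require(:user).permit(:email, :password)`, and the organisation should be set server-side exactly as `register_safe` does; the log line stands in for the `Unpermitted parameters` message Rails emits, which is worth forwarding to monitoring rather than leaving in development output.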
