LogSnare: testing IDOR, broken access controls, and logging in Go

LogSnare

LogSnare is an intentionally vulnerable web application, where your goal is to go from a basic gopher user of the LogSnare company to the prestigious acme-admin of Acme Corporation.

The application, while hosting multiple vulnerabilities, serves as a valuable educational tool. However, the real lesson to be learned here is how to prevent and catch these attacks by leveraging proper validation and logging.

After logging in to the demo application, in the top navbar you’ll see a validation toggle that allows you to toggle security controls in real-time.

Most people don’t realize, IDOR vulnerabilities are some of the best opportunities for logging. This is because in most cases, a user will never “accidentally” trigger an IDOR. IDOR vulnerabilities are typically achieved when a user asks for resources outside their allowed interface.

Attackers abuse web applications by asking web servers to return resources the user may not have access to, and this application hopes to serve as educational resources on how to fix, prevent, and log these types of security events.

Here are some example log outputs from the application when validation is enabled.

{"message":"user is trying to access a company ID that is not theirs","program":"log-snare","version":0.1,"username":"gopher","eventType":"security","securityType":"tamper-certain","eventCategory":"validation","clientIp":"172.17.0.1"}
{"message":"user is trying to enable admin, but they are a basic user","program":"log-snare","version":0.1,"username":"gopher","eventType":"security","securityType":"tamper-certain","eventCategory":"validation","clientIp":"172.17.0.1"}

docker exec -it <container_id> /bin/bash
tail -f logsnare.log

Install

Copyright (c) 2024 Erkin Djindjiev