Privilege Escalation

[00:00:00]
>> Steve Kinney: I mean, listen, we came up with unique session IDs, we signed them. We're only gonna send them over HTTPS in production. We're done, right? We're good, right? Forgetting the fact that I have not encrypted the passwords in my database or anything like that, everything seems good. We're done, let's go home, right?

[00:00:22]
Cuz no one can get at that session now. For our next section, it's called session hijacking, right? Which I guess we technically did by manually guessing that there was someone called Admin. But just because you secured the cookie, there are all sorts of other fun ways that you can mess this up.

[00:00:44]
Usually, the name of the game in this case is something called privilege escalation, right? And escalation, yes, if you try to get yourself admin privileges, that'll do it. But honestly, it's doing anything that you're not supposed to do. This also means, we saw before switching to a different user, is technically a privileged escalation as well, right?

[00:01:07]
So the kind of high-level things is of how this works, typos aside, which is, they have some amount of access to the system. They didn't break in or something along those lines, and maybe in some of these examples they did. And then they look around for misconfigurations. If you ever go, a lot of companies have bug bounties, where it's, hey, if you hack these places that we definitely told you you're allowed to, right, and tell us before you make it public, we will give you money, right?

[00:01:43]
But a lot of times there is a certain amount of disclosure that happens afterwards. A lot of the attacks that you will see, if you read enough of these, there's a certain amount of investigation that happens. They don't just go, hey, I'm gonna do this thing, and it worked.

[00:01:57]
I mean, I'm sure that happens sometimes, but a lot of times there is a little bit of feeling around as well. You kinda look at what you get back from the API, you look for some telltale signs, right? And then you get a sense, there's some really sophisticated stuff around, instead of injecting JavaScript, you inject some CSS, right?

[00:02:19]
But that CSS might call a background image on a div that has the ID, administrator or something like that, then you can kinda get a shape of things weird. There's a lot of research that kinda goes into it as well. We're learning how to protect ourselves, not necessarily how to be either white hat or black hat hacker here.

[00:02:41]
But it is finding those weaknesses and exploiting them, and then trying to use that to kinda either become somebody else, right? And getting one of those signed HTTP only encrypted cookies into your grubby hands, or doing something with them. All right, and part of this is just, we can't guess the cookie anymore, but we can try to trick the server into giving it to us, right?

[00:03:08]
And so that either, we are gonna look at that. The other one that you will see that I would argue is not impossible, but increasingly harder, is what is called a man-in-the-middle attack, right? Man-in-the-middle attack is like, here is browser, here is server, they are sending messages, go grab the message in the middle.

[00:03:27]
Now, generally speaking with HTTPS, it is signed and you can grab a message in the middle that is encrypted, good luck. Right, you're probably not gonna be able to decrypt it, but maybe you can if they used a weak algorithm or something along those lines. But for the one that we kind of care about the most is this either idea of using session hijacking to achieve a privilege escalation in this case.