Lesson Plan Title: Client Side Filtering

Concept / Topic To Teach:
It is always good practice to send the client only the information it is supposed to have access to. In this lesson, too much information is sent to the client, creating a serious access control problem.

General Goal(s):
For this exercise, your mission is to exploit the extraneous information returned by the server to discover information you should not have access to.

Solution:

This lab consists of two stages. In the first stage you have to obtain sensitive information. In the second you have to fix the problem.

Stage 1

Use Firebug to solve this stage. If you are using IE, you can try it with IEWatch.

First, select any person from the list and see what you get. Then search for a specific person in Firebug. Make sure you find the hidden table containing the information, including the salary and so on. In the same table you will find Neville.
[Figure: Client-side filtering, inspecting the HTML in Firebug]

Now type the salary into the text box and submit your answer!

Stage 2

In this stage you have to modify clientSideFiltering.jsp, which you will find under WebContent in the lessons/Ajax folder. The problem is that the server sends all the information to the client. As you saw, even when the data is hidden in the page it is easy to find. In this stage you will add a filter to the XPath queries. In this file you will find the following construct:

StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
sb.append("/Employees/Employee/LastName | ");
sb.append("/Employees/Employee/SSN | ");
sb.append("/Employees/Employee/Salary ");
String expression = sb.toString();

This string is used for the XPath query. You have to guarantee that a manager can only see the employees who work for him. To achieve this you can use predicates (filters) in XPath. The following code does exactly that:

StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");
String expression = sb.toString();

Now only the information you are authorized to see is sent to the client. You can click the button. Note that userId is concatenated directly into the expression, so it must come from a trusted server-side value (such as the authenticated session's user id), never from anything the client supplies; otherwise the predicate itself could be altered.
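To see the difference between the two expressions end to end, here is an added, stand-alone Java example (not WebGoat's own code) that evaluates both against a small constructed Employees document using the JDK's built-in XPath engine. The document layout, the employee records and the numeric check on userId are assumptions made for this example; the two expression builders are the ones shown above.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ClientSideFilteringDemo {

    // Constructed sample data in the shape the lesson's XPath expects
    // (Employees/Employee with UserID, FirstName, LastName, SSN, Salary, Managers/Manager).
    // Manager 102 supervises 101 and 103; manager 104 supervises 102. SSNs are fake.
    static final String EMPLOYEES_XML =
        "<Employees>"
      + "<Employee><UserID>101</UserID><FirstName>Larry</FirstName><LastName>Stooge</LastName>"
      + "<SSN>000-00-0101</SSN><Salary>55000</Salary><Managers><Manager>102</Manager></Managers></Employee>"
      + "<Employee><UserID>102</UserID><FirstName>Moe</FirstName><LastName>Stooge</LastName>"
      + "<SSN>000-00-0102</SSN><Salary>80000</Salary><Managers><Manager>104</Manager></Managers></Employee>"
      + "<Employee><UserID>103</UserID><FirstName>Curly</FirstName><LastName>Stooge</LastName>"
      + "<SSN>000-00-0103</SSN><Salary>50000</Salary><Managers><Manager>102</Manager></Managers></Employee>"
      + "<Employee><UserID>104</UserID><FirstName>Tom</FirstName><LastName>Cat</LastName>"
      + "<SSN>000-00-0104</SSN><Salary>120000</Salary><Managers></Managers></Employee>"
      + "</Employees>";

    // The original, unfiltered expression from the lesson: every employee's fields.
    static String unfilteredExpression() {
        StringBuffer sb = new StringBuffer();
        sb.append("/Employees/Employee/UserID | ");
        sb.append("/Employees/Employee/FirstName | ");
        sb.append("/Employees/Employee/LastName | ");
        sb.append("/Employees/Employee/SSN | ");
        sb.append("/Employees/Employee/Salary ");
        return sb.toString();
    }

    // The fixed expression: each step is restricted to employees whose Managers/Manager
    // text equals the caller's id. The numeric check is an addition for this example:
    // userId is pasted into the query, so it must be a trusted integer, not raw client input.
    static String filteredExpression(String userId) {
        if (!userId.matches("\\d+")) {
            throw new IllegalArgumentException("userId must be a plain integer");
        }
        StringBuffer sb = new StringBuffer();
        sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");
        sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");
        sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");
        sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");
        sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");
        return sb.toString();
    }

    // Runs an expression against the sample document and returns the text of every
    // selected node in document order (UserID, FirstName, LastName, SSN, Salary per employee).
    static List<String> evaluate(String expression) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Not part of the lesson: refuse DTDs so the parser cannot be fed external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(EMPLOYEES_XML)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        NodeList nodes = (NodeList) xpath.evaluate(expression, doc, XPathConstants.NODESET);
        List<String> values = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            values.add(nodes.item(i).getTextContent());
        }
        return values;
    }

    public static void main(String[] args) throws Exception {
        // Before the fix: 4 employees x 5 fields = 20 values reach the client,
        // and the page merely hides the rows it is not supposed to show.
        List<String> all = evaluate(unfilteredExpression());
        System.out.println("Unfiltered (" + all.size() + " values): " + all);

        // After the fix: manager 102 receives only Larry (101) and Curly (103), 10 values.
        List<String> mine = evaluate(filteredExpression("102"));
        System.out.println("Filtered for manager 102 (" + mine.size() + " values): " + mine);
    }
}
```

Compile and run it with `javac ClientSideFilteringDemo.java && java ClientSideFilteringDemo`; no libraries beyond the JDK are needed. The unfiltered run returns every employee's SSN and salary, which is exactly what Stage 1 recovers from the hidden table, while the filtered run returns only the two employees managed by user 102.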