Insecure Direct Object Reference Bank Challenge(银行不安全的直接对象引用)

题介绍

这个题需要注册一个个人账户，并且把个人账户存款增加到大于5000000

功能实现

这个题有很多过程，注册、登录都没有发现安全问题

在查看个人存款功能时

POST /challenges/1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00cCurrentBalance HTTP/1.1


accountNumber=2

发现当前账户id是2，自然想到还有个账号id=1，发现id=1金额比较多

在看转账功能

POST /challenges/1f0935baec6ba69d79cfb2eba5fdfa6ac5d77fadee08585eb98b130ec524d00cTransfer HTTP/1.1


senderAccountNumber=2&recieverAccountNumber=1&transferAmount=500000

校验了转账的金额必须大于0 ，发送者余额必须大于转账金额

String senderAccountNumber = request.getParameter("senderAccountNumber");
log.debug("Sender Account Number - " + senderAccountNumber);
String recieverAccountNumber = request.getParameter("recieverAccountNumber");
log.debug("Reciever Account Number - " + recieverAccountNumber);
String transferAmountString = request.getParameter("transferAmount");
log.debug("Transfer Amount - " + transferAmountString);
float tranferAmount = Float.parseFloat(transferAmountString);

//Data Validation
//Positive Transfer Amount?
if(tranferAmount > 0)  //转账金额为正 
{
    //Sender Account Has necessary funds?
    float senderFunds = DirectObjectBankLogin.getAccountBalance(senderAccountNumber, applicationRoot);
    if((senderFunds-tranferAmount) > 0) //余额不能为负
    {
        //Check Receiver Account Exists
        try 
        {
            float recieverAccountBalanace = DirectObjectBankLogin.getAccountBalance(recieverAccountNumber, applicationRoot);
            if(recieverAccountBalanace >= 0)
                performTransfer = true;
        }
        catch(Exception e)
        {
            log.debug("Reciever Account does not exist. Cancelling");
            errorMessage = bundle.getString("transfer.error.recieverNotFound");
        }
    }
    else
        errorMessage = bundle.getString("transfer.error.notEnoughCash");
}
else
    errorMessage = bundle.getString("transfer.error.moreThanZero");

问题是没有校验转账发送者和接收者，导致任意添加转账的发送者和接收者

解题步骤

将接收者recieverAccountNumber 修改为自己id 即可

总结

不要信任客户端传递的数据