
Broken Access Control (resolution)

Open RayTdC opened this issue 1 year ago • 0 comments

This solution refers to which of the apps?

A/M# - owasp-top10-2021-apps/a1/tictactoe

What did you do to mitigate the vulnerability?

The app had security flaws which allowed an attacker to see and manipulate other users' private statistics. To mitigate this vulnerability, "req.body.user" was replaced by "res.locals.user" within the token verification function, because before the correction the user was extracted using "req.body.user", which could be manipulated by the attacker as he had control over the body of the request. As for "res.locals.user", "res.locals" is an internal structure of the server that is more difficult to manipulate externally. This way, the attacker is no longer able to see and manipulate other users' data.

Did you test your changes? What commands did you run?

In the first image, the attack narrative comes to fruition, as it is possible to see and manipulate the data of "user2".

[screenshot: "antes" (before)]

In the second image, the attack narrative does not materialize, because when trying to see and manipulate user2's data, the attacker gets only his own statistics, which would be those of "user1".

[screenshot: "depois" (after)]

RayTdC, Feb 21 '24 19:02