Storing neural networks in a table-network DBMS HTMS has obvious advantages.

Firstly, the ability to store a large number of similar neural networks that differ in the parameters used in training – the number of epochs, the learning rate and the bias value and, accordingly, the weight coefficients, which allows you to choose the best one after a set of actions to check them.

Secondly, different neural networks can be stored in the same HTMS database, the choice of which is made depending on the rapidly changing environment when solving such problems. HTMS, due to its high performance, which, in turn, is a consequence of the tabular network data model, will provide fast loading into RAM of the currently needed neural network.

Thirdly, the use of an adequate DBMS can help for scientific and educational purposes.

Fourth, the features of the tabular network data model and its implementation in PTIO make it possible to efficiently store neural networks with tens of thousands of input and hidden nodes in the database and read them back. For example, the approximate size of a database for 1 SME with 1000 input nodes and 1000 hidden-layer nodes would be:

99% of what I do is exploiting avoidable mistakes. Today I will talk about IDOR, one of the most common and easiest-to-exploit web vulnerabilities. With it, you can see other people's photos on a social network or get a discount in an online store, and you can earn thousands of dollars in bug bounties.

Using practical examples, I will show how hackers find and exploit business logic errors in applications and give practical advice on how to fix them at the development stage.

IDOR: what it is and how it works

I'll start with the basics. A web application manipulates certain entities. On an online store's website, for example, these are products, users, baskets, promotional codes, and so on. Each instance of such an entity is treated as a separate object that is assigned its own identifier. ID 483202, pid 6260: every application is full of such values.

It is assumed that the user manipulates objects through the interface, within the application's logic, and that the application shows only the objects the user is allowed to interact with. However, an attentive user will notice the identifiers of these objects, for example in the address bar, and an attacker will certainly try to change them. In this way other objects can be reached directly, bypassing the application logic and its prohibitions.

This vulnerability is called IDOR (Insecure Direct Object Reference). It occurs when three conditions are met simultaneously:

the user can find a direct reference to an internal object or operation;

the user can change the parameters in this link;

the application grants access to an internal object or operation without checking the user’s rights.

Let's take the link to this article as an example: the identifier 686464 is included in it and can be replaced by another number. Two of the three conditions are met.

Going through the numbers, sooner or later you will hit a link to someone else's draft, for example this one. If such a link opens, congratulations, you have found an IDOR. On Habr this does not happen, since the third condition required for an IDOR is not met: Habr's authorization mechanism works correctly.

Changing a URL is a classic example of an IDOR, but vulnerable identifiers aren’t just found in the address bar. If we look at the bug reporting statistics on HackerOne, it turns out that IDORs are most often found in the REST API, GET parameters, and the body of POST requests.
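As an added illustration of the third condition (this code is not from the original post or from Habr), here is a minimal Python model of the draft lookup discussed above: a handler that trusts the client-supplied id, the same handler with a per-object ownership check, and a hypothetical DraftHandles helper that issues per-user indirect references. The DRAFTS store, its draft ids and the user ids are constructed sample data.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Draft:
    draft_id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    """The requester is authenticated but may not access this object."""


class NotFound(Exception):
    """No object exists for the supplied reference."""


# Constructed sample data: two users, three drafts with sequential ids,
# mirroring the numeric identifiers the text describes.
DRAFTS = {
    686464: Draft(686464, owner_id=1, body="published article by user 1"),
    686465: Draft(686465, owner_id=2, body="unpublished draft of user 2"),
    686466: Draft(686466, owner_id=1, body="unpublished draft of user 1"),
}


def get_draft_vulnerable(requester_id, draft_id):
    """IDOR: the object is looked up by the id the client sent and returned
    without asking whether requester_id may read it (third condition met)."""
    if draft_id not in DRAFTS:
        raise NotFound(draft_id)
    return DRAFTS[draft_id]


def get_draft_checked(requester_id, draft_id):
    """Hardened: the access decision is made per object, after the lookup,
    so a foreign object is refused instead of returned."""
    draft = DRAFTS.get(draft_id)
    if draft is None:
        raise NotFound(draft_id)
    if draft.owner_id != requester_id:
        # Answering 'not found' instead would avoid confirming that the id
        # exists; either way the object must not be returned.
        raise Forbidden(draft_id)
    return draft


class DraftHandles:
    """Indirect object references (hypothetical helper, not from the post):
    each user receives random handles that map back to internal ids on the
    server. A handle taken from another user's session resolves to nothing,
    so there is no internal identifier exposed to tamper with."""

    def __init__(self):
        self._by_user = {}  # user_id -> {handle: draft_id}

    def issue(self, user_id, draft_id):
        handle = secrets.token_urlsafe(16)
        self._by_user.setdefault(user_id, {})[handle] = draft_id
        return handle

    def resolve(self, user_id, handle):
        draft_id = self._by_user.get(user_id, {}).get(handle)
        if draft_id is None:
            raise NotFound(handle)
        # Ownership is still verified: indirection hides ids but is not a
        # substitute for the authorization check itself.
        return get_draft_checked(user_id, draft_id)


def is_denied(fn, requester_id, ref):
    """True if the lookup refuses the request (Forbidden or NotFound)."""
    try:
        fn(requester_id, ref)
        return False
    except (Forbidden, NotFound):
        return True
```

The important design point is where the check lives: in the hardened version it is made against the loaded object's owner, not against a list of ids the client was shown, because that list is exactly what the attacker steps outside of. Indirect references only reduce what is guessable; the ownership check is what closes the third condition.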

Risks and Consequences of IDOR

The danger of this type of vulnerability depends strongly on which data and which operations on them are available to the attacker. Conventionally, IDORs are divided into four types (in practice they often overlap):

1. Gaining unauthorized access to data

Sometimes direct object references give access to the contents of databases: individual fields or internal identifiers that help in preparing SQL injections.

I recently encountered a similar error on the portal of a new social network. When going to the GET /feed/gallery/uuid endpoint, the server returned users’ personal data: phone number and email address.

2. Performing unauthorized transactions

By changing your user ID or API keys, you can access paid application features and even run commands as an administrator.

In this example, the DELETE /accounts/{uuid} method is available without authorization, which allows an arbitrary user account to be deleted by specifying a valid UUID. As a rule, this identifier has high entropy and is not easy to brute-force, but combined with other vulnerabilities such an IDOR is very dangerous.

In this case, a number of endpoints on the resource under study that take a page_size parameter (responsible for paginating user pages) were accessible without authorization. A suitably modified request made it possible to dump user information in bulk, without authorization, including the UUIDs needed to exploit the IDOR.
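Added detection example, not from the original post: the brute-forcing and bulk dumping described above leave a characteristic trace in access logs, one client walking many distinct identifiers of one route in a short time. The Python below generalizes numeric and UUID identifiers across REST-style paths and query parameters, flags (client, route) pairs that touched many ids within a window, and reports how often the application refused, which tells a defender whether authorization held or whether those requests succeeded. The log lines are constructed; the window, the id threshold and the 401/403/404 "denied" set are assumptions to tune per application.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common-log-style line: client ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
NUM_RE = re.compile(r'^\d+$')
UUID_RE = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I
)
DENIED = {401, 403, 404}  # assumption: statuses that mean "refused"

# Constructed sample log: one client stepping through sequential post ids
# (mostly refused), one normal reader, one client deleting by UUID (allowed).
SAMPLE_LOG = """\
198.51.100.7 - alice [10/Oct/2023:13:55:01 +0000] "GET /post/686464 HTTP/1.1" 200 4120
198.51.100.7 - alice [10/Oct/2023:13:55:03 +0000] "GET /post/686465 HTTP/1.1" 404 210
198.51.100.7 - alice [10/Oct/2023:13:55:04 +0000] "GET /post/686466 HTTP/1.1" 404 210
198.51.100.7 - alice [10/Oct/2023:13:55:06 +0000] "GET /post/686467 HTTP/1.1" 404 210
198.51.100.7 - alice [10/Oct/2023:13:55:07 +0000] "GET /post/686468 HTTP/1.1" 404 210
198.51.100.7 - alice [10/Oct/2023:13:55:09 +0000] "GET /post/686469 HTTP/1.1" 404 210
198.51.100.7 - alice [10/Oct/2023:13:55:10 +0000] "GET /post/686470 HTTP/1.1" 404 210
192.0.2.10 - bob [10/Oct/2023:13:55:02 +0000] "GET /post/686464 HTTP/1.1" 200 4120
192.0.2.10 - bob [10/Oct/2023:13:56:40 +0000] "GET /post/686471 HTTP/1.1" 200 3980
203.0.113.5 - - [10/Oct/2023:14:02:00 +0000] "DELETE /accounts/1b4e28ba-2fa1-11d2-883f-0016d3cca427 HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:14:02:01 +0000] "DELETE /accounts/1b4e28ba-2fa1-11d2-883f-0016d3cca428 HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:14:02:02 +0000] "DELETE /accounts/1b4e28ba-2fa1-11d2-883f-0016d3cca429 HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:14:02:03 +0000] "DELETE /accounts/1b4e28ba-2fa1-11d2-883f-0016d3cca42a HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:14:02:04 +0000] "DELETE /accounts/1b4e28ba-2fa1-11d2-883f-0016d3cca42b HTTP/1.1" 200 0
"""


def route_template(path):
    """Generalize a request path so requests for different objects of one
    route group together: numeric and UUID path segments, and id-like query
    values, become '{id}'. Returns (template, ids in request order). Version
    segments such as /api/0/ are generalized too, which is harmless here."""
    ids = []

    def norm(token):
        if NUM_RE.match(token) or UUID_RE.match(token):
            ids.append(token)
            return '{id}'
        return token

    raw_path, _, query = path.partition('?')
    tmpl = '/'.join(norm(seg) for seg in raw_path.split('/'))
    if query:
        pairs = [kv.partition('=') for kv in query.split('&')]
        tmpl += '?' + '&'.join(k + '=' + norm(v) for k, _, v in pairs)
    return tmpl, ids


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tmpl, ids = route_template(m['path'])
    return {
        'client': m['client'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'route': m['method'] + ' ' + tmpl,
        'ids': tuple(ids),
        'status': int(m['status']),
    }


def find_enumeration(lines, window_s=60, min_ids=5):
    """Flag (client, route) pairs that touched at least min_ids distinct
    object ids within window_s seconds. Returns sorted tuples of
    (client, route, distinct_ids, denied_share, verdict)."""
    by_key = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev['ids']:
            by_key[(ev['client'], ev['route'])].append(ev)

    alerts = []
    for (client, route), evs in by_key.items():
        evs.sort(key=lambda e: e['ts'])
        best, j = None, 0
        for i in range(len(evs)):
            # Slide the window start forward until it spans <= window_s.
            while (evs[i]['ts'] - evs[j]['ts']).total_seconds() > window_s:
                j += 1
            window = evs[j:i + 1]
            distinct = len({e['ids'] for e in window})
            if distinct >= min_ids and (best is None or distinct > best[0]):
                denied = sum(e['status'] in DENIED for e in window) / len(window)
                best = (distinct, round(denied, 2))
        if best:
            verdict = ('probing, mostly denied' if best[1] >= 0.5
                       else 'succeeding, check authorization')
            alerts.append((client, route, best[0], best[1], verdict))
    return sorted(alerts)
```

The denied share is what makes the alert actionable: a high share means the application refused the guesses and the event is reconnaissance to watch; a low share on a route that takes object ids means requests for many different objects went through and the authorization on that route needs review, which is the situation the DELETE /accounts/{uuid} case above describes.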

3. Managing Application Objects

Some IDORs allow data to be edited within the application. Such a vulnerability could let an attacker modify session variables, for example to escalate privileges or gain access to restricted functionality.

This is a screenshot from a pentest of one of the delivery services. It turned out that an API intended only for company employees was reachable from the client application. The IDOR gave the client the full functionality of an employee, such as viewing the status of vehicles and creating new accounts.

4. Direct file access

This type of IDOR allows manipulation of file-system resources: uploading and editing files, or downloading paid content for free.

Such unauthorized access was once found on the website of an online school, where it gave access to curricula and lessons. To download the content, it was enough to follow the routes /api/0/curriculum/lessons/ and /api/0/files/<id>/content.
