Recently, I set up a fictional Juice Shop to demonstrate an innovative isolation-based solution for protecting web applications from the most dangerous threats, as ranked in the OWASP Top 10. The Juice Shop app was created on the HyperQube test platform and is designed to be super vulnerable – with as many holes as Swiss cheese.
A short demo, the first of a series in which I attack my own Juice Shop in various ways, presents a scenario for “Broken Access Control” — #1 in OWASP’s 2021 list.
Without proper protection, a threat actor can carry out a directory traversal attack by modifying the URL to bypass security controls and reach files and directories exposed by the application’s backend. This method is one of the most common attacks enabled by broken access control. It is among the easiest ways to gain access to files on the server running an application; once in, the attacker can steal data, modify files, or find valuable information exposed on the application’s backend.
Ericom Web Application Isolation (WAI) is an innovative cloud-delivered security solution that isolates web/cloud applications and their APIs from cyber-threats – think of it as a “next-gen” WAF solution. WAI can be used to apply policy-based restrictions that control which links a user can reach, and what actions they can – and cannot – take. But don’t take our word for it. Check out my demo here: