How I hacked a site, and how to defend properly
I will proudly announce that I recently hacked a website and obtained some information that is very valuable to me yet that I am NOT supposed to be able to obtain. I won't say what, where or who, but I will tell you how. Oh, and I also want to add, in full honesty, that it was NOT ethically wrong, and it does not harm other people. It was something that will save me time, money and effort.
This might seem like a piece of cake to advanced web geeks like myself, but for rookie developers and business owners it should serve as a good lesson in implementing security. So here it goes…
There is page A, which has a dropdown form for retrieving certain records. Some records are obtainable with my login, some are not, so the dropdown is generated by a server-side script that only lists the records I am allowed to see. The form submits by POST to another script on the server, which processes the submitted value and displays the record on screen. Let's assume I have access to records A, B and C. The dropdown looks like this:
<option value="a">Option A</option>
<option value="b">Option B</option>
<option value="c">Option C</option>
Now, Firefox has a very useful extension, the Web Developer toolbar, that lets you change SELECT fields into regular text inputs so that you can submit whatever value you want. The records I need to retrieve are X, Y and Z. Using the menu option Forms - Convert Select Elements to Text Inputs, I turned the dropdown into a text field, typed X into it and clicked "Submit", and the server returned the records for option X. Same with Y and Z. The extension is only a convenience: anything the browser would send can also be sent by hand with any HTTP client, so the only thing stopping a user from asking for X was that the page did not offer it.
In a nutshell, here is a diagram of this page system.

So, it's like trying to keep someone out of a secure room by simply not handing him the key at reception. But the intruder has a way to make his own key (in this case, by overriding the form to enter any value he wants) and can walk into the secure zone.
What needs to be done is this: regardless of whether the visitor has a key or not, there should be a guard in the secure room checking whether the key matches the identity of the visitor, that is, whether the visitor is entitled to that key. If not, the intruder must be stopped. Here is a diagram for that scenario.

In this case, the security check is placed on the zone that actually needs securing, so data that is not supposed to be given to an unauthorized user is withheld no matter how the request was constructed. Hiding an option from the form is not access control; the script that returns the record must check, on every request, that the logged-in user is entitled to the record id it received. The lesson is this: always secure the actual result-bearing page, not just the page that holds the form or link towards it. And if you're too lazy to secure both ends, secure the result-bearing page, not the form/link page.
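The attack and the fix side by side, as an added example that is not the original site's code (the site was PHP; the pattern is the same in any language). The record table, the entitlement table and the user ids below are constructed for the illustration; the real schema is not known:

```python
"""Added example (not the original post's code): why the result-bearing
endpoint must authorize, not just the page that renders the dropdown.

The form only lists records the user may see, but the processing script
trusts whatever record id is POSTed. Converting the <select> to a text
input (or sending the POST with curl) lets a user ask for any id.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: record id -> contents (standing in for a MySQL table).
RECORDS = {
    "a": "Record A (shared)",
    "b": "Record B (shared)",
    "c": "Record C (shared)",
    "x": "Record X (restricted)",
    "y": "Record Y (restricted)",
    "z": "Record Z (restricted)",
}

# Constructed entitlement table: which user id may read which record ids.
# In the page's setup this is the same data the dropdown is built from.
ENTITLEMENTS = {
    42: {"a", "b", "c"},   # the author's account: sees A, B, C in the dropdown
    7:  {"x", "y", "z"},   # some other account
}


@dataclass
class Session:
    user_id: Optional[int]   # None = not logged in
    role: str = "user"


def allowed_records(session):
    """What the form page uses to build the <option> list."""
    if session.user_id is None:
        return set()
    if session.role == "admin":          # hypothetical clearance level that sees all
        return set(RECORDS)
    return ENTITLEMENTS.get(session.user_id, set())


def vulnerable_handler(session, post):
    """The processing script as described on the page: trusts the POSTed
    value because 'the dropdown could only contain allowed values'."""
    record_id = post.get("record", "")
    if record_id not in RECORDS:
        return 404, "no such record"
    return 200, RECORDS[record_id]


def hardened_handler(session, post):
    """Same script with the guard in the secure room: re-checks the caller's
    entitlement on every request, independent of what the form offered."""
    if session.user_id is None:
        return 401, "login required"
    record_id = post.get("record", "")
    # Deny before revealing existence: a user probing ids should not learn
    # which ones exist from a 404-vs-403 difference.
    if record_id not in allowed_records(session):
        return 403, "forbidden"
    if record_id not in RECORDS:
        return 404, "no such record"
    return 200, RECORDS[record_id]


def forged_post(record_id):
    """The POST body after converting the select to a text input (or via curl):
    any string can be sent, not just the rendered options."""
    return {"record": record_id}


if __name__ == "__main__":
    me = Session(user_id=42)
    print("dropdown shows:", sorted(allowed_records(me)))
    for handler in (vulnerable_handler, hardened_handler):
        print(handler.__name__, "record=x ->", handler(me, forged_post("x")))
```

The point of `hardened_handler` is that it never consults the form at all: the entitlement lookup is done again from the session, so it does not matter whether the id arrived from the dropdown, a text input or a hand-written request.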

Haha yeah, I made that mistake back in the day with a website I did with my buddy... nothing serious, but people were fucking around with it. Good pointer.
Yes, always guard the goods, not JUST the keys to the goods!
Also important would be to prevent cloaking of the user’s ID.
Funny you should mention it, I did find a way to disguise myself as another user, if I could simply get the first/last name and the username of ANY other user! Of course, I didn't even have to go that far because there were no further security measures to disable it anyhow.
But the best way for me to set that up would be using PHP Sessions. If you want to go further, you can set a Cookie value using an MD5 hash each time a user logs in, put that hash into your MySQL login table, and always compare values to verify the user. But PHP Sessions are secure enough.
I wonder if cookies can be faked? Cookies are, after all, stored on the client side.. some clever people may be able to implement their own cookies, extend it, or change the values of it if they wanted to… I wonder.
Wow Dave, that's an interesting question. I will look into that for sure; I'm curious as well.
Anything that comes from the browser should be treated as if it could be faked. Even if common browsers don’t have the ability to fake it, someone using CURL or some other software could find a way around it.
In the case of cookies, they are definitely editable. Firefox's developer toolbar has a feature that lets you add your own cookies and delete existing ones, so effectively you could use that to modify existing cookies.
HA yes, there is a function after all!!! "Add Cookies" to add your own... WOW.
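What the "store a hash at login and compare on every request" idea from the thread looks like when the cookie can be edited at will, as an added example that is none of the commenters' code. It swaps in a random token (instead of an MD5 hash) stored only as a SHA-256 digest, with a constant-time compare; the login table layout, cookie names and user rows are constructed for the illustration:

```python
"""Added example (not from the original thread): a server-side session store
where the cookie holds only an opaque random token. A cookie edited with the
browser's "Add Cookies" feature, or sent by curl, fails validation unless the
token matches the stored digest for that user id.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the MySQL login table: user id -> row.
LOGIN_TABLE = {
    42: {"username": "jeff", "type": "user", "token_hash": None},
    7:  {"username": "dave", "type": "admin", "token_hash": None},
}


def _hash_token(token: str) -> str:
    """Store only a digest, so a leaked table does not yield usable cookies."""
    return hashlib.sha256(token.encode()).hexdigest()


def login(user_id: int) -> dict:
    """On successful login: mint a random token, store its digest, and return
    the cookie values to set. Only the raw token ever leaves the server."""
    token = secrets.token_urlsafe(32)
    LOGIN_TABLE[user_id]["token_hash"] = _hash_token(token)
    return {"uid": str(user_id), "tok": token}


def session_from_cookies(cookies: dict) -> Optional[dict]:
    """Rebuild the session from the request cookies. Anything the browser sends
    may have been edited, so nothing is trusted until the token matches."""
    try:
        user_id = int(cookies.get("uid", ""))
    except ValueError:
        return None
    row = LOGIN_TABLE.get(user_id)
    if row is None or row["token_hash"] is None:
        return None
    presented = _hash_token(cookies.get("tok", ""))
    # Constant-time comparison: a plain == would leak how many leading
    # characters of the digest matched.
    if not hmac.compare_digest(presented, row["token_hash"]):
        return None
    return {"userid": user_id, "type": row["type"], "name": row["username"]}


def logout(user_id: int) -> None:
    """Invalidate the stored digest; the old cookie is useless afterwards."""
    LOGIN_TABLE[user_id]["token_hash"] = None


if __name__ == "__main__":
    good = login(42)
    print("genuine cookie:", session_from_cookies(good))
    # Cookie edited in the browser: uid changed to another user's id, token kept.
    print("uid edited:   ", session_from_cookies(dict(good, uid="7")))
    print("token guessed:", session_from_cookies({"uid": "42", "tok": "x" * 43}))
```

Editing `uid` alone does nothing, because the token is bound to the row it was minted for; editing `tok` means guessing 256 bits. What the cookie cannot protect against is a token stolen in transit or via script access, which is why the real cookie should also carry the Secure and HttpOnly flags.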
Haha jeff, I hope you're not getting into trouble for this...!! Just kidding, I'm sure it wasn't criminal or anything... I hope.
Well, if it was illegal and something he could get arrested/convicted for, he wouldn't be bragging about it on the internet....
Haha yes, NOTHING illegal! I wouldn’t put this up here, you’re right. It wasn’t a big deal. And if it was a major security issue, they would have built the site better than that!
One would hope… I remember a similar problem happened to Microsoft before the launch of live.com email - a “javascript:” pseudo-url was passed around the internet which added an option to the drop down box and allowed people to sign up for @live.com names before it was officially allowed.
Yeah faking javascript is part of the Firefox extension as well.
Of course, so far I’ve used it to test my javascript applications to trouble shoot and debug but…
This particular hack was cross-browser, it took advantage of the fact that if you for example copy-and-paste the following: "javascript:alert('hi');" into your address bar in any browser, it will execute the actual javascript in the context of the current page. Add in some DOM modification and you can create a way to do hacks like this out-of-the box with any browser.
By the way, have you tried the FireBug plug-in? It works well in conjunction with the developer toolbar, but it has more advanced debugging features.
Yes, I do have that one, I've fooled around with it a few times. These plug-ins are great... One of the top reasons why I prefer Firefox over IE, obviously... especially from a developer's perspective.
Jeff Kee paid me $10 to leave this comment.
PS I hacked your site ^_^
Ya ya ya matt… SURE YOU DID. Please don’t try though.
Do PHP Sessions work as a good security measure? I usually do something like this …
… MySQL queries…
$user = mysql_fetch_array($result);
$session['type'] = $user['type']; // user's level of authority
$session['userid'] = $user['id']; // user's unique ID in the table, for pointing
$session['name'] = $user['first_name'] . " " . $user['last_name']; // save the name for any kind of display etc.
And then each authorization page that requires users to be logged on, and at a certain security clearance, it displays the page or hides it depending on the results..
if($session['type']
well that comment got cut off but the rest of it is here.
if($session['type']
OK, apparently there is a protection scheme against posting too much PHP code, but anyhow.
I use the If statements to check the auth level and go from there.
Yes, that’s the method I use.. sometimes with more measures if necessary, such as cookies, matching MD5 hash etc.