This code results in a message box containing hello, world. However, for further exploitation, the attacker could post a script that writes an invisible element, such as a 1x1 transparent GIF, fetched from a remote server and passes CGI parameters containing cookie/session information. (The remote server would ignore the parameters, but they would be recorded in its log file.) Scripting can be included in a page in numerous places; an exhaustive list is not appropriate in this document. |
Bug Output | In the first case, a message box is displayed when a user views the page. In the extended case, the user sees nothing out of the ordinary, but information, such as session information, is leaked to a malicious user. |
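The standard defences for the stored-script case above, written here as an added example rather than Flowershop code: every user-supplied string is HTML-encoded at output time, and the session cookie is flagged HttpOnly so page script cannot read it. Function names are my own.

```php
<?php
// Added example, not Flowershop code: user-supplied text is encoded at output
// time, and the session cookie is flagged HttpOnly so an injected script
// cannot read it and ship it off to a remote server.
declare(strict_types=1);

// Encode everything that came from a user before it goes into HTML, so
// "<script>" is shown as text rather than executed by the browser.
function renderUserText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HttpOnly keeps the cookie out of document.cookie; Secure keeps it off plain
// HTTP; SameSite stops other sites sending it along with cross-site requests.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample: a posted message body that carries script.
$posted = '<script>alert("hello, world")</script> lovely roses';
echo '<p>', renderUserText($posted), '</p>', PHP_EOL;
```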
URL | selectflowers.php |
Bug Type | Validation Tampering |
Description | To ensure that users choose appropriate input for the quantity of flowers to purchase, the Input field on this page calls a JavaScript function to validate input whenever the focus on the field is lost. Removing this client-side validation allows an attacker to enter any value into the field, and the server does not recheck it when the form is posted. |
Repro Steps | Save the page to the local machine and edit the source. To remove the validation, either delete the body of the checkqty function or the onBlur action of the Quantity field. Finally, change the form's action to an absolute URL. Save the page and reload it into the browser. You can enter any input into the field (even SQL injection is possible), but the easiest way to exploit this vulnerability is to select some flowers and enter a negative number as the quantity. Submitting the page and navigating to one that shows the cart's value (either the Flowers/Arrangements Selection page or the Checkout page) demonstrates the total as a negative amount (the cost of items multiplied by the user's input). |
Bug Output | A negative value appears in the cart's total, but there is also the potential for an SQL injection attack on the INSERT statement executed on the server with the data provided from this input. (It's much harder than the negative quantity exploit.) |
URL | selectarrangements.php |
Bug Type | Validation Tampering |
Description | To ensure that users choose appropriate input for the quantity of arrangements to purchase, the user interface provides a drop-down menu allowing the user only to select quantities from 1 to 10. However, an attacker can modify the page and insert his own values that are not validated on the server. |
Repro Steps | Save the page to the local machine and edit the source. For one of the Select fields, modify an existing option or add a new one. Finally, change the form's action to an absolute URL. Save the page and reload it into the browser. Via this new option, you can now post any input (an SQL injection exploit is even possible), but the easiest way to exploit this vulnerability is to use a negative number as the quantity. Submitting the page and navigating to one that shows the cart's value (either the Flowers/Arrangements Selection page or the Checkout page) demonstrates the total as a negative amount (the cost of items multiplied by the user's input). |
Bug Output | A negative value appears in the cart's total as in the preceding example, but there is also the potential for an SQL injection attack on the INSERT statement executed on the server with the data provided from this input. (That's much harder than the negative quantity exploit, though.) |
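The server-side fix for both the selectflowers.php and selectarrangements.php cases, as an added example that is not the Flowershop app's own code: the posted quantity is re-validated on the server as an integer in range, and the unit price is taken from the catalogue, never from the form. The 1..10 range, the catalogue shape and the function names are assumptions.

```php
<?php
// Added example, not Flowershop code: the quantity posted from
// selectflowers.php or selectarrangements.php is validated again on the
// server, so deleting the onBlur check or editing the <select> options
// changes nothing. The 1..10 range is assumed from the drop-down.
declare(strict_types=1);

const MIN_QTY = 1;
const MAX_QTY = 10;

// Returns the quantity as an int, or null when the posted value is not an
// integer in range: "-4", "0", "11", "3.7", "" and "3 or 1=1" all fail.
function parseQuantity(string $raw): ?int
{
    $qty = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => MIN_QTY, 'max_range' => MAX_QTY]]);
    return $qty === false ? null : $qty;
}

// Unit prices come from the catalogue (hypothetical table), never the form,
// so the line total can only be price * (1..10).
function addToCart(array &$cart, int $itemId, string $rawQty, array $catalogue): void
{
    if (!isset($catalogue[$itemId])) {
        throw new InvalidArgumentException("unknown item $itemId");
    }
    $qty = parseQuantity($rawQty);
    if ($qty === null) {
        throw new InvalidArgumentException("invalid quantity '$rawQty' for item $itemId");
    }
    $cart[$itemId] = ['qty' => $qty, 'line_total' => $qty * $catalogue[$itemId]];
}

// Constructed catalogue and a mix of honest and tampered quantities.
$catalogue = [1 => 12.50, 2 => 30.00];
$cart = [];
addToCart($cart, 1, '3', $catalogue);
foreach (['-4', '0', '11', '3 or 1=1'] as $tampered) {
    try {
        addToCart($cart, 2, $tampered, $catalogue);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
echo 'cart total: ', array_sum(array_column($cart, 'line_total')), PHP_EOL;
```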
URL | showdetails.php (called from selectflowers.php and selectarrangements.php) |
Bug Type | SQL Injection |
Description | By modifying either the type or id CGI parameter, the attacker can change the SQL query. |
Repro Steps | Rather than modifying how the calling page (selectflowers.php or selectarrangements.php) sends data to the pop-up window, go to the Show Details page directly by entering it into the main browser window with some relevant parameters (for example, showdetails.php?type=flowers&id=1). Append the string <sp>or 1=1 --<sp> (where <sp> denotes a space) to the end of the URL, and all the flowers' details will be displayed on the page. However, this information isn't very useful, so we modify the query to select information out of a database table that we shouldn't be able to access by appending the following to the original page request: <sp>or 1=2 union select password from users --<sp> |
Bug Output | The output from the SQL query is either a list of flower/arrangement descriptions or other information from the database. |
URL | search.php |
Bug Type | Hidden Field Manipulation/Directory Traversal |
Description | To help the search component format the page so that it looks like part of the site, two hidden fields specify the header and footer to apply to the results. You can modify these fields to point to other files on the file system and include them in the output. |
Repro Steps | Save the page to the local machine and edit the source to set the field(s) h and f to point to alternative files on the server. Save the page, reload it into the browser, and perform a search. The files will be included in the output. |
Bug Output | On most occasions, the files that h and f point to will be shown in the browser window. However, sometimes the browser can't understand the output and will display nothing, even though the output is still available by viewing the source of the page. |
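One way to close the h/f hidden-field hole in search.php, as an added example and not the app's own code: the posted value is only ever a key into a fixed map of template names, and the resolved path is additionally checked to lie inside the template directory. The template directory, file names and function names are assumptions.

```php
<?php
// Added example, not Flowershop code: the hidden h and f fields of search.php
// are treated as keys into a fixed table of templates, so a posted value can
// select a header or footer but never name a file. Paths are assumptions.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// The only header/footer files the page will ever include.
const TEMPLATES = [
    'header' => ['default' => 'header.html', 'plain' => 'header-plain.html'],
    'footer' => ['default' => 'footer.html', 'plain' => 'footer-plain.html'],
];

// Map a posted key to a whitelisted file name; unknown keys get the default.
function templateFile(string $kind, ?string $key): string
{
    if (!isset(TEMPLATES[$kind])) {
        throw new InvalidArgumentException("unknown template kind $kind");
    }
    return TEMPLATES[$kind][$key ?? ''] ?? TEMPLATES[$kind]['default'];
}

// Resolve the whitelisted name to an absolute path and, as defence in depth,
// refuse anything that does not resolve to a file inside TEMPLATE_DIR.
function templatePath(string $kind, ?string $key): string
{
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . templateFile($kind, $key));
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("template $kind/$key is not available");
    }
    return $path;
}

function renderSearchPage(array $post, string $results): string
{
    $header = file_get_contents(templatePath('header', $post['h'] ?? null));
    $footer = file_get_contents(templatePath('footer', $post['f'] ?? null));
    return $header . $results . $footer;
}

// Constructed tampered post: h carries a path instead of a key, so the
// default header is used; f selects a legitimate alternative.
$post = ['h' => '../not-a-template', 'f' => 'plain'];
echo templateFile('header', $post['h']), PHP_EOL;
echo templateFile('footer', $post['f']), PHP_EOL;
```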
URL | saveuser.php (called from register.php) |
Bug Type | Buffer Overflow |
Description | When a user forces more than 50 characters into the Card Number field on the Register.php page and submits it to the server, the user is redirected to a Buffer Overflow page. We use a descriptive page rather than an overflow because it is difficult to achieve a real overflow in PHP, and an actual overflow would most likely stop the server and interrupt other users' testing. |
Repro Steps | Save the page, remove the maxlength attribute from the cardnumber field, reload and post the data, or use a direct post request as in the direct request vulnerability. |
Bug Output | The user should be redirected to the Buffer Overflow page. |
URL | checksession.php/login.php |
Bug Type | SQL Injection |
Description | An attacker can utilize SQL injection in the Login field to allow him to log in as the first user in the database. |
Repro Steps | Insert the string ' or 1=1 --<sp> into the Login field. (Leave the Password field blank.) |
Bug Output | The login/password will be accepted, and the attacker will be logged in as the first registered user. |
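The fix for both SQL injection cases on this page (the type/id parameters of showdetails.php above and the Login field of checksession.php), as an added example rather than Flowershop code: values are bound as query parameters, the table name comes from a whitelist, and the password never enters the query at all. Table and column names, the SQLite test store and the function names are assumptions.

```php
<?php
// Added example, not Flowershop code: the type and id parameters of
// showdetails.php and the Login field of checksession.php are bound as query
// parameters, so "' or 1=1 --" is compared as a literal string rather than
// parsed as SQL. Table and column names are assumptions.
declare(strict_types=1);

// A table name cannot be a bound parameter, so the user's type value only
// selects from this fixed map and is never spliced into the query itself.
const ITEM_TABLES = ['flowers' => 'flowers', 'arrangements' => 'arrangements'];

function showDetails(PDO $db, string $type, string $id): ?array
{
    $table = ITEM_TABLES[$type] ?? null;
    $idInt = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($table === null || $idInt === false) {
        return null;   // "1 or 1=1 --" is not an integer, so it never reaches SQL
    }
    $stmt = $db->prepare("SELECT name, description FROM $table WHERE id = :id");
    $stmt->execute([':id' => $idInt]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user id on success, null otherwise. The password never enters
// the query: the stored hash is fetched by login name and checked in PHP.
function authenticate(PDO $db, string $login, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown logins so response time
    // does not reveal whether the login name exists.
    $hash = $row === false ? password_hash('no-such-user', PASSWORD_DEFAULT) : $row['password_hash'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (login, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
var_dump(authenticate($db, "' or 1=1 -- ", ''));   // the injection string is only ever a login name
var_dump(authenticate($db, 'alice', 'correct horse'));
```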
URL | account.php (calls userdetails.php) |
Bug Type | Session Hijacking |
Description | The sequence numbers generated for a user's cart and a token generated to "remember" them whenever they return to the site are easily guessable. Although the cart number is a temporary cookie that is stored in memory and deleted when the browser is closed, the session cookie that is used to remember users is stored in the local file system and can easily be changed. |
Repro Steps | Use the Flowershop application and register a user to create the required cookie. On the local file system, open the cookie file (usually in c:/documents and settings/%userprofile%/cookies/%userprofile%@hackerland). The second line in the file is the session value of the user. Changing this value allows a user to revisit the site and masquerade as a different user. |
Bug Output | If a valid session is chosen, the user will be able to use the site as another user (purchases, details, and so on). If the session is invalid, the application will ask the user to log in. |
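How a non-guessable "remember me" token is issued and checked, as an added example and not the Flowershop app's code: the value comes from the CSPRNG rather than a sequence number, only its hash is stored server-side, and the lookup compares in constant time. The remember_tokens table, lifetime and function names are assumptions.

```php
<?php
// Added example, not Flowershop code: the "remember me" cookie is 32 bytes
// from the CSPRNG instead of a guessable sequence number, only its hash is
// stored, and lookup compares in constant time. The table is an assumption.
declare(strict_types=1);

const TOKEN_BYTES = 32;           // 256 bits of entropy
const TOKEN_TTL   = 30 * 86400;   // assumed lifetime in seconds

// Issue a token for $userId; the cookie carrying it should also be HttpOnly.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $stmt = $db->prepare('INSERT INTO remember_tokens (user_id, token_hash, expires)
                          VALUES (:uid, :hash, :exp)');
    $stmt->execute([
        ':uid'  => $userId,
        ':hash' => hash('sha256', $token),   // a leaked table yields no usable tokens
        ':exp'  => time() + TOKEN_TTL,
    ]);
    return $token;
}

// Map a presented cookie value back to a user id, or null when it is
// malformed, unknown, or expired.
function userFromRememberToken(PDO $db, string $cookie): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;
    }
    $hash = hash('sha256', $cookie);
    $stmt = $db->prepare('SELECT user_id, token_hash, expires FROM remember_tokens
                          WHERE token_hash = :hash');
    $stmt->execute([':hash' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()
        || !hash_equals($row['token_hash'], $hash)) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed in-memory store; a token with one hex digit altered stands in for an edited cookie file.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (user_id INTEGER, token_hash TEXT, expires INTEGER)');
$token  = issueRememberToken($db, 7);
$edited = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
var_dump(userFromRememberToken($db, $token));
var_dump(userFromRememberToken($db, $edited));
```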
URL | delivery.php |
Bug Type | Forceful Browsing |
Description | After the user has selected the flowers and arrangements that he would like and navigated to the Checkout page (registering himself or logging in as an existing user), he can jump directly to the Delivery.php page and bypass the payment mechanism. |
Repro Steps | Select some flowers or arrangements and proceed to the Checkout page (logging in as an existing user if necessary, or registering first). The user can then jump directly to the Delivery page without providing payment information and with no error being raised. |
Bug Output | A payment received message appears and the flowers/arrangements purchased are printed. |
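Server-side workflow enforcement against this forceful-browsing case, as an added example that is not Flowershop code: each checkout page asserts that the preceding steps were completed in this session before it renders, so delivery.php turns away a request that skipped payment. Step names and function names are assumptions.

```php
<?php
// Added example, not Flowershop code: every checkout page checks on the server
// that the preceding steps were completed, so a direct request for
// delivery.php with no recorded payment is turned away. Step names are
// assumptions; a real page would keep the state in $_SESSION.
declare(strict_types=1);

// Checkout steps in the order the workflow requires.
const STEPS = ['cart', 'checkout', 'payment', 'delivery'];

// Throw unless every step before $step has already been completed.
function requireStep(array $session, string $step): void
{
    $wanted = array_search($step, STEPS, true);
    if ($wanted === false) {
        throw new InvalidArgumentException("unknown step $step");
    }
    $done = array_search($session['checkout_step'] ?? '', STEPS, true);
    $doneIdx = $done === false ? -1 : $done;
    if ($doneIdx < $wanted - 1) {
        $missing = STEPS[$doneIdx + 1];
        throw new RuntimeException("step '$missing' not completed, redirect to $missing.php");
    }
}

// Record $step as completed; only the handler for that step calls this.
function completeStep(array &$session, string $step): void
{
    requireStep($session, $step);
    $session['checkout_step'] = $step;
}

// What delivery.php would do before printing "payment received".
function deliveryPage(array $session): string
{
    requireStep($session, 'delivery');
    return 'Payment received; your flowers are on their way.';
}

// Constructed session that reached Checkout but skipped straight to Delivery.
$session = [];
completeStep($session, 'cart');
completeStep($session, 'checkout');
try {
    echo deliveryPage($session), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
completeStep($session, 'payment');   // set by the payment handler on success only
echo deliveryPage($session), PHP_EOL;
```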