Application Development - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Application Development


Hacker Log: Pathway to Successful Site Attack



 By: Jeremy Poteet
2002-12-02
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Application Development story.


  Table of Contents:
  1. Hacker Log: Pathway to Successful Site Attack
  2. ' Page Two'

Rate This Article:
Poor Best
Hacker Log: Pathway to Successful Site Attack
( Page 1 of 2 )

A few fairly simple practices would have prevented my successful attack on eWeek's OpenHack site.A few fairly simple practices would have prevented my successful attack on eWEEKs OpenHack site. The bottom line is that application security can be attained, but it must be consistently applied and methodically checked to be effective.

Rather than focusing on one of the five OpenHack challenges presented by eWEEK, I decided to try to find any security problems I could.

My attempt to hack the site began by making a quick pass through the Microsoft Corp. and Oracle Corp. versions of the OpenHack application, both to get an idea of their scope and an overview of their architecture.

The first decision I made was to determine which application would be more vulnerable.

Resource Library:

While registering for an account, I noticed some inconsistencies in the Oracle version, where nonrequired items such as "title" generated unexpected error messages. This is not a security hole per se, but it did indicate a lack of consistency, which I felt was the most likely avenue of vulnerability in an application with the security attention that this one had received.

After using the Oracle OpenHack application for a few minutes, it appeared that the application used a common routine for conducting field input validation. I began looking for fields that stood out as being different, in the hope that one or more of these fields might have been overlooked or that the standard checks might prove ineffective.

The OpenHack application is small, and the list of interesting fields was quite short. These included a few hidden form fields, some ID numbers passed as query parameters, a URL field and a set of radio buttons.

The first field I began evaluating was a hidden form field for user identification that appeared when editing an account.

The application contained a label that stated: "(User ID cannot be changed once an account is created)." I changed the hidden form field to be a new user ID and hit the submit button.

The application processed my request and changed my user ID to the new ID. I logged out and tried logging in with my old ID. That ID was no longer known to the application. I logged in with the new ID and my original password. I was then logged in as that new user. I repeated the process and changed my log-in ID back to the original state. While not one of the program challenges, I reported this to eWEEK as a bug in the intended use of the program.

I then began thinking about the fact that the developer had not checked whether the ID had changed. I believe this was due to the fact that the same screen is used to both add and edit existing users.

Although it can be done securely, using the same screen to conduct two tasks does place a higher level of responsibility on the developer to ensure that the logic is appropriate in both cases. It seemed as if the developer had not fully expected the field to be changed in the case of the edit scenario.





  Reader Comments: Hacker Log: Pathway to Successful Site Attack
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Application Development Articles          >>> More By Jeremy Poteet
 


x}r6*(gL=RJv,ki;SDHbL\%?[%3nBKLfIlKh4F{{~$riOH1%3t;D{{}.ЇP|oS/92t D',{/BrM7JQ߸+ZVH+(.գQ[zOa`%pfQUrnOgsKߺnZ:9?nΐ}1fP+M~(#3hؕΚgxg^uܜ<_sܴ/O7=rֽ&OVY3 a ɗVkupsO{uH0|kh2`=r8LwjT ?vOZd[W/'$'MDO0o-Yn]H.)MT|Y|ěy#0ri4(.ߦAf@w - :svf5HZZR G/<@'D97fMs,eg{0AM)61tk 3!RBʼۤ%/^(P%!P샖_.[ jFTwIQQ#w{̈_"ʥcc^IcnFsY Y|48߇כUsNVVt];7eяzZTpx=i׭Sһ^[0*>c]g%",QqsuTSt*Zl:??J jGExQѯ+&rO f[Ԗ-Pò˔A ><f NQ'}5>m;4}t>჎$ticŦh4@MMrӇ!L w|hx: C 00gw9&ztH۠h&r<5$'ʦMf@B9{ǻޚ~(w z7t( u,/{@`\@Z8`$8ʼ }¢8sB>ȁ{0g`sDowiC1QB\jC8dN˵K }*P cRRP$C_]HPw9J B!\0HV0(VFZzGBjK%6Os@PG҅3qjP*τbZ z)0ٜʬ$5MGѺń(VFNl(0Vf)7l{`(`\Pe?jISJEװ DؙZU{gm1JhQ˸>q,?XĞ-\FCZ\Saוּ.JM!bd>n'L[!BD+ه0`M EDN6R^-!z0iTҗKJAUc/`k@Lf2,rƎe9لAٌ 4]}ZjtL{ \ipf^DZiIf~~~0*Ly.J?}굍VN0\?@R)Ö13ghim&{ǙXT'/ł\PZr>r+b"[8:T:$fC 0`q0$0oҶ@%УpӞrFVyUB濚?O=~T+BZ=N QQT*8Y+0yϹoSO@H.Ax /OqQo>+vo?SMwK\ >#]\aQaSƖ]4FXXoH]M;H̎OƚR*%)ϐPc0uKTNjZ0=: ͼz4_?!'j瞏+ӥ ,ć# 4k 0Y[ ⺪TjՂʾ_YiW{%|h#Q `! Kx{ZCA;eSt}tq@l#RaCݜ5m"uy@VIJXhQwl\ڡQm(}nq&-nov=OojA-rF7=_`%to@șY!7G:eۤs:n&2006m48nTMFz֏5CKwD!mC@ }^9`R4c-ɅHgZM⪱=C٠<mFpv~[; ºUXȬe`|]L($T0r$ ǀzB:q]]4?GG:KEP ` bT1 _RJMQ6=#ijIəπ/QIQ):*9Q{_Zakѷo9Aߐ>O1Ok7tExW(hLVfsF;t/0?xԾhz?"i^;7*o <"HtSOkԛC25 &r֚SE[@qLӖ'>fax!w-08D@ISL&M([I;`dea#ݒ:p<5GK:)!OOp|Nh'I^VR6T$4%!44QLNbC]A+Cg һj^nOpVHp._xvI~%h dgKU 3 KqkP I"+ `-;|C?SJ[L>XkI-jշɫ؉\lj9l0 Zta^CrWkb~]ȩZU$}ݝf0iۣriɸ@7Yud3D?ye1}doxzoo=إ&~=*~OO4]f+wB%-JK{%nYhr;DҒ%E,qQ#{ GXHڃ}co D:*p&޸c \zQc%F}?^SϗIOg 4˼gF.o].}N;.Q҂.?B*֠"]o"ax"5ފH8"7 gH{;hyP0PW8$̌9^`.s~9o"}ό gҡm[jLqyo>N@9\≮ة+-bqGd,23GPs$y4mtH#}4o,<$Jh/K/+ e&ļT>^ M[rc|2ab7Lސ%;3 F* end^r,v8'] $fG'1~y/n!ϳ)Lܹj ՄHLX@-8 rF6|p4ub"qP< ގb;ˌr7-{:*bb (T];& b%9,xDdId+A$e%ƐވArK)qmZ,jq^:ptjxW]MENC(˯<{Obi^S1209zؠnQ/ yמ 9 !qVJV2kxeDܼA""~$]ZlhI'Њb'nA/n+RIn$vwRE<ƏXf#ԛLjW !n朕Mx5e\SK!zҧƁU DIjjM)Bc@,*9|YYNRЗ2.8wJ45%S4d؝_Ya]|~ K*ɳx=0>n`FW0{!%N0nRȋk4 O7-ўFPd f }-.{IrتǍmjCnCW"a<0[gLl9tED łZR34/LG\|49`v}"؜a_KL5^̖\Zy).kG*`[ 6p1xo}&t,ñpn.'o1Lt9Xk8X~=jt[bʧ\%9S0tt Yg5N1!DN uH"yC_: "n@^z}:$E_*@DRt}Fa={jЯ^O},ezتڗvwO2nT٣g#Uf_?fhwLCpzQgRK"Qjā#wHI8o|2!G*tydP=Xàl=PȪB7{7đ|b'Ko=I}6|_Bܷ()妾46|iZSXhD?2s/N\})cmMmqp>'>69 dk\7VW980e9҃V»wrl4ş-#{ r,㢲\O5p_uyB5/>A'5Os9›DL1I,B( C-𛷿c*d;1AL%Ij~ж}A˽=V4 T mY[`}XE0m-mYޣ3玮{U±ZZ$2Ԝw>#ozp[y{¡Hj|!!3ZJD:`@i.⌉fnmO-%sfI4p7DΞXWȓwaKǠK|އO 8WF? _z⥽^Vxq47'[3ɗy\ 'ɫCtXx!ZpP]}zUcyct\\5%E#a;~=⭱{#L4я" {vho3UӆgZP``%/ Z ,4$qHaN&W=kqԧ a* 'y{DdbZ{4\S\0k[o01 7v.F[zL\fMQXcJ:*9s/STC䉯=Z" ~i V x#@{5E:= f|'!FZYZsʉmOvxiTEW#B7X)zW$e _Mt,am=)ȁ.G*Dz'^tSF `7%0-'I]I a!/(!/Dn~aI{5]&sϘ$y9quMMm&^ʷ ka)bl\M!'p.d5ˋAE! :r,H ru'⺭8Κm#xZlSKMµ3Aʥ 8Iuף:̹O$ND0ۆU 2; JI-Gn贇3ܹGVRѪErYjٖsyr >=sP=Ӓ"^GlۏTҊj9Y 44Ra)zd1m;%1Jt`\lGN$(bX ~-=V9}0m˖C0UzpW}CKk)qII $Nd0޻K{IV^@96YlnGt1e+vl"]%MwKTw|{HI -gwqʋ{^n9R==Z<-XNYql[.04%n'S肜nMPxDsq߶~mX W"гr-d+nO5q5YSg :{ᛂrPZ-e5Fw_ 6a^zGZq!IG_>xAfaX4"&s'?k\vD _K_!0 V8 sF@Yj$GP56:inZl.Z~뺇V Y>3G}m" ;fo/^7~ANxl0Wl  [z.p5:0[T>^!& }C-l \Zs4cϷzeO)Lrn_fÐs{VVEDͤ"c*41GJ[#}~1&giBE< ,i O 5" 蛃n#B s<3DD^ôG͈֜ )9X :s@>uWLQXj*{3wأ4ϓ/ >0/cD@Q:CWU T,G,(?B5DSJn67Xp_ZŹ3g4:`F" N-x})lH < 23LkR>ɖàzEQp#ߛSg0Y"*[7gΥi@EZ||L ]ǒ 4B1hVؘe ?2~X׻Ss,0(-ŌCZQJФ*t!dW`cU-%N+_7)^; Ͳgb8~E VH+^@03:%H? &O=lFLnr5WWY4uEz{'~{I[vq\>5ڧ_;?ϴ/3vzƇ^Fg(_dٮdv2t2Ӂw2dg(2ϡj9.~QJxdR$W0'f[ 3$}oAD1KAA0_ Gz‰nQ$/e&o~08i04Aۓ{ݯ].6ppSh7=pK|􋧎` nsOkr>urxvY^][;X;Yo[췡^2<) O݁σfţu>Tl<-!5DQ3[ ňC?s Hz7(,+O7 lc}pWu}ټ\5߷C{>'K_u}ςoDB$p G;R+,^ ,>O1DZ= jhN_i{N|7q 1Y&ƎIΝrQӊj~JR}'\#aFAd`ATMVYI0ZYrF(RB4|;یW)57tCs1qN@U}C 1,ybh 6X2CXSXnY{qer&zu h$.7=k"6DwΖb;j9.KPRJVm.Q ?n`n6{to4Zdt;BI<ŗ-<>,R52G$Yh,XoͨT*L[K |IKڼAM"Kd7-YݨoˊLsӃm{f*i/ɻ?Bo X)Ns'|omW|B,[kl`Iv0~N]V0N@9DePޙix9ǓiUhHl;:d2֭kc'p' !MX03 <ձ wO`7G}L\}d{Goڇr.H|n4~Uf2{M{:d M(IS`"r:Y W96-  `zmeFiV9DR*,&f , ~sf_N[QK.9Buz Ϸ;<v7sCk_2ҵe>vį-ǬyvJ^S O3й?-{ׄ/e;;]>,{QAbf]s:#vAѺ V7"aa^n1n,ـ9@s;=*.uf94l#* XGڢFMQaW:~i`PG1Ǹ 0tcf7^?Wg[8KY'}d.GDI qk,Ma4,Lb5"[]QI(Vxph;?2>A wVǰ.X2!&ۅ7O80Ux|-h\};}r,s0#ŸEr b4GjVƋkd'KWܱ v&12%o,gkV"F깘 #gyAӯ3v=ǘk mr?u,r?s\,C dYVc.G\L*@=փ W1`#hxj<nRh1)Lb'kIɻ#795I }˦N܌aBbr L% s^޳h|'/bA-r*r*]xD4;NbŠbiOR<'\+ SSq|h܉7,{ٗΚCRI>Qmv<Vyzھ|Cosganm߄;l| n%96G\[ P %VL,