Author Topic: had an incident with an online form.  (Read 3872 times)
p0et
« on: July 24, 2009, 12:34:17 PM »

Can't really divulge many details but here goes.  A company I know of has this website where you can sign in as a user or a guest.  If you sign in as a guest, you fill out some info such as name, phone number, address and birthdate.  At the bottom of the page is a register button.  If the user starts filling out the form but doesn't end up hitting register, he is able to copy the URL and send it to his other friend.  That friend can paste the URL on a different computer and see all the info that the first guy had filled out.

So the company received an email from the guy who found this hole saying that the company should know about it and patch it before he reports it to the papers. Apparently, he was able to see many other users' filled-out forms as well by guessing/changing the numbers at the end of the URL.

The company has been thinking of ways to resolve this.  One idea was to block/hide the address bar so no one can copy the URL.  Even if they do this though, won't the attacker still be able to go into the browser history and retrieve the URL there? 

Any insights would be great!

GCIH, Security+, Network+, A+, MCP, DCSE
Ketchup
« Reply #1 on: July 24, 2009, 01:16:40 PM »

Hiding the URL bar won't deter many people at all.   Without looking at the code it's a bit difficult to see what the issue is.  

However, if I had to guess, they should incorporate session variables for each session.  They could incorporate a hidden form field called "SessionID."  Dynamically generate this value and make it unique for each visitor.   Make sure the number is not predictable.   Often md5 hash values of various client data with a salt value are used.  Pass this session id to every page that is susceptible to the vulnerability discovered.   Make sure the page is not viewable without a valid session id.

http://www.php.net/manual/en/intro.session.php

There could be better ways, but that's the way I would do it.  Again, this is just a guess based on the information I have.

<edit> They should probably audit the remainder of the application to see what else is lurking around </edit>

~~~~~~~~~~~~~~
Ketchup
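
An added example, not part of the thread or any poster's code: a Python sketch of the fix described in the reply above, where the half-filled form is tied to an unpredictable per-visitor session value instead of a number at the end of the URL. The class and function names are hypothetical, Python is an assumption (the site's stack is not given in the thread), and the token comes from the OS CSPRNG via `secrets` rather than the salted MD5 mentioned above.

```python
import secrets


class SequentialDraftStore:
    """The reported flaw: drafts keyed by a guessable number carried in the URL."""

    def __init__(self):
        self._drafts = {}
        self._next_id = 1000  # constructed starting value

    def save(self, fields):
        draft_id = self._next_id
        self._next_id += 1
        self._drafts[draft_id] = dict(fields)
        return draft_id  # ends up as the number at the end of the URL

    def load(self, draft_id):
        return self._drafts.get(draft_id)  # no check of who is asking


class SessionBoundDraftStore:
    """The fix: drafts keyed by a random session token the server issued."""

    def __init__(self):
        self._drafts = {}

    def new_session(self):
        token = secrets.token_urlsafe(32)  # 256 bits, not derived from client data
        self._drafts[token] = {}
        return token  # assumption: delivered as a cookie, never placed in the URL

    def save(self, token, fields):
        self._slot(token).update(fields)

    def load(self, token):
        return dict(self._slot(token))

    def _slot(self, token):
        if token not in self._drafts:
            raise PermissionError("page not viewable without a valid session id")
        return self._drafts[token]


def count_readable(load, candidates):
    """Regression check: how many guessed identifiers return somebody's draft."""
    hits = 0
    for candidate in candidates:
        try:
            hits += load(candidate) is not None
        except PermissionError:
            pass
    return hits
```

Running `count_readable` over a range of neighbouring numbers against both stores is a quick way to confirm the enumeration described in the first post no longer returns data after the change.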
Equix3n-
« Reply #2 on: July 25, 2009, 02:42:45 AM »

Bingo! Ketchup beat me to it.
Make sure they generate a SessionId for each user and it should be "random".

That's one of the best ways to do it.