Man vs. web app

For me, it’s hard to downplay the joy of successfully assailing a web application and finding valuable faults, all the more so when the most expensive app scanners report nothing of value after a scan.

On a recent gig I was focusing on finding issues with a couple of forms. Wielding Burp, I was intercepting all the GETs and POSTs and noticed the server responding with JSON data (from a URL like http://[…]/data.json).

I tossed the JSON blob into an online JSON validator (http://www.jsonlint.com/) to make it easier to read (below is a small snippet).

"sanitized":
  { "aaaDetail":
    { "aa_id": "276060",
      "bb_id": "103065",
      "cc_id": "515ad8933c821b2f72a8cbb7054zed3c",
      "x_time": "2009-08-12 21:42:40",
      "y_time": "2009-08-12 21:47:34",
      "full_name": "T H",
      "comment": null,
      "country": "United States",
      "state": "Colorado",
      "city": "Broomfield",
      [...]
    }
  }

I soon realized the JSON objects contained great information for crafting precision attacks.

The JSON keys read like database column names. I wondered for a moment what would happen if I simply used the strings in the JSON objects as POST keys, came up with plausible values matching each key, and then started POSTing the modified form data.

Bingo. By simply intercepting POST requests and appending new key/value pairs to the ones already being submitted, I was able to modify database columns the developers never intended the form to touch (what is now commonly called a mass-assignment flaw, compounded by a missing ownership check). In this case, it meant I was able to modify information inserted and owned by other users of the site.
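As an added example (not code from the original post, and not the site's actual stack, which is unknown), here is the flaw in miniature: a handler that writes every submitted key matching a column and selects the row by the client-supplied id, beside a hardened version that rejects unexpected parameters and binds the update to the authenticated owner. The table, the helper that harvests candidate keys from the JSON, and all values are constructed for illustration; aa_id and bb_id follow the post's sanitized placeholders.

```python
import json
import sqlite3

# Constructed sample response, shaped like the blob in the post. Field names
# follow the post's sanitized placeholders; the values are made up.
SAMPLE_JSON = """{"sanitized": {"aaaDetail": {
    "aa_id": "276060", "bb_id": "103065", "full_name": "T H",
    "comment": null, "country": "United States",
    "state": "Colorado", "city": "Broomfield"}}}"""


def candidate_keys(blob):
    """Collect every leaf key in a JSON response: the strings an attacker
    would try as extra POST parameter names."""
    keys = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if isinstance(v, (dict, list)):
                    walk(v)
                else:
                    keys.add(k)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(json.loads(blob))
    return sorted(keys)


def forge_post(legit_form, extra):
    """Return the intercepted form with attacker-chosen pairs appended
    (later pairs win, so an attacker can also override aa_id)."""
    forged = dict(legit_form)
    forged.update(extra)
    return forged


COLUMNS = {"aa_id", "bb_id", "full_name", "comment", "city"}   # real columns
WRITABLE = {"comment", "city"}                                 # what the form should touch


def make_db():
    """Hypothetical backing table; bb_id is the owning user's id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (aa_id INTEGER PRIMARY KEY, bb_id INTEGER,"
               " full_name TEXT, comment TEXT, city TEXT)")
    db.execute("INSERT INTO comments VALUES (276060, 103065, 'T H', NULL, 'Broomfield')")
    db.execute("INSERT INTO comments VALUES (276061, 200001, 'Other User', 'hi', 'Denver')")
    return db


def update_vulnerable(db, form):
    """The flaw the post describes: every submitted key naming a column is
    written, and the row is chosen by the client-supplied aa_id, so a caller
    can rewrite another user's record. Column names are checked against
    COLUMNS, so this is not SQL injection; the bug is authorization."""
    target = int(form["aa_id"])
    fields = {k: v for k, v in form.items() if k in COLUMNS and k != "aa_id"}
    sets = ", ".join(f"{k} = ?" for k in fields)
    cur = db.execute(f"UPDATE comments SET {sets} WHERE aa_id = ?",
                     (*fields.values(), target))
    return cur.rowcount


def update_hardened(db, session_user_id, form):
    """Fix: reject parameters outside the allow-list instead of silently
    ignoring them, and enforce ownership in the WHERE clause using the
    server-side session, not a form field."""
    unexpected = set(form) - WRITABLE - {"aa_id"}
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    fields = {k: form[k] for k in sorted(WRITABLE) if k in form}
    if not fields:
        return 0
    sets = ", ".join(f"{k} = ?" for k in fields)
    cur = db.execute(f"UPDATE comments SET {sets} WHERE aa_id = ? AND bb_id = ?",
                     (*fields.values(), int(form["aa_id"]), session_user_id))
    return cur.rowcount


def fetch(db, aa_id):
    return db.execute("SELECT bb_id, full_name, comment, city FROM comments"
                      " WHERE aa_id = ?", (aa_id,)).fetchone()


if __name__ == "__main__":
    legit = {"aa_id": "276060", "comment": "my own comment"}
    extra = {"aa_id": "276061", "full_name": "tampered", "bb_id": "103065"}
    db = make_db()
    print("keys to try:", candidate_keys(SAMPLE_JSON))
    print("vulnerable rows changed:", update_vulnerable(db, forge_post(legit, extra)))
    print("other user's row now:", fetch(db, 276061))
    db = make_db()
    try:
        update_hardened(db, 103065, forge_post(legit, extra))
    except ValueError as e:
        print("hardened rejected:", e)
```

The forged request above not only edits another user's full_name but reassigns bb_id, taking ownership of the row; the hardened handler refuses it outright, and even a request using only permitted keys against someone else's aa_id updates zero rows.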

I’m not claiming Harry Potter skills here, rather illustrating one of many examples of why Man is needed to go beyond where automated web app scanners stop.

Posted by tate Sat, 22 Aug 2009 22:59:00 GMT


keep passphrases ‘in the mind’

I’ve always heard from friends that a court could compel a person to divulge a passphrase to get to their encrypted information.

I learned that this is not exactly true while attending Tyler Pitchford’s presentation at Defcon 17.

Encryption keys are products of the mind and are protected by the Fifth Amendment.

The case from which these assertions are derived is United States v. Boucher. Sebastien may have to give up his passphrase in the end because he made a terrible decision in the beginning by consenting to talk.

Never talk. Never. If you haven’t already, watch this video presentation by Professor James Duane titled "Don’t Talk to the Police" to learn all about why. Its subtitle says it all: "Why I am proud to admit that I will never talk to any police officer. In Praise of the Fifth Amendment Right to Not Be a Witness Against Yourself."

Posted by tate Mon, 03 Aug 2009 12:13:00 GMT