CyberiaPC.com Most Recent Posts

Preventing semantic URL attacks in Web applications

Thu, 2 Jul 2009 07:41:39 -0500

The problem

A semantic URL attack is a type of security exploit that takes advantage of the fact that a web browser cannot infer any semantics from an HTTP request. Take the following URL for example:

http://www.mywebapplication.com/viewPaymen...?receiptId=7892

Let us assume that when the URL is processed, the specified receiptId is used to query some receipts table and then display its details to the user (1). Now, what would stop someone from simply changing the value of receiptId and retrieving the details of someone else’s receipt? Surely that shouldn’t happen. But, it can and it does. The browser does not care at all about the request’s semantics, so it ends up blindly trusting it and therein lies the vulnerability.

The example above would allow an attacker to retrieve and display arbitrary details, but realize that the issue can be much more serious than that when an application depends on parameters passed in through an HTTP request to do, say, branching or updates to or deletes from tables, which is why there is a whole other discussion about the importance of always assuming that user input is unsafe to begin with and the need to sanitize/validate/filter it before anything is done with it.

A solution

Our solution should be two-fold:

1. Ensure that requests that are only sent from our application’s forms are checked and confirmed to have come from our forms
2. Ensure that requests that are sent via hyperlink-clicks, which contain parameters, are checked and deemed permissible for the logged-in user to access

Tokens, tokens, tokens

Our problem is that our browser has no way of knowing if a request is being 1) formed and sent by our application’s forms, or 2) arbitrarily by the user. Our solution should therefore involve providing extra information to allow the application to differentiate between the two types of requests. One solution is to use tokens, which is simply a metaphor that involves generating random and unique numbers to pair users to requests. Here is how it works:

In every page where we have a form, we generate a unique and random number (a token) and then
* Set it to the session, and
* Add it as a hidden input field to the page containing the form

Then, in the server-side class that takes care of processing the form (Action class, form handler, etc), simply check to make sure that the value of the token that is set to the session is equal to the value of the token that was sent in the HTTP request (the hidden field). If so, then we can consider the token to be valid; if not, we can take an alternative course of action such as logging the user out. Finally, we reset the token.

Since the token is regenerated every time the page that includes the form loads and is reset both in the session and in the HTML page’s source, we can always be sure that the user will not be able to proceed if he or she directly accesses a URL, modified or not, without arriving at it through a form since no token will be set in the HTTP request and the token in the session may possibly have expired.

For your eyes only

Our second issue exists if we, say, have a table of receipts for a particular user with each receipt number linked to a URL similar to the one shown above. On submission, we need to make sure that our request handler verifies that the receipt number passed to it is in fact a receipt number that belongs to the logged-in user as identified by his credentials in the session. Therefore, what we need to do is to add logic to query the database every single time an HTTP request is received and prior to its parameters being used for anything to ensure that the logged-in user has the necessary privileges to access the parameters.

Encrypting URLs or individual parameters may also be an option, albeit it remains a limited one. Using algorithms that allow for two-way encryption/decryption may leave the application vulnerable in the case that the encryption/decryption algorithm and possibly the salt is figured out by an attacker. And encryption-only algorithms are only useful if the application knows what set of values a particular parameter is a subset of, meaning that if we’re going to encrypt a parameter using something like, say, MD5, we need to have a fairly small set of values to encrypt on the server-side to compare hashes and know when we have a match.

Code

Instead of rewriting code that others have already written, I’ll point you to two places where you can find sample code listings of how to implement tokens in Struts and PHP. For the former, check out Romain Guay’s article here and for the latter, check out the section titled Safeguarding Against CSRF in Chris Shiflett’s article here. I would strongly recommend reading Chris’ blog posts and book (referenced below) for succinct and clear descriptions of security issues to look out for in Web applications along with the best practices for mitigating them.

For completeness, note that to check the validity of a token in PHP in your form handler, a simple guard such as the following would suffice:

CODE

if(isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) {
//token is valid
}

Footnotes and references

(1) The URL need not be available as such in the application; it may in fact be the case that “receiptId” is sent via a POST request from a form to viewReceipts.do, but by simply viewing the source code, an attacker could construct such a URL and either execute it directly or conceal it in an image by setting it to the image’s src attribute. In Java or PHP, HttpServletRequest and $_REQUEST, respectively, return parameters regardless of whether they were submitted via POST or GET. Also note that although using POST instead of GET, the latter of which rewrites the URL, to transfer parameters may give the impression of added security since parameters are not visible in the URL, one should keep in mind that it is only slightly more inconvenient to view or modify POST variables by using applications such as Fiddler. Nevertheless, it is always best to use POST for forms that perform actions other than simple retrievals of data as per RFC 2616 [Shiflett].

[Shiflett] Chris Shiflett, Essential PHP Security, O’Reilly, 2006

A. A. June 2009

Goal.com logo competition

Thu, 2 Jul 2009 06:58:27 -0500

Goal.com had a logo competition a while ago and my brother and I submitted an entry, which made it through to the final selection. So, guys, if you get a chance, head over there and vote for us: http://www.goal.com/en/contests/logo

The entry number is It's called Logo 012 (submitted by skyrill). Thanks.

PS3 Stuff

Tue, 30 Jun 2009 21:27:03 -0500

So,

I has this PS3 thing right? Been kinda engulfed in Ghostbusters, Prototype & Infamous lately. But found somethin neat. I downloaded Final Fantasy 7 lol

Whats really cool is that it makes a virtual playstation memory card; so you can get on your computer; download saved states or restore yours from your old memory card ( i did this, **** gettin that golden chocobo again just to not havta walk to my living room to use the playstation one lol) and go.

Thought it was kinda neat.

But whats really killer is that playstation is working on a software update for the PS3.

It's an emulation software that would make ANY model of the PS3 backwards compatible.

The only bummer of that awesomeness is: its speculation. they could just be making the update to be able to port all their games a lot easier into the sony store. So you'd still havta rebuy games to play em on the ps3 which is kinda crappy.

So thats why I have always stuck with nintendo lol

Question Regarding our Guess This Game..

Tue, 30 Jun 2009 01:20:13 -0500

So, would we like to continue this?

I was looking at it. DAMN. I fail.

So, here's my initial idea (as in reboot the damn site!):

We start it over again. Kick it into gear. I don't have the DB i created by all means anymore, but I can wing it.

We can start anew. New rules, perhaps unremitting the 8bit crowd. I may not be the most fanatic gamer into the new area's but I can still recognize games pretty easily and still can find shots and info's at will (I have A LOT of free time and a shitty pc lol).

Set the scores to 0, set the limit to somethin cool. Do a mass email to all those old members.. put a big flashy thing on the news..

COME ON!!

just a thought..

Billy Mays RIP

Tue, 30 Jun 2009 01:03:17 -0500

*wearing a blue shirt all week*

Man kills soldier in Vietnam, returns photo to his daughter [Video]

Sun, 28 Jun 2009 22:22:13 -0500

http://www.youtube.com/watch?v=CWMM7fclV9k

Pretty moving video of a man who killed a Vietnamese soldier during the Vietnam War, took a photo of him and his daughter from him and then went back to give the photo to the daughter of the man he killed many decades later.

Asus Eee, and Netbooks in general

Sun, 28 Jun 2009 22:14:12 -0500

I might be going on vacation soon and was thinking of buying an Asus Eee PC and taking it with me this time round instead of my laptop. I figured it would be better that way considering that the Eee has 10 hours of battery life, is super-light, is cheap, can be used to backup images from my CF cards and won't have any personal data on it in case I end up losing it. It seems like a good idea. So, anyone used an Eee or any of the other similar netbooks out there?

CyberiaPC.com user on crack

Thu, 18 Jun 2009 04:41:37 -0500

QUOTE

Apr 20
Name: mspence
Email: mspence@suddenlink.net
Subject: LUNAR COMMAND
Message: YOU'RE GOING TO LET ME PLAY THIS ****ING GAME LIKE YOU'RE SUPPOSED TO WHETHER YOU LIKE IT OR NOT.
recaptcha_response_field: gaudily Pa

Apr 29
Name: mspence
Email: ***
Subject: LUNAR COMMAND
Message: IM TALKING TO YOU

WAKE THE F**K UP OVER THERE
recaptcha_response_field: commission attune

Apr 30
Name: mspence
Email: ***
Subject: LUNAR COMMAND GODAMMIT
Message: HOW MANY TIMES DO I HAVE TO TELL YOU PEOPLE TO WAKE THE F**K UP OVER THERE?
recaptcha_response_field: squander temp-

Apr 30
Name: mspence
Email: ***
Subject: LUNAR COMMAND GODAMMIT

Message: KISS MY ASS

WAKE THE F**K UP OVER THERE JACKASSES
recaptcha_response_field: do dallies

May 1
Name: mspence
Email: ***
Subject: LUNAR COMMAND FIX THE ****ING GAME
Message: YOU'RE GOING TO LET ME PLAY THIS F**KING GAME LIKE YOU'RE SUPPOSED TO WHETHER YOU LIKE IT OR NOT

F**K YOU DO WHAT YOU'RE TOLD
recaptcha_response_field: Powers polaris

May 6
Name: mspence
Email: ***
Subject: LUNAR COMMAND MOTHERF**KERS
Message: I DONT CARE WHAT YOUR ****ING PROBLEM IS. WAKE THE F**K UP OVER THERE ASSHOLES.
recaptcha_response_field: raunchy con

June 4
Name: mspence
Email: ***
Subject: Lunar Command
Message: F**K YOU WAKE UP
recaptcha_response_field: Ascension neutered

June 15 (3 days ago)
Name: mspence
Email: ***
Subject: LUNAR COMMAND
Message: WAKE THE F**K UP AND LET ME PLAY THIS F**KING GAME WHETHER YOU LIKE IT OR NOT
recaptcha_response_field: place dresden

3 hours ago
Name: mspence
Email: ***
Subject: LUNAR COMMAND
Message: F**K YOU

I DONT CARE WHAT TIME IT IS
recaptcha_response_field: CALDOR unpaid

Announcing your plans makes you less likely to achieve them

Wed, 17 Jun 2009 06:07:30 -0500

http://sivers.org/zipit

Considering that I'm surrounded by cynics, I've always found it best to actually implement whatever ideas I think of and then later step back and see whether or not they were a good idea to begin with

Tagged: The most annoying website in the world

Sat, 13 Jun 2009 13:31:46 -0500

God, I hate that website...

http://www.time.com/time/business/article/...1903810,00.html