Sunday, May 20, 2007

CSRF Dorks

You've all seen Johnny Long's google hacking database

Its an excellent example of a full disclosure platform that helps raise awareness about vulnerabilities in the wild. I just launched the first version of the csrf hacking database here:

http://csrf.0x000000.com/csrfdb.php

I designed, developed and am maintaining it on my own right now so go easy on me ;)

thanks to Ronald van den Heetkamp for the hosting.

EDIT:

http://h4k.in/csrf now forwards to the csrf database as well

Thanks to
Mario Heiderich for the redirect as well as for his suggestions and help.

Wednesday, April 25, 2007

l33t haxxors

I dont usually post on nontechnical subjects, but I'm making an exception:


l33t haxxors - Episode 1
l33t haxxors - Episode 2
l33t haxxors - Episode 3

Excellent comic relief for a tough day. Enjoy :)

Tuesday, April 24, 2007

The Ellusive Negative Quantity Vulnerability

I guess I'm just going to pick up where I left off a few months back. Rather than backtracking over all the stuff thats happened between then and now, I'll just keep on posting as things come up.

So here's one that just sorta came to me as I was pen-testing a browser based php mmorpg with a friend. I expect this type of vulnerability exists in more problematic places: Banking systems, shopping cart systems, etc.

The vulnerability is a sort of logic error. Lets have a look at some psuedo code designed to allow customers to make purchases.


let $Customers_Money = 100
let $Object_Price = 10

let customer input value for $Quantity

let $Total_Price = $Object_Price * Quantity
if $Total_Price > $Customers_Money then tell customer its too much, and exit

else let $Customers_Money = $Customers_Money - $Total_Price


We give the customers $100 to start and we create an object worth 10$.
We ask the customer how many of the object they want to buy.
We calculate the total price for all the objects, and check whether or not the customer can afford it.
If they can we take the total price and subtract it from the customers money.

The subtraction operation is where the problem exists. What happens when we supply a negative quantity? Well lets run through it:

With a quantity of -10, the total price becomes -10 * 10 = -100
We check if the total price is more than I have in my wallet, ...its not, its less.
So we take that total price, and subtract it from the customers money: 1000 - -100 = 1100
WAIT, see that? using a negative quantity, we have actually GAINED money.

There's a simple solve. And its a solution thats repeated over and over again in web/all security. WHITELISTING. Only allow good input. Theres no need for a negative quantity, so don't allow them. I'm surprised I havn't seen more of this poor logic type vulnerability. Anyone else have similar stories?

<3