I will proudly announce that recently I hacked a website and obtained some information that is very valuable to me yet I am NOT supposed to obtain. I won’t say what, where, who, but I will tell you how. Oh, and I also want to add that, out of my full honesty, it was NOT ethically wrong, and it does not harm other people. It was something that will save me time, money, and effort.
This might seem like an easy piece of cake for advanced web geeks like myself, but to many, it should serve as a good lesson for implementing security for any rookie developers or business owners. So here it goes…
There is page A, which has a dropdown form to retrieve certain records. Some records are obtainable with my login, some are not. So the dropdown is generated by a server-side script that only gives values for the records that I am allowed to get. It uses a form, with POST method submission, and points to another file on the server that processes the entries and pops them out for you on the screen… Let’s assume I have access to records A, B and C. It looks like this :
<option value=”a”>Option A</option>
<option value=”b”>Option B</option>
<option value=”c”>Option C</option>
Now, Firefox, has a very useful extension that allows you to change SELECT fields into regular text entry fields so that you can put in whatever value you need to force through. It’s called the Web Developer Plug-in. Now, the records I need to retrieve are X, Y and Z. Using the menu option Forms – Convert Select Elements into Text Inputs, I forced the dropdown options to be a text field instead of a dropdown. I simply entered X in the field, and then clicked “Submit”, and it gave me the records for option X. Same with Y, and Z.
In a nutshell, here is a diagram of this page system.
So, it’s like stopping someone from entering a secure room by NOT giving him the keys in the reception area. But the intruder has a method to obtain his own key (in this case, by overriding the form to enter any value he wants) and can enter the secure zone.
What needs to be done is this – regardless of whether the visitor has the key or not, there should be a guard in the secure room checking whether the key matches the identity of the visitor – whether the visitor is entitled to the key or not. If not, the intruder must be stopped. Here is a diagram for that scenario.
In this case, the security is actually put on the zone that should be secured itself, providing a fail-proof cloaking of data that is not supposed to be givin out to the unauthorized user. The lesson here is this : always secure the actual result-bearing page, not just the page that has the form/link towards it. And if you’re too lazy to secure both ends, secure the result-bearing page, not the Form/Link page.
