Part 2: URLs Unraveled

Case Study: Reconnaissance Leaks Corporate Assets

FOR yet another night, Jack was working late at the office. He was a Web developer extraordinaire (a.k.a. an elite Web hacker) who got bored easily and had a penchant for the market. One of those young geniuses who was always searching for a challenge, Jack was bored that night and decided to poke around the Internet.

In the past, Jack had purchased a number of movies from an online Web site called Example.com (symbol EXMP.CO) with an online catalog of more than 10,000 movies, DVDs, VHSs, and music CDs. Earlier that day Jack had received a spam e-mail from Example.com proclaiming a brand new Web site that was easier to use than its previous one. The company also boasted about something else that instantly piqued his interest: It stated that the new Web site was "unbreakable." Idle hands are truly the devil's workshop, so Jack began his quest to disprove this bold statement.

He started by reviewing the company's home page (http://www.example.com). The design was flashy and brash, featuring heavy use of Macromedia Flash and some sort of server-side scripting technology that he wasn't familiar with. He decided to break down the URL to see if he could get a better idea of its underlying technology. The home page had the following URL:

http://www.example.com/load.cgi?file=main.dhtml

As he perused this URL, he noticed a couple of things:

         The Web programmer had used some form of CGI, probably Perl, as indicated by the load.cgi file name:

http://www.example.com/load.cgi

         The programmer had used Dynamic HTML (DHTML), with the latest HTML 4.0 features, as indicated by the main.dhtml file name:

http://www.example.com/load.cgi?file=main.dhtml

         The programmer had used GET requests to pull up content, as indicated by the URL specifying the parameters being passed to the main CGI program (load.cgi).

http://www.example.com/load.cgi?file=main.dhtml

If the programmer who had written the load.cgi program hadn't performed adequate input validation on the file field (for example, accepting only a fixed set of template names and rejecting anything that resolves outside the template directory), someone might be able to retrieve any file on the Web server's filesystem that the Web server process could read. But Jack wouldn't know until he tried it:

http://www.example.com/load.cgi?file=load.cgi

Sure enough, the URL produced the source code for the main CGI program, load.cgi. Now Jack could read any file on the filesystem that the Web server process had permission to open. But before he crawled the Web site for potential targets of attack, he went straight after the robots.txt file:
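The loader Jack abused, reconstructed here as an added Python example (the book never shows the Perl source of load.cgi, so this is not that code): the vulnerable version joins the file parameter straight onto the template directory with no checks, the hardened version accepts only .dhtml names and then verifies that the resolved path is still inside that directory. The web root, its files and the function names are constructed for the example.

```python
"""Added example: a 'file=' loader in the vulnerable shape the case study describes,
beside a hardened one. Web root, files and names are constructed for this example."""
import os
import tempfile

# Constructed web root: the CGI script, robots.txt, a template directory holding
# main.dhtml, and a stray .dhtml file outside it to exercise the traversal check.
WEB_ROOT = os.path.realpath(tempfile.mkdtemp())
TEMPLATES = os.path.join(WEB_ROOT, "templates")
os.makedirs(TEMPLATES)
for rel, text in {
    "load.cgi": "#!/usr/bin/perl\n# secret: CGI source\n",
    "robots.txt": "Disallow: /Forecast/\n",
    "templates/main.dhtml": "<html>main page</html>",
    "outside.dhtml": "not a template",
}.items():
    with open(os.path.join(WEB_ROOT, rel), "w") as fh:
        fh.write(text)


def load_vulnerable(file_param: str) -> str:
    """The parameter is joined to the template directory with no validation, so
    file=../load.cgi returns the CGI source and an absolute path escapes entirely."""
    with open(os.path.join(TEMPLATES, file_param)) as fh:
        return fh.read()


def load_hardened(file_param: str) -> str:
    """Allow only *.dhtml names, then confirm the resolved path is still inside
    TEMPLATES. realpath() collapses '..' and symlinks; the prefix test includes
    the separator so a sibling such as 'templates-old/' cannot match."""
    if "\x00" in file_param or not file_param.endswith(".dhtml"):
        raise PermissionError("rejected: not a template name")
    candidate = os.path.realpath(os.path.join(TEMPLATES, file_param))
    if not candidate.startswith(TEMPLATES + os.sep):
        raise PermissionError("rejected: path escapes the template directory")
    with open(candidate) as fh:
        return fh.read()


def probe(loader, file_param: str) -> str:
    """Run a loader and report 'denied' instead of raising, for side-by-side checks."""
    try:
        return loader(file_param)
    except (PermissionError, FileNotFoundError):
        return "denied"


if __name__ == "__main__":
    for name in ("main.dhtml", "../load.cgi", "../outside.dhtml"):
        print(name, "| vulnerable:", repr(probe(load_vulnerable, name)),
              "| hardened:", repr(probe(load_hardened, name)))
```

Note that the extension check alone is not enough: ../outside.dhtml passes it, and only the realpath prefix test stops it. Checking the resolved path rather than the raw string is what closes the hole the case study exploits.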

http://www.example.com/load.cgi?file=robots.txt

This file lists the directories and files that the site owner does not want Web crawlers to visit. Honoring it reduces the load on the Web server, because a well-behaved crawler avoids those directories and files, but any crawler (or attacker) can choose not to honor it, and because the file is publicly readable it amounts to an index of exactly the locations the owner considers sensitive.
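Turning a robots.txt into a target list, as an added Python example that is not part of the book: the parser pulls out every Disallow value, skips the uninformative cases (an empty Disallow or a bare /), and sorts the rest into directories to enumerate and files to request directly. The robots.txt text and the recon_targets name are constructed for the example, not Example.com's real file.

```python
"""Added example: extract Disallow entries from robots.txt and turn them into
reconnaissance targets. The robots.txt content below is constructed."""
import re

# Constructed sample standing in for what load.cgi?file=robots.txt returned.
ROBOTS_TXT = """\
# crawler policy
User-agent: *
Disallow: /cgi-bin/
Disallow: /Forecast/
Disallow: /admin/login.cgi
Allow: /Forecast/public/
Disallow:
Sitemap: http://www.example.com/sitemap.xml
"""

DISALLOW_RE = re.compile(r"disallow\s*:\s*(\S*)", re.IGNORECASE)


def disallowed_paths(robots_txt: str) -> list[str]:
    """Return every non-empty Disallow value in file order, comments stripped.
    A bare 'Disallow:' means nothing is off limits, so it is skipped."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DISALLOW_RE.match(line)
        if m and m.group(1):
            paths.append(m.group(1))
    return paths


def recon_targets(base_url: str, robots_txt: str) -> dict[str, list[str]]:
    """Split the hidden paths into directories (to crawl or brute-force) and
    files (to request directly), prefixed with the site's base URL."""
    base = base_url.rstrip("/")
    targets: dict[str, list[str]] = {"directories": [], "files": []}
    for p in disallowed_paths(robots_txt):
        if p == "/":
            continue  # whole site disallowed: reveals nothing about structure
        kind = "directories" if p.endswith("/") else "files"
        targets[kind].append(base + p)
    return targets


if __name__ == "__main__":
    for kind, urls in recon_targets("http://www.example.com/", ROBOTS_TXT).items():
        print(kind)
        for url in urls:
            print("  ", url)
```

Only the Disallow lines matter for reconnaissance; Allow and Sitemap lines are parsed past deliberately, since they describe what the owner is happy to have crawled.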

Jack spots a directory of particular interest, the /Forecast directory. He first tries to display a directory listing for it but gets an error:

http://www.example.com/Forecast/.

He then tries a few known file names, such as load.cgi and main.html, but to no avail. So he decides to crawl the Web site himself and see if any files are linked to this directory. Using Teleport Pro, he mirrors the entire Web site and reviews the output. He finds a series of files that hold some hope, all named Example.com-Forecast-QxYY.pdf, where x is the quarter number (1, 2, 3, and 4) and YY is the last two digits of the year (99, 00, 01, and 02):

http://www.example.com/Forecast/Example.com-Forecast-Q199.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q299.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q399.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q499.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q100.pdf
http://www.example.com/Forecast/Example.com-Forecast-Q200.pdf
...

Knowing that the current date is March 28, 2002, and that the first quarter is about to end, he tries the following URL:

http://www.example.com/Forecast/Example.com-Forecast-Q102.pdf

Voila! Jack is prompted to Save the Example.com-Forecast-Q102.pdf file. He does so quickly.

Teleport Pro did not find this file, but Jack's hope was that the finance department may have already put a draft or near final version of the Q1-2002 report on the Web site for early review by investors. And it had. Human predictability is a wonderful thing.
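Jack's last step, reconstructed as an added Python example (not code from the book): given the file names the mirror found and today's date, list every name that fits the QxYY pattern but was never linked, from the earliest observed quarter through the current one (and optionally a quarter or two ahead). Gaps in the middle of the series are reported too, since an unlinked but present file is just as interesting as the newest one. The two-digit-year pivot and the function names are assumptions made for the example.

```python
"""Added example: predict unlinked Example.com-Forecast-QxYY.pdf names from the
pattern observed in a site mirror and the current date. Names and pivot are
assumptions made for this example."""
import re
from datetime import date

NAME_RE = re.compile(r"Example\.com-Forecast-Q([1-4])(\d{2})\.pdf")


def expand_year(yy: int) -> int:
    """Two-digit year pivot; an assumption, chosen so 99 -> 1999 and 00..02 -> 2000s."""
    return 1900 + yy if yy >= 70 else 2000 + yy


def forecast_name(quarter: int, year: int) -> str:
    return f"Example.com-Forecast-Q{quarter}{year % 100:02d}.pdf"


def quarter_index(quarter: int, year: int) -> int:
    """Map (quarter, year) onto a single integer so quarters can be ranged over."""
    return year * 4 + (quarter - 1)


def index_to_quarter(idx: int) -> tuple[int, int]:
    return idx % 4 + 1, idx // 4


def candidate_names(mirrored: list[str], today: date, lookahead: int = 0) -> list[str]:
    """Return pattern-conforming names that the mirror did NOT contain, covering
    every quarter from the earliest observed one up to the current quarter plus
    `lookahead`. Gaps inside the observed series are reported as well."""
    observed = set()
    for name in mirrored:
        m = NAME_RE.fullmatch(name)
        if m:
            observed.add(quarter_index(int(m.group(1)), expand_year(int(m.group(2)))))
    if not observed:
        return []
    current = quarter_index((today.month - 1) // 3 + 1, today.year)
    return [
        forecast_name(*index_to_quarter(i))
        for i in range(min(observed), current + lookahead + 1)
        if i not in observed
    ]


# Constructed mirror output: what Teleport Pro found, Q1 1999 through Q4 2001.
MIRRORED = [forecast_name(q, y) for y in (1999, 2000, 2001) for q in (1, 2, 3, 4)]

if __name__ == "__main__":
    for name in candidate_names(MIRRORED, date(2002, 3, 28), lookahead=1):
        print("http://www.example.com/Forecast/" + name)
```

With the mirror complete through Q4 2001 and the date set to March 28, 2002, the only candidate for the current quarter is Example.com-Forecast-Q102.pdf, the file Jack guessed by hand; lookahead=1 adds the Q2 2002 name as a second probe.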

Having received the file, Jack reviews it for any sensitive information and it has plenty. The P/E ratio is creeping higher and revenue did not meet expectations, not by a long shot. Jack quickly realizes that he can sell his stock before those results are reported and possibly save $1000. Jack logs on to his e-broker's Web site and places a sell order to protect his portfolio. He feels good about his accomplishment and decides to call it a night and head home. Who knows what mischief he will get into next....

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156