Archive for August, 2009

Lockerz.com, and the importance of data validation.

Many popular web applications are left susceptible to Cross site request forgery (CSRF) and request alteration due to the lack of request validation. This form of validation is vital to ensuring the origin of a request, to ensuring the authenticity of the data within the request.

About a week ago I stumbled upon a perfect example exemplifying the importance of request validation and data authenticity. I was invited to a website called Lockerz.com. Lockerz offers its users different ways to earn points on their account by answering questions on their website daily and by inviting other friends to sign-up. Users can then redeem those points for amazing products ranging from iPod Touches, Apple TVs, Mac Book Pros all the way to concert tickets, expensive pocket books, and jewelry.

After I registered, I was directed to a page welcoming me to Lockerz. My points counter showed up at the bottom right of the screen and was populated with 2 points for just signing up. I was then directed to a breakout type game that each user plays once, right after they sign-up. The objective was to catch as many falling money squares before time runs out. The more you catch, the more bonus points you get for signing up. The game began and I started moving my cursor around the screen trying to catch the falling sqaures. Time ran out and my point counter incremented by my total winnings. Below is a screen shot of the game.

Lockerz

Like usual, my curiosity got the best of me and I decided to take a deeper look at the operation of the game. I set up a local proxy and tunneled all HTTP traffic through it so that I could take a closer look at the requests being made throughout game-play. I noticed that only one post request was made at the end of the game by the embedded SWF, which was used to increment my point counter. But I noticed something peculiar about the POST variables; there was no form of authentication being used to validate my score sent from the SWF to their server. Below is an example of the post request that the SWF sent to their server.

POST /asset/submit/1 HTTP/1.1
Host: www.lockerz.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: __utma=27552625.3926623737007597500.1250522678.1250623832.1250640033.3; __utmz=27550625.1224322678.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SESSd61c2d9c6510db589245293749ed3b01=7ea8d55f367ebfad59b14e936c5be67c; __utmb=27550625.7.10.1250640033; __utmc=27550625; has_js=1
Referer: http://www.lockerz.com/sites/default/themes/sky/assets/flash/gameShell.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 37

score=13&platform=WIN&dataFormat=text

By simply changing the value of the “score” variable to 9000 and altering the Content-Length to 39, my score counter incremented to 9,002 points.  I would then be able to redeem prizes with high point prices instantly.  I immediately notified Lockerz about the vulenrablity and that I encourage they use some form of encryption or token based validation to authenticate the legitimacy of the score sent off by the SWF to the server. I received an email shortly after telling me that the team has been notified. I checked back two days later and they did just what I suggested.  They added several more variables to the POST request validating the score before it is entered into their database.  The new POST variables are listed below.

score=13&scoreCheck=QWHKjfVGPFzyKyZC1VWoUYUMSTsdX0zf&platform=WIN&minorRevision=0
&gameToken=d06bc06ce3980e41b68a7d22feff5483&buildNumber=22
&dataFormat=text&majorRevision=10

As you can see, a few new variables have been added, the most important being scoreCheck and gameToken. After much discussion with a good friend and colleague of mine, Praveen, we both settled on the idea that it seemed highly likely that they are using some form of salted hash for the scoreCheck value to verify the score received by the server to the request made by the SWF since the score is still being sent through the request which would be useless if encryption was being used. I am also assuming that they added in the gameToken value to authenticate the origin of request and to make sure that the SWF that is making the request is actually embedded on their website.

The idea of using request validation tokens to avoid CSRF and data alteration is nothing new. But it cannot be stressed enough, especially in the case of point based sites like Lockerz, where an attacker can exploit the system to steal expensive prizes with little to no effort. In Lockerz’s case, using a hash made a lot of sense, since you can’t really store the SWF score in a session prior to sending it off to the server for validation. But in PHP, setting a simple session token on the server and sending it through a request that you would like to protect can be simply accomplished by using the $_SESSION associative array. You can check out this article for more information and easy to understand examples demonstrating the proper use of the $_SESSION associative array in relation to avoiding CSRF attacks and validating request data in PHP.

Comcast DNS Hijacking and Web Security

Last night, a friend of mine directed me to an interesting article on Slashdot. The article publicizes Comcast’s new implementation of DNS hijacking on non-existent domains to all of their customers. Having just installed Comcast Cable a week prior to this I tried it out for myself. After going to a non-existent domain, I was immediately redirected to an ugly, ad infested page telling me that Comcast was not able to find the domain specified, and to try and respell my web address or use their search to help me find what I’m looking for.

Not only does this break internet standards, but it becomes a huge issue for IT professionals who manage the network and applications used by thousands of employees in a large company. As discussed in the comments of the article, many large companies use a split tunnel VPN to allow employees to have access to the internal mail server hosted on the company’s intranet. DNS resolution normally works by attempting to resolve a domain name primarily via the external DNS server, and if an IP is resolved, that IP will be used. If the DNS server returns NXDOMAIN, than the internal DNS server within the VPN is queried for an IP. If the internal DNS server returns an IP, than that will be used, otherwise it will return NXDOMAIN. This poses an issue to an employee using a split tunnel VPN to access the internal mail server of his/her company, because when that employees mail client attempts to resolve a domain name existent only via the VPN’s DNS server, the mail client will first query the external DNS server via their ISP. This would normally return NXDOMAIN and point the mail client to query the internal DNS server via the VPN which will return the correct IP to the mail server, but instead, anyone using a Comcast connection with their mail client would resolve an IP to Comcast’s hijacked page when the external DNS is queried for an IP, timing out the mail client.

Although Comcast does offer a way to opt-out of the service by using your modems MAC address and your customer email; it is still an obnoxious process. Although some people enjoy the help of Comcast pointing them in the right direction, many do not. Although DNS hijacking may not be new for users of the open source DNS alternative, OpenDNS, it sure is new to Comcast users.

After looking around a bit, I decided to take a more in depth look at the page that everyone is being redirected too and noticed a few serious security threats. I have contacted Comcast and made them aware of these threats.

The first thing I noticed was that the search page was vulnerable to an XSS exploit via the GET variable “url”.

http://search2.comcast.com/?cat=dnsr&con=ds&url=%3Cscript%3Ealert%28%22XSSed%22%29;%3C/script%3E

I also came across another XSS vulnerability on their SSL certified login page via the GET variable “pf_sp”.

https://login.comcast.net/login?pf_sp=%3E%22%3E%3Cscript%20%0A%0D%3Ealert%28%22XSSed%22%29%3B%3C/script%3E

I consider these XSS vulnerabilities to be quite serious considering the fact that the host is that of a trusted ISP and one of the servers is SSL certified. All it takes is a spoofed email address and some creativity to take full advantage of this vulnerability and threaten the privacy of unknowing Comcast customers.

After stumbling across this vulnerability I decided to dig a little deeper and ended up finding out a few more threats. Their Apache version is outdated, leaving their server vulnerable to moderate security threats patched in newer versions as well as the infamous Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability allowing memory corruption on the server. I also noticed that they kept their Apache server-status enabled. Intentional or unintentional, keeping this enabled gives malicious users more information than they should have access to about your server as well as access to a real time feed of every request made to the server by what looks to be Comcast customers everywhere.

Server Information:

Server Version: Apache/2.2.3 (Red Hat)
Server Built: Jan 11 2008 08:19:18
Current Time: Friday, 07-Aug-2009 00:00:18 GMT
Restart Time: Monday, 27-Jul-2009 14:57:00 GMT
Parent Server Generation: 0
Server uptime: 10 days 9 hours 3 minutes 18 seconds
Total accesses: 7652257 - Total Traffic: 18.0 GB
CPU Usage: u48.81 s5.23 cu0 cs0 - .00603% CPU load
8.53 requests/sec - 21.1 kB/second - 2527 B/request
7 requests currently being processed, 7 idle workers

Real-time server request view

Untitled-5

Enabling the Server-Status page in Apache is great for debugging and testing, but not so great for ISP’s server handling every customers search queries and misspelled domain names.

And the last thing I stumbled across was a backup of a PHP file stored on their server resulting in source code disclosure. For legal reasons I will not post the URL to the backup file, or the Server-Status page until Comcast has fixed these issues.

I am still very happy with my Comcast cable, but a little disappointed by their lack of security, server side or not, they are an ISP and should take more precautionary matters to protect their customers form such threats.

*UPDATE: Thanks to a prompt response from Giedrius Trumpickas, a principle engineer at Comcast, I have been notified that the XSS vulnerability located at https://login.comcast.net has been fixed.

Return top