Security research, news and guidance

Can you find the vulnerabilities?

October 22, 2009  |  Written by Security Ninja  |   Application Security, Hacking   |   6 Comments

Hi everyone,

I often talk about how to write secure code and how to prevent common vulnerabilities so I have decided to cover something slightly different in this blog post.

The ability to identify vulnerabilities in code is an important skill for security professionals and developers to learn because if you don’t find the flaws someone else will do. This blog post includes five examples of insecure code which you should try to analyse and see if you can find the vulnerabilities, I will post a follow up to this post next week with a detailed breakdown of the vulnerabilities and how the Principles of Secure Development would have prevented them.

The examples used in this post are a mix of fictional and real world code from open source projects. In some of the examples I have taken out some sections of the code and only included the vulnerable pieces of code.

The following resources will help you during your analysis:

The Principles of Secure Development

OWASP Code Review Guide

The five examples can be seen below, I hope you have fun solving them.

Example One

#!/usr/bin/perl
use CGI;
my $cgi = CGI->new();
my $value = $cgi->param(‘value’);
print $cgi->header();
print “You entered $value”;

Example Two

<SCRIPT>
var pos=document.URL.indexOf(“name=”)+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>

Example Three

Web Page:

<div class=”body_padded”>
<h1>Message Board: Add Message</h1>

<div class=”Add_New_Message”>

<form method=”post” name=”messageform” onsubmit=”return validate_form(this)”>
<table width=”550″ border=”0″ cellpadding=”2″ cellspacing=”1″>
<tr>
<td width=”100″>Name *</td> <td>
<input name=”Name” type=”text” size=”30″ maxlength=”10″></td>
</tr>
<tr>
<td width=”100″>Message *</td> <td>
<textarea name=”Message” cols=”50″ rows=”3″ maxlength=”50″></textarea></td>
</tr>
<tr>
<td width=”100″>&nbsp;</td>
<td>
<input name=”addbtn” type=”submit” value=”Add Message” onClick=”return checkForm();”></td>
</tr>
</table>
</form>

{$html}

</div>

Backend:

<?php

if(isset($_POST[‘addbtn’]))
{

$message = trim($_POST[‘Message’]);
$name    = trim($_POST[‘Name’]);

$message = stripslashes($message);
$message = mysql_real_escape_string($message);

$name = mysql_real_escape_string($name);

$query = “INSERT INTO messages (comment,name) VALUES (‘$message’,’$name’);”;

$result = mysql_query($query) or die(‘<pre>’ . mysql_error() . ‘</pre>’ );

}

?>

Example Four

<?
$PAGE = array (
“root” => “./”,
“title” => “Search”,
);

chdir($PAGE[“root”]);
include “./inc/global.inc.php”;

$smileys = FS_GetFiles(“./img/smiley/”);
if ($QUERY == “”) {
$signs = DB_Execute(“SELECT * FROM `blah_signs` ORDER BY `code` DESC”);
} else {
$signs = DB_Execute(“SELECT * FROM `blah_signs` WHERE (`sign` LIKE ‘%” . $QUERY . “%’) ORDER BY `code` DESC”);
}
$BROWSE = NUM_GetBrowseNumbers(mysql_num_rows($signs), $CONFIG[“sign_per_page”], $pg);
?>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>

<html>

<head>
<? echo PG_Headers(); ?>

Example Five

Web Page:

<html>

<head>
<? echo PG_Headers(); ?>
<script language=”JavaScript” type=”text/javascript”>
<!–
function CheckForm(formID) {
if (formID.USERNAME.value == “”) {
alert(“Please enter your username before submit”);
formID.USERNAME.focus();
return false;
}

if (formID.PASSWORD.value == “”) {
alert(“Please enter your password before submit”);
formID.PASSWORD.focus();
return false;
}

return true;
}
//–>
</script>
</head>

Backend:

<?
$PAGE = array (
“root” => “../”,
“title” => “Administration – Login”,
);

chdir($PAGE[“root”]);
include “./inc/global.inc.php”;

$ACCEPTED = false;
$URL = “./index.php”;
$admin = DB_Execute(“SELECT * FROM `blah_admins` WHERE ((`username` = ‘” . $USERNAME . “‘) AND (`password` = ‘” .

STR_EnCode($PASSWORD) . “‘))”);
if (mysql_num_rows($admin) == 1) {
$ACCEPTED = true;
$secCode = STR_RandomString(25);
DB_Execute(“UPDATE `blah_admins` SET `seccode` = ‘” . $secCode . “‘ WHERE ((`username` = ‘” . $USERNAME . “‘)

AND (`password` = ‘” . STR_EnCode($PASSWORD) . “‘))”);

$URL = “./index.php?a=” . mysql_result($admin, 0, “username”) . “&s=” . $secCode;
}
?>

Have fun bug hunting! I’m sorry for everything being left aligned, I’m trying to fix that!

SN

This entry was posted on October 22, 2009 at 2:03 pm and is filed under Application Security, Hacking . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

6 comments   >

  1. Kent Brewster says:

    Example Three–in addition to having funky backslashes before each double-quote–has no validate_form or check_form code, so whatever you post will go straight up onto the site after showing a JavaScript error. If you happen to post something that breaks the back end, printing mysql_error() to the page will reveal a lot about your database structure.

  2. Brett Hardin says:

    This is very similar post to spotthevuln.com. Have you seen it?

  3. Pingback: uberVU - social comments

  4. Security Ninja says:

    Hi

    Thanks for the comments so far.

    Kent – I should have copied up the validation code that you mentioned, assuming that is all present and correct you have picked up one issue – another one still remains un-found :)

    Brett – I think I saw someone mention the spotthevuln site when the first code snippet was posted, it certainly looked familiar when I visited the site after your comment.

    If you want a clue I will give you one:

    The open source project that some of the code came from had exploit code posted for 3 of its vulnerabilities on Milw0rm this week (posted on the 21st October).

    SN

  5. Pingback: Jak można przegapić DOM based XSS

  6. tjDubs says:

    Is the html example showing both the username and password as focus? Can’t be that simple. Thanks for exposing me to such cool code.

Leave a comment

VIDEOS & SLIDESHARES

Look at our latest security Videos & SlideShares

EVENTS & SEMINARS

Upcoming Security Events & Seminars

PODCASTS & DOWNLOADS

Check out our Podcasts & White Papers