Wacai (挖财) mobile app website: the cookie encryption algorithm is weak and cookies can be forged - vulnerability warning - the black bar safety net

ID MYHACK58:62201337720
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-03-12T00:00:00


Brief description:

I installed Wacai (挖财) because I wanted to sync my data, so I tested it a bit first, and found that the cookie has this problem. With a certain technique you can forge another user's cookie and log in as them, view their financial information, log in to the forum, and so on; if you forged an administrator's cookie, taking over the server probably would not be hard either. That is only speculation, I did not go further. See the detailed description below for the specifics.

Detailed description:

The encryption strength of the Wacai cookie is insufficient, and it only authenticates the user name. I spent half a day trying to work out the exact encryption algorithm and could not (I have forgotten all my maths), but I could feel out that it is not complicated. The user field in the cookie should hold the email address the user registered with. The captured cookie turned out to be base64 encoded; after decoding it looks like garbage, but viewed in hexadecimal the number of bytes is the same as the number of characters in the registered email. Analysis showed that although the same character encrypts to a different value at different positions, a character at the same position always encrypts to the same value, so we expect the following method to forge a valid cookie.

Vulnerability proof:

Specific test procedure:

First register an account yourself and fill in some spending records, to serve as the attack target.

Because we already know that a character at the same position encrypts to the same value, we need to register two accounts whose cookies can be spliced together into the target user's. The two accounts each need to differ from the target by one character, so I registered the following two accounts: We only need to take the first character of the second user's base64-decoded cookie and use it to replace the first character of the first user's base64-decoded cookie, then base64-encode again, and the forgery of the target user's cookie is complete.

Record the first character of the second user's cookie after base64 decoding:

You can see it is 1 1. Now modify the first user's cookie:


Change 1d to 1 1 and base64-encode again to generate the target cookie:

Then you can log in to the site with this cookie :D

Modify the cookie:

Refresh the page, and it shows as logged in.
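As an added illustration (not code from the advisory or from Wacai; the cipher, keystream, secret and email addresses are all constructed), the Python below models a cookie whose bytes are encrypted position by position with a fixed keystream, shows why the splice described above yields a valid cookie for a third account, and shows the fix: an HMAC over the cookie bytes with a server-side secret, under which any spliced cookie fails verification.

```python
import base64
import hashlib
import hmac
import os

# Constructed toy cipher: byte i of the email is XORed with a fixed keystream byte.
# This reproduces the property observed in the advisory: a character at a given
# position always encrypts to the same value, independent of the other characters.
KEYSTREAM = bytes(range(0x20, 0x60))  # constructed, not Wacai's real key material


def weak_encrypt_cookie(email: str) -> str:
    ct = bytes(b ^ KEYSTREAM[i] for i, b in enumerate(email.encode()))
    return base64.b64encode(ct).decode()


def weak_decrypt_cookie(cookie: str) -> str:
    ct = base64.b64decode(cookie)
    return bytes(b ^ KEYSTREAM[i] for i, b in enumerate(ct)).decode()


def splice_first_byte(cookie_a: str, cookie_b: str) -> str:
    """The splice from the advisory: first decoded byte of B's cookie into A's."""
    a = bytearray(base64.b64decode(cookie_a))
    a[0] = base64.b64decode(cookie_b)[0]
    return base64.b64encode(bytes(a)).decode()


# Hardened form: encrypt-then-MAC. The server keeps a secret and appends an
# HMAC-SHA256 tag over the ciphertext, so any byte change invalidates the cookie.
SERVER_SECRET = os.urandom(32)  # constructed; a real server loads this from config
TAG_LEN = hashlib.sha256().digest_size


def signed_cookie(email: str) -> str:
    ct = base64.b64decode(weak_encrypt_cookie(email))
    tag = hmac.new(SERVER_SECRET, ct, hashlib.sha256).digest()
    return base64.b64encode(ct + tag).decode()


def verify_signed_cookie(cookie: str):
    """Return the email if the tag is valid, otherwise None (reject the cookie)."""
    raw = base64.b64decode(cookie)
    if len(raw) <= TAG_LEN:
        return None
    ct, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_SECRET, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(b ^ KEYSTREAM[i] for i, b in enumerate(ct)).decode()
```

Under the toy cipher, splicing the first byte of `vxxxxx@example.com`'s cookie into `xictim@example.com`'s decrypts to `victim@example.com`, a third account neither attacker-controlled login ever held; the same splice against the signed cookie returns None.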

