Wacai (挖财) mobile app finance website: the cookie encryption algorithm is weak and cookies can be forged - vulnerability warning - Black Bar Safety Net (myhack58)

2013-03-12T00:00:00
ID MYHACK58:62201337720
Type myhack58
Reporter 佚名 (anonymous)
Modified 2013-03-12T00:00:00

Description

Brief description:

I installed Wacai because I wanted to sync my data, so I poked at it a little first, and found this problem with its cookie. With a little work, another user's cookie can be forged and used to log in, after which that user's financial records can be read, the forum can be entered as that user, and so on. If the administrator's cookie were forged, taking over the server would probably not be hard either; that is only speculation, I did not go that far. The specifics are in the details below.

Detailed description:

The encryption Wacai applies to its cookie is not strong enough, and the cookie carries nothing but the user name, so the user name is all the server authenticates. I could not work out the exact algorithm (my mathematics is long forgotten), but it is clearly not complicated. The user field of the cookie appears to hold the email address used at registration. A captured cookie is base64-encoded; the decoded value looks like garbage, but viewed in hexadecimal it has exactly as many bytes as the registered email has characters. Analysis showed that, while the same character encrypts to different values at different positions, a given character at a given position always encrypts to the same value. That is a position-wise substitution with no integrity check, so bytes can be mixed between cookies, and the following method forges a valid cookie.

Vulnerability proof:

Specific test procedure:

First register an account of your own, t0x6@x.com, and enter some spending records; this account is the attack target.


Because the same character at the same position always yields the same encrypted byte, two accounts we control can be spliced together to produce the target. One account must match the target at every position except one; the other must carry the target's character at that one position. So I registered the following two accounts: x0x6@x.com (differs from the target only in the first character) and tu0s@x.com (shares the target's first character, 't'). All that is needed is to take the first byte of the second user's base64-decoded cookie, write it over the first byte of the first user's base64-decoded cookie, and base64-encode the result again; that completes the forgery of the target user's cookie.

First record the first byte of the second user's base64-decoded cookie: it is 0x11. Then take the first user's cookie, decode it, change its first byte from 0x1d to 0x11, and base64-encode it again to obtain the target's cookie.


This cookie can now be used to log in to the site :D

Set the forged cookie in the browser, refresh, and the page shows us logged in as the target user.
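The splice described above, as an added example that is not code from the write-up or from Wacai. The write-up never recovered the real algorithm, so the server side here is a stand-in: a fixed per-position XOR key (DEMO_KEY, made up for this demo), the simplest cipher with the observed property that a character at a given position always produces the same byte. The two bytes in the write-up are in fact consistent with XOR, since 'x' (0x78) XOR 0x1d and 't' (0x74) XOR 0x11 both give 0x65, so the demo key's first byte is set to 0x65 to reproduce them; that is an inference from two bytes, not something the write-up established. The example also generalizes the two-account splice to any number of controlled accounts (forge_cookie picks a donor account per position), and ends with an HMAC-signed cookie of the kind that defeats the splice; the secret and account names are hypothetical.

```python
"""Forging a cookie produced by a position-wise substitution cipher (demo)."""
import base64
import hashlib
import hmac

# Hypothetical server key. Byte 0 is 0x65 so the demo reproduces the bytes
# seen in the write-up ('x' -> 0x1d, 't' -> 0x11); the rest are arbitrary.
DEMO_KEY = bytes([0x65]) + bytes(range(0x20, 0x20 + 31))
DEMO_SECRET = b"hypothetical-server-secret"  # for the hardened variant only


def weak_encrypt(email: str) -> str:
    """Stand-in server cipher: XOR byte i with key byte i, then base64."""
    enc = bytes(b ^ DEMO_KEY[i] for i, b in enumerate(email.encode()))
    return base64.b64encode(enc).decode()


def weak_decrypt(cookie: str) -> str:
    """Stand-in server login: whatever decrypts is trusted as the user name."""
    enc = base64.b64decode(cookie)
    return bytes(b ^ DEMO_KEY[i] for i, b in enumerate(enc)).decode(errors="replace")


def cookie_byte(cookie: str, position: int) -> int:
    """Byte at `position` of a base64 cookie, as seen in a hex editor."""
    return base64.b64decode(cookie)[position]


def infer_xor_key_byte(plain_char: str, cipher_byte: int) -> int:
    """If the cipher is XOR with a fixed key, plaintext ^ ciphertext is the key byte."""
    return ord(plain_char) ^ cipher_byte


def forge_cookie(target: str, known: dict) -> str:
    """Attacker side: assemble the target's cookie one byte at a time from the
    cookies of accounts we control (known = {email: cookie}). Position i is
    taken from any controlled email that has target[i] at position i. The
    write-up's two-account splice is the case where one account covers every
    position but one and the other supplies that single byte."""
    decoded = {email: base64.b64decode(c) for email, c in known.items()}
    out = bytearray()
    for i, ch in enumerate(target):
        donor = next((e for e in decoded if len(e) > i and e[i] == ch), None)
        if donor is None:
            raise ValueError(f"no controlled account supplies {ch!r} at position {i}")
        out.append(decoded[donor][i])
    return base64.b64encode(bytes(out)).decode()


def signed_cookie(email: str, secret: bytes) -> str:
    """Hardened variant: body plus an HMAC over it, so no byte can be changed."""
    body = base64.urlsafe_b64encode(email.encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_signed_cookie(cookie: str, secret: bytes):
    """Returns the email if the tag verifies, else None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return base64.urlsafe_b64decode(body).decode()


def splice_signed_cookie(cookie_a: str, cookie_b: str, position: int) -> str:
    """Same splice applied to the signed cookie: body byte from b, tag from a."""
    body_a, _, tag_a = cookie_a.rpartition(".")
    body_b = cookie_b.rpartition(".")[0]
    raw = bytearray(base64.urlsafe_b64decode(body_a))
    raw[position] = base64.urlsafe_b64decode(body_b)[position]
    return base64.urlsafe_b64encode(bytes(raw)).decode() + "." + tag_a


if __name__ == "__main__":
    # The write-up's accounts (constructed input): target and two donors.
    target = "t0x6@x.com"
    known = {e: weak_encrypt(e) for e in ("x0x6@x.com", "tu0s@x.com")}
    print("byte 0 of x0x6 cookie: 0x%02x" % cookie_byte(known["x0x6@x.com"], 0))
    print("byte 0 of tu0s cookie: 0x%02x" % cookie_byte(known["tu0s@x.com"], 0))
    forged = forge_cookie(target, known)
    print("forged cookie logs in as:", weak_decrypt(forged))
    a = signed_cookie("x0x6@x.com", DEMO_SECRET)
    b = signed_cookie("tu0s@x.com", DEMO_SECRET)
    print("spliced signed cookie verifies as:",
          verify_signed_cookie(splice_signed_cookie(a, b, 0), DEMO_SECRET))
```

Note what the forgery does and does not require: no key recovery at all, only two registrations and a hex editor, because each byte can be treated independently. That is why the fix is not a stronger cipher but an integrity check (an HMAC over the cookie, or better an opaque random session identifier looked up server-side), which makes any modified byte fail verification regardless of how the body is encoded.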
