Monday, November 26, 2007

Further Exploration


In further exploring this site, I was able to read the raw JavaScript code and understand the logic they use for this login mechanism. Below is a sample of the login validation, and it shows that I was wrong in my initial assumption that the login ID must be exactly 6 characters: it must be a MINIMUM of 6 characters, not exactly 6. Thanks to the developer, I don't even have to understand the code to learn this; it is stated in the comments. That is a big "no no" for production code: don't tell me anything about the app. YOU need to know what is going on, not me!

// newLine() is called by the site's code but is not shown on the page; a one-line
// stand-in is assumed here so the two functions below can run as written.
function newLine() { return "\n"; }

function validateLogonId(inLogonId, inVLogonId) {
    var nl = newLine();
    if (inLogonId != inVLogonId) {
        alert(nl + "New Logon ID and Verify Logon ID do not match.");
        return false;
    }
    return verifyLogonIdContents(inLogonId);
}

function verifyLogonIdContents(inLogonId) {
    var nl = newLine();
    var nLogonIdLen = inLogonId.length;

    // must contain at least 6 or more characters
    if (nLogonIdLen < 6) {
        // the site's alert text for this branch did not survive extraction; wording assumed
        alert(nl + "Logon ID must contain at least 6 characters.");
        return false;
    }

    // every character must come from the allowed set
    for (var i = 0; i < nLogonIdLen; i++) {
        var ch = inLogonId.substring(i, i + 1);
        if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
            (ch >= '0' && ch <= '9') || (ch == '@') || (ch == '.') ||
            (ch == '-') || (ch == '_')) {
            ; // valid character, do nothing
        } else {
            alert(nl + "Logon ID may only contain letters, numbers," + nl +
                  "periods, dashes(-), underscores(_)," + nl + "and the @ symbol.");
            return false;
        }
    }

    // appears to be properly formatted
    return true;
}

Here is a sample of the field filler I mentioned and the blank field error condition:

function validateLogonForm(curForm) {   // function header and "var nl" are assumed; not on the page
    var nl = newLine();
    if (curForm.LOGNID.value == "") {
        alert(nl + "The Logon ID field is a required entry."); curForm.LOGNID.focus();
        return false;
    }
    if (curForm.LOGNID.value.length < 6) {   // the "filler": left-pad short IDs with zeros to 6 characters
        var logonid = "000000" + curForm.LOGNID.value;
        var newlogonid = logonid.substring(logonid.length - 6, logonid.length);
        curForm.LOGNID.value = newlogonid;
    }
    inProgress = 1;
    return true;
}

Again, if I were to break the submit process using a proxy, would I be able to alter this logic and say (in English) "if you enter a blank (no characters) as a username", the condition is true, and allow a null login? Yes, that would work; however, due to the fact that there is no null entry, by nature of its denial, I would assume that if there is a second form of authentication here, I would also need to break on that and force a true statement no matter what the input. This process depends on the presence of data sanitization; if there is none, we can perform this level of attack successfully.
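The sanitization the paragraph above depends on has to live on the server, because a proxy can rewrite or skip everything the browser's JavaScript does. The following is an added example, not code from the site or from this post: a server-side re-implementation of the same Logon ID rules (minimum 6 characters, the allowed character set, no blanks) plus the zero-padding filler, so the effect of the filler on empty and short values can be seen. The function names, the regular expression and the sample submissions are all assumptions constructed for this illustration.

```javascript
// Added example (not the site's code): server-side counterpart of the browser checks.
// The client-side alert()/focus() logic is replaced by a result object the server
// can log and act on, because nothing the browser sent can be trusted.

var MIN_LOGON_ID_LEN = 6;
// Same allowed set as the browser check: letters, digits, '@', '.', '-', '_'
var LOGON_ID_CHAR_RE = /^[A-Za-z0-9@.\-_]+$/;

// Re-applies the verifyLogonIdContents() rules on the server side.
// Returns { ok, reason } instead of alerting; the caller decides what to log.
function validateLogonIdServerSide(submitted) {
  if (typeof submitted !== "string") {
    return { ok: false, reason: "missing" };       // field absent from the post
  }
  if (submitted.length === 0) {
    return { ok: false, reason: "empty" };         // blank must be rejected before any padding
  }
  if (submitted.length < MIN_LOGON_ID_LEN) {
    return { ok: false, reason: "too short" };     // do not rely on the browser's filler
  }
  if (!LOGON_ID_CHAR_RE.test(submitted)) {
    return { ok: false, reason: "bad character" };
  }
  return { ok: true, reason: "" };
}

// Mirrors the browser-side filler so its behaviour is explicit: short values are
// left-padded with zeros to six characters, so "123" and "000123" name the same
// logon, and an empty string (if the blank check were skipped) becomes "000000".
// If the server canonicalises at all, it must do so consistently for every lookup.
function canonicaliseLogonId(value) {
  if (value.length >= MIN_LOGON_ID_LEN) return value;
  var padded = "000000" + value;
  return padded.substring(padded.length - MIN_LOGON_ID_LEN, padded.length);
}

// Constructed sample submissions (no real accounts), as they might arrive after a
// proxy has altered the form post and bypassed the browser checks.
var SAMPLE_SUBMISSIONS = ["", "123", "000123", "jsmith", "j.smith@example.com", "j smith", "jsmith!"];

// Runs every sample through the server-side check and returns the verdicts by value.
function checkSamples(values) {
  var results = {};
  for (var i = 0; i < values.length; i++) {
    results[values[i]] = validateLogonIdServerSide(values[i]);
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  var verdicts = checkSamples(SAMPLE_SUBMISSIONS);
  for (var k in verdicts) {
    console.log(JSON.stringify(k), "->", verdicts[k].ok ? "accepted" : "rejected: " + verdicts[k].reason);
  }
  console.log('filler: "123" ->', canonicaliseLogonId("123"), '; "" ->', canonicaliseLogonId(""));
}
```

The important design choice is ordering: the server rejects an empty value before any padding is applied, exactly the case the paragraph above is probing, and it never uses the padded value as evidence that the length rule was satisfied.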
