Tuesday, March 20, 2007

One time URLs first implementation broken!


This is w.r.t. http://onetimeurls.databasement.net/index.php

As always, the developers think their code is bullet-proof, when in fact it contains basic flaws. (No offence meant, I'm just being philosophical.)

Here is the PoC showing how to break it.

Paste the following into the textarea on the above page:

<script>
url_randomizer.go("http://wasjournal.blogspot.com/2007/03/one-time-urls-first-implementation.html");
</script>

And it will break the protection.

As you would have correctly guessed, the code allows ANY URL to be passed to url_randomizer.go, so an injected script can point the randomised request at a host of its choosing.
The fix is therefore to hardcode the proto://host:port part and let the caller supply only the remainder.


Earlier I was trying a different approach that stays on the same page.
I was trying to load "file:///c:/dummy.txt"
and hoping to get an exception like
"Security error : access denied to url file:///c:/dummy.txt?rand=xyz"

But it seems the security warning is not visible to the JavaScript on the page.

Anyway,

Let me try some other approach and get back if I find something.

2 comments:

kuza55 said...

Nice find Kishor, :)

The open source idea seems to hold true; many eyes find many more bugs.

Let's hope we find all the issues with the PoC.

Martin J. said...

Hey Kishor,

thanks for your effort and for disclosing the issue. Actually I was aware of the problem once, back when we were actively working on the paper in early 2006. I remember discussing the issue with Christian W., who did the practical implementation of the Deferred Loading and Subdomain Switching parts, but I obviously forgot to include a countermeasure in the prototype (a lame excuse, but true). As you already wrote, a defence against the attack is possible. I will update the prototype accordingly in a while (I saw your request for a fix at sl.ackers.net).

Just for the record: I have never considered my code to be bullet-proof. In hindsight I think my coding of the PoC was rather sloppy. When I wrote it, I was mainly interested to see if it is actually possible to hide information from malicious JavaScript and was therefore too preoccupied to consider attacks like the one you found or kuza55's watch()-attack. This is what you get when you publish half-baked code :)

Best,
Martin