Thanks to Feiyu, a security engineer at an e-commerce platform, for discussing this fix with me. During security testing we regularly run into problems caused by verification codes (CAPTCHAs); even the login and verification pages of some banks and e-commerce sites have this flaw. Once it is abused for credential-stuffing ("collision") attacks, it becomes a serious threat to user account security and to the site's load. The root cause is not complicated: it is mostly a lack of security awareness during development, which leads to an oversight.
Today I felt like writing a small simulation of the verification-code problem. Let's start with the front-end page:
<!DOCTYPE html>
You can see that the verification code image is generated by captacha.php.
Let's extract the key part of captacha.php for analysis:
$_SESSION['authcode'] = $captch_code;
The generated $captch_code is stored as plain text in a temporary session variable.
After the front-end form is submitted, form.php checks whether the POSTed verification code matches the value in the session:
<?php
if (isset($_REQUEST['autocode'])) {
    session_start();
    // Vulnerable version: the stored code is compared but never cleared.
    if (strtolower($_POST['autocode']) == $_SESSION['authcode']) {
        echo 'right';
    } else {
        echo 'wrong';
    }
    exit();
}
?>
Everything seems fine: a verification code is in place (automated machine recognition of the image is outside the scope of this discussion).
Correct input returns "right":
Incorrect input returns "wrong":
Now for the vulnerability. Open Burp Suite, intercept the request that submits the verification code, and replay it:
The verification code can be replayed indefinitely: it never expires.
How to fix it bothered me for quite a while, but eventually I had an idea.
In fact, our test reports have long said that the verification code's session value should expire at the right time; the question is how to implement that. After some thought, it can be handled like this:
<?php
if (isset($_REQUEST['autocode'])) {
    session_start();
    if (empty($_SESSION['authcode'])) {
        // No unused code in the session (already consumed or never issued).
        // The body of this branch was lost from the page; treat it as a failed check.
        echo 'wrong';
    } elseif (strtolower($_POST['autocode']) === $_SESSION['authcode']) {
        echo 'right';
    } else {
        echo 'wrong';
    }
    // Clear the stored code after every form submission so it cannot be replayed.
    unset($_SESSION['authcode']);
    exit();
}
?>
The effect is as follows:
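As an added example (not the post's own code), the same fix carried one step further: the stored code is removed before the comparison, so a replayed request finds nothing to match, and a validity window is enforced as well. A plain array stands in for $_SESSION so it runs from the command line; the names store_captcha, verify_captcha and CAPTCHA_TTL are assumed.

```php
<?php
// Single-use, time-limited verification-code check (assumed names throughout).
const CAPTCHA_TTL = 300; // seconds a code stays valid (assumed value)

// Store a freshly generated code together with its creation time.
function store_captcha(array &$session, string $code, int $now): void
{
    $session['authcode']    = strtolower($code);
    $session['authcode_ts'] = $now;
}

// Returns true at most once per generated code: the stored value is removed
// before the answer is compared, so a replayed request has nothing to match.
function verify_captcha(array &$session, ?string $submitted, int $now): bool
{
    if (!isset($session['authcode'], $session['authcode_ts'])) {
        return false; // no code issued, or already consumed
    }
    $expected = $session['authcode'];
    $issued   = $session['authcode_ts'];
    unset($session['authcode'], $session['authcode_ts']); // consume first

    if ($submitted === null || $now - $issued > CAPTCHA_TTL) {
        return false; // missing answer or expired code
    }
    // Strict, constant-time string comparison instead of loose ==.
    return hash_equals($expected, strtolower($submitted));
}

// Demonstration with a constructed array standing in for $_SESSION.
$session = [];
store_captcha($session, 'Ab3X', 1000);
var_dump(verify_captcha($session, 'ab3x', 1010)); // first use of the code
var_dump(verify_captcha($session, 'ab3x', 1011)); // same request replayed

store_captcha($session, 'Qz9K', 2000);
var_dump(verify_captcha($session, 'qz9k', 2400)); // submitted after the TTL
```

In a real handler the array is $_SESSION after session_start(), and a failed check should also trigger generation of a new code so the user can retry.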
If anything here is wrong, corrections are welcome. Thank you.
Collision (credential-stuffing) problem caused by improper verification-code design in web security development