[Bkjia.com exclusive article] There are many forums and communities on the Internet. Most forums run forum software whose code can be downloaded and used free of charge; many people study that code, so there are already plenty of security articles about it, and I will not repeat them here. This article focuses instead on finding and exploiting security bugs in some virtual communities. Because they are communities developed by large websites, and to avoid causing harm, I will not post screenshots or describe them in detail; they are referred to only as A and B. Please do not try to identify them, since I have altered some details.
First, how to use Achilles. Achilles is a local proxy server; when started it listens on port 5000. In IE, set the proxy server address to 127.0.0.1 and the port to 5000, then in Achilles select Intercept mode ON, Intercept Client Data, and Ignore .jpg/.gif. Click the Start Proxy icon in the upper left corner and Achilles will track the HTTP session. (figure 1)
The communities of large websites are mostly developed in-house, so we cannot see the code (and even if we could, it would be of no use to someone who does not understand ASP, JSP, PHP, ASP.NET or whatever other language it is written in). We can only rely on a large number of tests to find security bugs in such a community. My practice is to register a user first, then look at what functions the community offers and which of them might be abused by an attacker.
Community A is written in ASP and has a limited set of functions, mainly the forum. Let's look at its security. First, register a user. The user name may only consist of digits, letters and underscores. Because the administrator's user name in this community is admin, we try to register <A> admin </A>. If the registration succeeds, then after entering the community you will find that your id is displayed as admin, because the <A> </A> tags are not rendered, and it is even possible that your permissions become those of the administrator. (I have tested this successfully on two other small community code bases that I wrote for webmasters, but not on the large community tested here.) Of course the registration will not succeed as submitted: the page's script detects the invalid characters in the user name and rejects it. This is where Achilles helps. Switch to Achilles, look at the captured request, find the user name you registered (admin), change it to <A> admin </A> (or admin <A> </A>), and click Send. After a moment the website responds with "registration successful". Now post a message: your user name is displayed as admin, although your real user name is <A> admin </A>. If someone changed their profile picture and nickname to match admin, posted as admin, disrupted the community and cheated its users, it would certainly damage the community's reputation.

Since we can submit a user name containing HTML, can this bug be pushed further? Could ASP Trojan code be used as the registration name? I don't think so. The first reason is that ASP Trojans are far too long (I have never seen a one-line Trojan and do not know under what circumstances one would apply); it would surely exceed the length limit of the user name field. The second reason: when the form is submitted, its fields are joined with the "&" symbol.
I checked the ASP Trojan code and it all seems to contain the "&" symbol, so that will not work. However, you can submit a snippet of image HTML as the user name, and the community will then display my user name as an image. Smart readers can think about how this bug might be used.
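As an added illustration (not code from the original article or from either community, which are written in ASP and JSP), here is the server-side check that would have stopped the proxy-modified registration above: the user-name rule that the page enforced only in the browser is applied again on the server, the administrator's name is reserved, and stored names are HTML-escaped when shown in posts. The length bounds, the reserved-name list and the sample submissions are assumptions constructed for the example.

```python
import html
import re

# Server-side user-name policy: digits, letters and underscores only, as the
# community's registration page states. The browser-side check was bypassed with
# a local proxy, so the same rule has to be enforced here, on the decoded POST value.
# The 3..20 length bounds are an assumption for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")

# Names ordinary users may never register (the article names "admin").
RESERVED = {"admin"}


def validate_username(raw):
    """Return (accepted, reason). Runs on the server, never only in the page script."""
    if not USERNAME_RE.fullmatch(raw):
        return False, "username contains invalid characters"
    # Compare case-insensitively so Admin / ADMIN cannot pass as a different name.
    if raw.lower() in RESERVED:
        return False, "username is reserved"
    return True, "ok"


def render_author(username):
    """Escape a stored user name before placing it in a post's HTML, so that a
    name containing tags is shown as text rather than interpreted as markup."""
    return html.escape(username, quote=True)


# Constructed sample submissions: a normal client's value, the reserved name,
# and the proxy-modified values from the article.
SAMPLES = [
    "user_123",
    "admin",
    "<A> admin </A>",
    "admin <A> </A>",
    "<img src=x>",
]

if __name__ == "__main__":
    for name in SAMPLES:
        ok, why = validate_username(name)
        print(f"{name!r}: {'accepted' if ok else 'rejected'} ({why})")
    # Even if a tagged name had already reached the database, escaping on output
    # keeps the tags visible instead of hiding them as the community did:
    print(render_author("<A> admin </A>"))  # &lt;A&gt; admin &lt;/A&gt;
```

Both halves matter: the regex stops the tagged name from being stored, and the output escaping means a name that slipped through some other path still cannot masquerade as admin on the page.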
Community B is developed in JSP. It has many subsystems, including a forum, a diary system, an auction center and a dating system, so it offers many functions. But the more powerful the functions, the higher the risk of vulnerabilities. This community previously had an ID spoofing problem; I found it and reported it to the community administrator. A few days later the vulnerability was fixed, and when I retested it with IECV by the earlier method I found no problem. This time I will check for other bugs. Register an ordinary user, make a post, run Achilles, click "edit" and analyze the intercepted data. It turns out that identity authentication relies only on an idnumber (in this community each user has, besides a user name, an idnumber, which is unique) and a JSESSIONID. Change the idnumber in all the intercepted packets to the administrator's idnumber and submit the modified data: the person shown as having edited the post is not my current user but the administrator. The JSESSIONID is essentially meaningless here. Since you can edit a post as someone else, I thought this bug could be used in the other subsystems too, and testing showed that this is indeed the case.
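Added example, not the community's own code (which is JSP): a Python sketch of the post-editing check in the vulnerable form described above, which trusts the idnumber field in the request, next to a fixed form that takes the acting user only from the server-side session keyed by JSESSIONID, checks ownership against that user, and records any disagreement between the submitted idnumber and the session's user as an audit event. The session table, posts and idnumbers are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the server-side session store: JSESSIONID -> idnumber.
SESSIONS = {
    "sess-ordinary-user": "1002",
    "sess-admin": "1000",
}


@dataclass
class Post:
    post_id: int
    owner_idnumber: str
    body: str


# Constructed post table: post 1 belongs to the ordinary user, post 2 to the administrator.
POSTS = {
    1: Post(1, "1002", "hello from the ordinary user"),
    2: Post(2, "1000", "announcement from the administrator"),
}

AUDIT = []  # stand-in for the application log


def edit_post_vulnerable(jsessionid, idnumber, post_id, new_body):
    """The design the article describes: the idnumber in the request body decides
    who is acting, and the JSESSIONID is never consulted."""
    post = POSTS[post_id]
    if post.owner_idnumber != idnumber:
        return "denied: not the owner"
    post.body = new_body
    return f"edited as {idnumber}"


def edit_post_fixed(jsessionid, idnumber, post_id, new_body):
    """Fixed design: the acting user comes from the server-side session only.
    The idnumber field may still arrive in the request, but it is never trusted;
    a disagreement with the session is logged as a tampering indicator."""
    actor = SESSIONS.get(jsessionid)
    if actor is None:
        return "denied: no valid session"
    if idnumber != actor:
        # The client claimed an identity its session does not hold. This is exactly
        # the modified request from the article, so it deserves an alert, not just a refusal.
        AUDIT.append(f"idnumber mismatch: session={actor} submitted={idnumber} post={post_id}")
    post = POSTS.get(post_id)
    if post is None:
        return "denied: no such post"
    if post.owner_idnumber != actor:
        return "denied: not the owner"
    post.body = new_body
    return f"edited as {actor}"


if __name__ == "__main__":
    # Ordinary user's session, but the request carries the administrator's idnumber.
    print(edit_post_vulnerable("sess-ordinary-user", "1000", 2, "changed by someone else"))  # edited as 1000
    print(edit_post_fixed("sess-ordinary-user", "1000", 2, "changed by someone else"))       # denied: not the owner
    print(edit_post_fixed("sess-admin", "1000", 2, "updated announcement"))                  # edited as 1000
    for line in AUDIT:
        print("AUDIT", line)
```

The same rule fixes every subsystem the article mentions at once: whatever the form carries, the identity used for authorization is the one the server bound to the session at login, and the edit is permitted only if that identity owns the object.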
Summary: This article is intended for the wide range of web application developers. If it makes them aware of the consequences of careless coding, and corrects the mistaken idea that everything is fine as long as outsiders cannot see the community's code, then my goal has been achieved. As for how to fix the problems described above, I think everyone can find a solution. I have informed the administrators of these communities of the bugs. One last sentence: this method is for research only; do not use it to cause damage. Anyone who causes losses with this method is responsible for them; I am not. Test environment: win2000 Advanced Server Edition (sp4)