Security Basic Education, Season 2, Episode 1: Recover Password, Beaten Again and Again

Source: Internet
Author: User
Tags: knowledge base


Author: Zheng. Created 2015/5/19, last updated 2015/8/7.
Keywords: web security, system security, web development, password recovery, password reset
Audience: technical staff in general

Outline:
    1. The fortress was breached from within
      • Employees' fearless ignorance
      • Operational configuration exposes details
      • No defenses in the back office
    2. Same old mistakes, fought again and lost again
      • Retrieve password
      • Graphic and SMS verification codes
      • Parallel permissions
      • MD5 equals clear text
    3. Knowledge you must keep in mind
      • Form tampering
      • App tampering
      • Cross-site request forgery
0x00. Foreword

Season one of this training made two main points. First, white hats and hackers are very patient: one may be sitting on several of your vulnerabilities, waiting for the right moment, and he has many tools with which to look for that moment. Second, a successful intrusion does not need high-risk vulnerabilities; a few ordinary medium-risk ones plus a social engineering step are enough to get in.

Season two focuses on the security mistakes that almost every web engineer is prone to make. These are things you must know, and they must become ingrained development habits and ways of thinking, or the same tragedy will repeat itself.

0x01. Recover Password

The hardest-hit area of web site security is the "retrieve password" function. Many web development engineers with years of experience still have not grasped these basic security principles:
    1. The HTTP request submitted by the client is untrusted: form data may have been tampered with and verification information may be forged;
    2. The client sees everything. Everything the server sends to the client, all of it, GET/POST parameters, HTML/JS/cookies, can be read by the white hat; there are no secrets on that side;
      • A check done by JavaScript in the client is worthless: first, the white hat can trace and debug the JS in the browser and understand your algorithm; second, he can set breakpoints and modify the parameters on the stack. So the server-side check is the hard truth.
    3. The white hat is also a programmer. First, he can write all kinds of vulnerability scanning rules into a program and scan depth-first and breadth-first, so a hole on your site today may be known to him tomorrow; second, he can launch a dictionary brute-force attack, and rotating IPs is a piece of cake for him. So you have to prepare from the start: graphic verification codes, rate limiters, form tokens, signatures...
    4. Security problems are often several small problems stacked together, so do not feel that this one or that one does not matter and leave it unfixed; in the end the dike collapses from an ant hole.
1.1. You can't see it, you can't see it: self-deceiving developers

Are you sure you have never done anything like this?

Case 1: PPS, web version, forgot-password function
  • Thoughtfully implemented a "resend the password recovery email" function. Unfortunately, the email parameter that receives the message sits in the URL in clear text. wtf?!
  • The password reset email of any user can therefore be sent to a mailbox of the attacker's choosing.
  Figure 1 Recover password - Case 1
  Figure 2 Recover password - Case 1 - change the email parameter to my mailbox, leave the uid unchanged

Case 2: Handle net, app, forgot-password function
  • First, packet analysis showed that the password reset interface is also reachable over the web; second, after a mobile phone number is submitted, the server's response contains the SMS verification code. It is inside a JavaScript comment, so surely nobody can see it?
  Figure 3 Recover password - Case 2
  • This is not an isolated case. A third-party payment platform did exactly the same.

Case 3: Walk Show net and Walk Show net group-buy, forgot-password function
  • Click forgot password, choose reset by mobile phone number, click to get a verification code, and watch the AJAX request the browser sends in Firebug: the verification code comes straight back. God.
  Figure 4 Recover password - Case 3
  • Enter this code and the password is reset.
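Cases 1 to 3 share one root cause: the server lets the client decide where the credential goes, or echoes the credential back to the client. The following Python is an added example, not code from the original article or from any of the sites named above; it sketches a server-side SMS code flow in which the delivery address comes from the account record, the HTTP response carries only a masked number, and only a keyed hash of the code is kept on the server. The account data, the OUTBOX list standing in for an SMS gateway and the server key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed account store for the example: the server, not the client,
# knows where a recovery credential may be delivered.
ACCOUNTS = {
    "alice": {"uid": 1001, "email": "alice@example.com", "phone": "13800000001"},
}

# Pending codes keyed by uid.  Only a keyed hash of each code is stored, so a
# debug dump of server state does not reveal the code itself.
PENDING = {}
CODE_TTL = 300       # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5     # wrong guesses before the code is discarded (assumed value)

# Stands in for the SMS gateway; a real deployment sends these out of band.
OUTBOX = []

# Constructed server secret; in production this comes from configuration.
SERVER_KEY = b"constructed-server-secret"


def _hash_code(uid, code):
    return hmac.new(SERVER_KEY, f"{uid}:{code}".encode(), hashlib.sha256).hexdigest()


def mask_phone(phone):
    return phone[:3] + "****" + phone[-4:]


def deliver_sms(phone, code):
    OUTBOX.append((phone, code))


def start_reset(username, requested_email=None, now=None):
    """Step 1: issue a six-digit code.  requested_email is accepted only to show
    that a client-chosen destination (case 1) is ignored; delivery always goes
    to the contact on file.  The response never contains the code (cases 2, 3)."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is None:
        # Same response shape for unknown users, so names cannot be enumerated.
        return {"ok": True, "sent_to": None}
    code = f"{secrets.randbelow(10 ** 6):06d}"
    PENDING[account["uid"]] = {
        "hash": _hash_code(account["uid"], code),
        "expires": now + CODE_TTL,
        "attempts": 0,
    }
    deliver_sms(account["phone"], code)
    return {"ok": True, "sent_to": mask_phone(account["phone"])}


def verify_code(username, code, now=None):
    """Step 2: compare on the server, in constant time, with an attempt cap and
    single use, so a six-digit code cannot simply be enumerated."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    uid = account["uid"]
    pending = PENDING.get(uid)
    if pending is None or now > pending["expires"]:
        PENDING.pop(uid, None)
        return False
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        del PENDING[uid]
        return False
    if not hmac.compare_digest(pending["hash"], _hash_code(uid, code)):
        return False
    del PENDING[uid]          # single use: the code dies on first success
    return True


if __name__ == "__main__":
    resp = start_reset("alice", requested_email="attacker@example.com")
    print("response to client:", resp)           # masked phone only, no code
    phone, code = OUTBOX[-1]
    print("delivered to", phone, "and verified:", verify_code("alice", code))
```

The response dictionary is the only thing the browser or app ever receives; everything a white hat could read in Firebug from this flow is a masked number and an "ok" flag.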
Case 4: the big story, New Network Interconnection, web forgot-password function
  • The page masks the email address with asterisks on screen, very considerate, but the HTML document builds a form parameter that contains the mailbox as a plain-text string. This led to the hijacking of the Tudou domain name on May 12, 2013, an internationally famous case:
  Figure 5 Retrieve password - Case 4
  Figure 6 Recover password - Case 4 - the white hat has special tools; finding the keyword is easy
  Figure 7 Recover password - Case 4 - change the form parameter and resubmit
  Figure 7-1 Recover password - Case 4 - successful access to Tudou domain name management
  • Similar cases: WooYun: Hexun modify any user's password vulnerability.

Case 5: Sohu, web version, retrieve-password function
  • Retrieving the password requires answering a "password question", but the engineer wrote the answer in plain text inside the JS check function of the TEXTAREA control. I fainted; the engineer is truly naive;
  • Thus any Sohu user's password can be reset;
  Figure 8 Recover password - Case 5

Case 6: Station, web version, retrieve-password function
  • The reset-password link sent to the mailbox carries a token that, at a glance, is a timestamp accurate to the second, so it can easily be constructed;
  Figure 9 Recover password - Case 6

1.2. You can see it, but once I MD5 it you can't: too young, too naive developers

Some engineers learned from textbooks that may be too old, with outdated content, so they always think MD5() is a magic artifact. Against an MD5 lookup database it is equivalent to clear text.
Case 7: Odd Tiger (360), web version, recover-password function
  • The 360 password email contains a reset address of the form http://i.360.cn/findpwd/setpwdfromemail?vc=%an MD5 string%&u=blabla%40gmail.com;
  • Running the MD5 string through a lookup database gives a number like 1339744000, which looks very much like a Unix timestamp;
  • The white hat's guess, confirmed by further testing: when a user requests a password reset, the system takes the Unix timestamp of that moment, binds it to the account, records it in the password reset queue, and verifies the submitted vc parameter when the password is changed;
  • Seems reasonable, but the 360 engineers ignored one detail: the timestamp is freshly generated, so an attacker can brute-force it within a certain time window. Given any mailbox, a valid reset link can be worked out in short order;
  Figure 10 Recover password - Case 7 - MD5(timestamp)

Case 8: TripAdvisor, register-and-activate email function
  • After registering on the site, the system sends a registration email containing an activation URL. Its id parameter is the user's userid, which can be traversed, and the str parameter is MD5(id), as shown;
  Figure 11 Recover password - Case 8 - integer userid, MD5(userid)
  Figure 12 Recover password - Case 8 - feed the ciphertext to the MD5 lookup database and the plaintext appears at once
  • Thus any mailbox can be registered and activated, or every integer id can be traversed and activated.
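Cases 7 and 8 both hand out a credential derived from a value with almost no entropy, so hashing it with MD5 buys nothing. The block below is an added example, not code from the article or from 360 or TripAdvisor; it reproduces the two weak schemes on constructed values to show how small their search spaces are, then contrasts them with a credential drawn from the OS random source. The timestamp 1339744000 is used as a constructed sample modelled on the value case 7 reports, and the window width and user-id bound are assumptions chosen for the demonstration.

```python
import hashlib
import math
import secrets


def weak_timestamp_token(issued_at):
    """Case 7's scheme: MD5 of a second-precision Unix timestamp."""
    return hashlib.md5(str(int(issued_at)).encode()).hexdigest()


def weak_userid_token(uid):
    """Case 8's scheme: MD5 of the integer user id."""
    return hashlib.md5(str(uid).encode()).hexdigest()


def recover_timestamp(token, now, window_seconds):
    """Invert case 7 by trying every second in the window in which the token
    could have been issued.  The search space is the window width, not 2**128."""
    start = int(now) - window_seconds
    for ts in range(start, int(now) + 1):
        if weak_timestamp_token(ts) == token:
            return ts
    return None


def recover_userid(token, max_uid):
    """Invert case 8 by enumerating ids; an MD5 lookup database does the same
    in a single query."""
    for uid in range(1, max_uid + 1):
        if weak_userid_token(uid) == token:
            return uid
    return None


def strong_token():
    """A reset credential nobody can derive: 32 bytes from the OS CSPRNG,
    base64url encoded (43 characters, no padding)."""
    return secrets.token_urlsafe(32)


def guess_bits(scheme, window_seconds=86400, max_uid=10 ** 7):
    """Effective guessing work in bits, for comparison.  The MD5 of a
    low-entropy value is only as hard to guess as the value behind it."""
    if scheme == "md5(timestamp)":
        return math.log2(window_seconds)
    if scheme == "md5(userid)":
        return math.log2(max_uid)
    if scheme == "secrets.token_urlsafe(32)":
        return 256.0
    raise ValueError(scheme)


if __name__ == "__main__":
    issued = 1339744000                   # constructed, modelled on case 7
    vc = weak_timestamp_token(issued)
    print(vc, "->", recover_timestamp(vc, issued + 600, 3600))
    for s in ("md5(timestamp)", "md5(userid)", "secrets.token_urlsafe(32)"):
        print(f"{s:28s} {guess_bits(s):6.1f} bits")
```

A one-day window of second-precision timestamps is about 16 bits of work; no hash function makes that larger. The strong token is only half of the fix, since it must also be stored hashed, bound to the account and expired, which the binding example further down covers.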
Case 9: Sina Second-hand Housing, web version, recover-password function
  • Click forgot password, enter any user name, and observe the AJAX packet in Firebug: the server returns a JSON string that is obviously a mobile phone number, run through MD5:
  Figure 13 Retrieve password - Case 9 - AJAX returned the mobile phone number for the user name; MD5 is equivalent to clear text
  • Enter the decrypted number in the phone number box; when the focus moves away, the browser sends an AJAX request to obtain a numeric verification code (what kind of logic is this? wtf!)
  Figure 14 Retrieve password - Case 9 - OK, the numeric verification code is also MD5'd
  • MD5 lookup database again; everything is clear text. The numeric verification code turns out to be 234589; enter it and the password is reset.

1.3. Only a token: too young, too naive developers

Some engineers are really naive and introduce parallel permission vulnerabilities in all sorts of business scenarios. In their eyes, checking an input parameter such as checkcode, token or vi on the server side is very impressive: once it is verified, anything goes. So a token issued to user A can be used to change user B's data. What is a parallel permission vulnerability? Let me give an example.
In 2012, you register a NetEase mailbox; after successful registration you are redirected to a "bind a security phone" prompt page. Note the uid in the link parameter: change it to someone else's NetEase email address, enter your own mobile number on the page and submit.
The target NetEase mailbox now has your security phone bound to it, beyond your authority.
This is a parallel permission vulnerability, also called "exceeding authority".

Case 10: Identity Pass, email recover-password function
  • The reset-password link sent to the mailbox looks like: http://www.idtag.cn/regionTempAction.do?method=resetPassword&idtagCard=<user ID value>&authcode=go8k7yp4twy&rtemail=<e-mail address>
  • Capturing the packet reveals the truth, a request body like: org.apache.struts.taglib.html.token=83accc27d5178f832d9f22a1d02bdacf&org.apache.struts.taglib.html.token=83accc27d5178f832d9f22a1d02bdacf&Rtpassword=123456&passwordw=123456&rtemail=<mailbox>&idtagcard=<user ID>
  • Leave the token unchanged, change the user ID, submit the request again: wow, the password is reset successfully.
  Figure 15 Recover password - Case 10

Case 11: OPPO, recover password via the SMS check sent to the bound mobile number
  • Go through the normal flow, enter the received SMS code and the new password, submit and capture the packet. Leave checkcode unchanged, change the user name to any account, resubmit: the password is reset successfully.
  Figure 16 Recover password - Case 11

Case 12: Ctrip Travel Network, reset password via email
  • Click the reset-password link the system sent to the mailbox, reset the password and capture the packet:
  Figure 17 Retrieve password - Case 12
  Figure 18 Retrieve password - Case 12 - uid found
  • Yes, the uid parameter identifying the user is in the POST data, and in the second step of the reset the system "actively" hands this uid to us (see Figure 17);
  • Use the Firefox plugin Live HTTP Headers to modify the POST form parameters and replay the request: change the uid and submit the form;
  • Another user's password is reset successfully.

1.4. Trusting client-side checks: kid, you're in danger

White hats have very convenient tools to debug, intercept responses and replay requests; "client" here means not only the browser but also the mobile app.
Case 13: Le Bee net, recover password via mobile phone number
  • Enter the site's supplier management system, click forgot password, enter the user name admin, choose phone recovery, fill in any SMS code, click Next, and capture the packet:
  Figure 19 Retrieve password - Case 13 - fill in an arbitrary verification code
  Figure 20 Retrieve password - Case 13 - intercept the returned packet
  • After repeated testing, changing the return code in the server's response to 102 bypasses the check, and the app goes straight to the reset-password page:
  Figure 21 Retrieve password - Case 13 - modify the body value
  • Reset successfully. Similar cases: WooYun: OPPO reset any user's password vulnerability (4).

1.5. Playing with cookies, playing with children

White hats are battle-hardened; they have matched wits with engineers of every level at all kinds of internet companies, and have summed up many breakthrough patterns. One of them is session overlay, aimed at children who like to pile a mess into the cookie.
Case 14: Poly American Excellent Products, recover password via mailbox
  1. In the browser, use "retrieve password" for your own account and choose mailbox verification;
  2. Your mailbox receives an email. Do not click the reset-password link yet, but notice that the link carries no parameter identifying the account;
  3. In the same browser, use the recover-password function again, this time for the target user's password, and stop after the following step:
  Figure 21 Retrieve password - Case 14
  4. Still in the same browser (otherwise it will not work), open the reset-password link received in step 2:
  Figure 22 Recover password - Case 14
  5. Fill in the new password and submit. OK, the target user's password is reset:
  Figure 23 Retrieve password - Case 14
  Figure 24 Retrieve password - Case 14 - Done

1.6. No rate limiting is just stupid

Critical business functions with no frequency threshold are stupid; they are just waiting for someone to brute-force them.
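Before the rate-limiting cases, a look back at cases 10 to 12 and case 14, which fail the same way: the server checks that a token exists, but lets something else, a form field, a URL parameter or the session, decide which account the reset applies to. The Python below is an added example, not code from the article or from any of the sites named; it models the two flawed designs beside a hardened one in which the account comes only from the token record kept on the server. The users, session ids, passwords and token lifetime are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900   # seconds a reset link stays valid (assumed value)

# Constructed accounts; in a real system these are database rows.
USERS = {
    1001: {"name": "alice", "password": "old-a"},
    1002: {"name": "bob",   "password": "old-b"},
}

UNBOUND_TOKENS = set()   # cases 10-12: a token proves "someone asked", not who
SESSION = {}             # case 14: the account under reset lives in the session
BOUND_TOKENS = {}        # hardened: sha256(token) -> {uid, expires, used}


def issue_unbound(uid):
    """Mail a token to uid's mailbox but remember nothing about uid."""
    token = secrets.token_urlsafe(32)
    UNBOUND_TOKENS.add(token)
    return token


def reset_by_form_uid(token, uid, new_password):
    """Cases 10-12: the token is checked for existence only; the account to
    change comes from a form or URL parameter the client controls."""
    if token not in UNBOUND_TOKENS:
        return False
    UNBOUND_TOKENS.discard(token)
    USERS[uid]["password"] = new_password
    return True


def start_reset_in_session(session_id, uid):
    """Case 14: the flow records the account being reset in the browser
    session and mails a token that carries no account information."""
    SESSION[session_id] = uid
    token = secrets.token_urlsafe(32)
    UNBOUND_TOKENS.add(token)
    return token


def reset_by_session_uid(session_id, token, new_password):
    """Case 14: whoever the session currently points at gets the new password,
    regardless of which mailbox the token was sent to."""
    if token not in UNBOUND_TOKENS or session_id not in SESSION:
        return False
    UNBOUND_TOKENS.discard(token)
    uid = SESSION.pop(session_id)
    USERS[uid]["password"] = new_password
    return True


def _key(token):
    # Store a hash, so the token table itself is not a usable credential.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_bound(uid, now=None):
    """Hardened: account, expiry and single-use flag are fixed at issue time
    and live only on the server."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    BOUND_TOKENS[_key(token)] = {"uid": uid, "expires": now + TOKEN_TTL, "used": False}
    return token


def reset_bound(token, new_password, now=None):
    """Hardened: there is no uid parameter at all.  Nothing in the form, URL
    or session can change whose password is set.  Returns the uid changed."""
    now = time.time() if now is None else now
    rec = BOUND_TOKENS.get(_key(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    USERS[rec["uid"]]["password"] = new_password
    return rec["uid"]


if __name__ == "__main__":
    t = issue_unbound(1001)                                   # alice's mail ...
    print("form uid swapped:", reset_by_form_uid(t, 1002, "x"), USERS[1002])   # ... changes bob
    t = issue_bound(1001)
    print("bound:", reset_bound(t, "y"), "reuse:", reset_bound(t, "z"))
```

The design point is that the hardened reset handler has no way to be told an account: the token record is the only source of the uid, the record is consulted only through a hash of the token, and it is consumed on first use and after expiry.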


Reference case: WooYun: Dangdang arbitrary user password modification vulnerability. There is also a classic case where a frequency limit existed but was bypassed: WooYun: arbitrary user password modification vulnerability. It limits the number of submissions, but has a logic flaw: appending a few characters to the phone number string bypasses the limit.
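The bypass in the second reference case works because the limiter and the SMS sender disagree about what the identifier is. The following Python is an added example, not code from the article or from Dangdang or any other site named; it shows a sliding-window limiter that counts against a canonical form of the phone number, next to the flawed variant that counts against the raw string. The limits, the window and the number format rules (an 11-digit mainland mobile number with an optional +86 prefix) are assumptions made for the demonstration.

```python
import re
import time
from collections import defaultdict, deque

WINDOW = 3600       # seconds (assumed)
LIMIT = 5           # reset requests per phone number per window (assumed)
IP_LIMIT = 20       # reset requests per client address per window (assumed)

_events = defaultdict(deque)   # limiter key -> timestamps of recent requests


def normalize_phone(raw):
    """Canonical form used by BOTH the limiter and the sender.  Digits only,
    optional leading 86 dropped, then a strict length check; anything that
    does not normalize to exactly one valid number is rejected outright."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 13 and digits.startswith("86"):
        digits = digits[2:]
    if len(digits) != 11 or not digits.startswith("1"):
        return None
    return digits


def allow(key, limit=LIMIT, now=None):
    """Sliding-window counter: at most `limit` events per key in WINDOW seconds."""
    now = time.time() if now is None else now
    q = _events[key]
    while q and q[0] <= now - WINDOW:
        q.popleft()
    if len(q) >= limit:
        return False
    q.append(now)
    return True


def request_sms_flawed(raw_phone, now=None):
    """The shape the reference case describes: the counter is keyed on the raw
    string while the SMS goes to the digits, so '13800000001' and
    '13800000001#' are two different buckets for the same phone."""
    digits = re.sub(r"\D", "", raw_phone)
    if not allow(("flawed", raw_phone), now=now):
        return "rate_limited"
    return f"sent:{digits}"


def request_sms(raw_phone, client_ip="203.0.113.9", now=None):
    """Hardened: validate and canonicalize first, then count against the
    canonical number and, as a second bucket, against the client address."""
    phone = normalize_phone(raw_phone)
    if phone is None:
        return "rejected"
    if not allow(("phone", phone), now=now) or not allow(("ip", client_ip), IP_LIMIT, now):
        return "rate_limited"
    return f"sent:{phone}"


if __name__ == "__main__":
    for i in range(LIMIT + 1):
        print(request_sms("13800000001", now=1000 + i))
    print("trailing junk, hardened:", request_sms("13800000001#", now=1010))
    for i in range(LIMIT):
        request_sms_flawed("13900000002", now=2000 + i)
    print("trailing junk, flawed:  ", request_sms_flawed("13900000002#", now=2010))
```

The limiter's key is derived from the same normalized value the SMS gateway will use, so there is no string the client can submit that reaches a fresh bucket but still delivers to the same phone; strings that do not normalize to a valid number are refused before any counter or SMS is touched.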


Well, that is a lot of cases. Let's review:
    • Information submitted by the client, and information stored on the client, may have been tampered with;
    • White hats are programmers; they have many tools and find it easy to discover holes, tamper with data and replay requests;
    • Integer IDs can be traversed;
    • An MD5 string can be reversed by lookup;
    • A JS check is unreliable and can be bypassed;
    • Every internet site has a retrieve-password function. It looks simple, but for a web development engineer it is not so easy; it shows what kind of engineer you are and how far you can go.
  Finally, borrowing from bma's compilation in the WooYun Knowledge Base of the common weaknesses of password recovery:
  1. The password retrieval credential is too weak, e.g. a four-digit numeric verification code, easily brute-forced
  2. The credential can be obtained directly from the client, e.g. the URL
  3. The credential can be obtained directly from the web page's source code
  4. The link mailed for retrieval is easy to crack, e.g. MD5 of the time
  5. Verification steps can be skipped to reach the set-new-password page directly
  6. The credential is not bound to the specific user
  7. The token returned when resetting the password is not bound to the account and the verification code
  8. The phone number or mailbox used for retrieval can be read from the page, and so can be modified with Firebug
  9. The user ID is changed to another user's ID when submitting the new password
  10. The verification code is sent without the server checking that the user name matches the mailbox
  11. The server's return value is checked locally to decide whether to proceed with the reset, but that return value is controllable or can be obtained
  12. The sending of verification information such as SMS is triggered locally and can be controlled by modifying the return packet
  13. An injection vulnerability in the password retrieval back end
His advice: make the retrieval credential complex enough that it cannot be guessed; put every check on the server side; encrypt the transmitted verification parameters properly; and filter the parameters.
That's it.

Reference documents:
  1. 2015, WooYun Knowledge Base, Password retrieval logic vulnerability summary
  2. 2014, Zheng, Things that make the little friends cry stupidly: retrieving the password
  3. 2013, Zheng, Basic principles of web development, record 55: web access security
  4. 2012, Zheng, Replay of the implementation process of the 5·12 and 6·17 famous-website domain name hijacking events
  5. 2011, Chenhao, Can you do the user login function on the web?
  6. 2015, Zheng, Security Basic Education, Season 1: The fortress was breached from within
-eof-

