Author: lake2 [80sec]
EMail: lake2 # 80sec.com
Site: http://www.80sec.com
Date: 2008-6-10
---------------------------------
[Directory]
0x00 Idle talk
0x01 WML and WMLScript
0x02 WML injection attacks
0x03 What can WML injection do?
0x04 WAP site session security
0x05 Postscript
--------------------------------
0x00 Idle talk
Because I lent my laptop to the lovely little S, I had to get online with my mobile phone, and found that WAP sites have a fair-sized market of their own. While at it I looked into web security on WAP. There does not seem to be a comprehensive article on WAP web application security, so here I share some of my experience and hope you will all offer your advice.
0x01 WML and WMLScript
At present most WAP sites use WML for their pages, and some use XHTML; this article only discusses WML.
WML is short for Wireless Markup Language. Like HTML, it is a markup language for web pages, but where HTML is written for the browsers on our PCs, IE or Firefox, WML is designed for wireless terminals such as mobile phones.
The Opera browser does support WML: you can open Baidu's WAP home page http://wap.baidu.com in Opera, but in IE or Firefox the page will not display properly.
If your mobile phone supports WAP, its browser supports WML, and you have probably browsed WAP sites on it already.
A simple WML page looks like this:
<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" "http://www.wapforum.org/DTD/wml_1.1.xml">
<wml>
<card id="no1" title="Card 1">
<p>Hello world!</p>
</card>
</wml>
Open the page above in a browser that supports WML and you will see the text "Hello world".
Whether HTML or WML, these are only the front-end presentation. The back end is the same in both cases and may be ASP, PHP, JSP or ASP.NET, so the back-end program faces the same security issues as any web application, SQL injection and the like; those are not the subject of this article.
For more on WML syntax, see: http://www.w3school.com.cn/wap/index.asp
If WML is the WAP counterpart of HTML, is there a WAP counterpart of JavaScript? Yes, WMLScript. Compared with JS its functionality is much weaker; if you are interested, see: http://www.w3school.com.cn/wmlscript/index.asp
0x02 WML injection attacks
XSS is a major security risk for HTML pages: parameters are output into the page without proper handling, so an attacker can inject HTML or JavaScript code into it.
In the same way, if the back-end program outputs a parameter into a WML page without proper handling, arbitrary data can be injected into the page. We can call this WML injection.
Let's look at a simple example. Take this PHP code (for the demonstration, assume magic_quotes_gpc = off):
<?php
header("Content-Type: text/vnd.wap.wml");
// echo the XML declaration from PHP so that <?xml is not mistaken for a PHP short open tag
echo "<?xml version=\"1.0\"?>";
?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" "http://www.wapforum.org/DTD/wml_1.1.xml">
<wml>
<card id="no1" title="Card 1">
<p>Hello <?php echo $_REQUEST['a']; ?>!</p>
</card>
</wml>
Obviously parameter a is output straight into the page without escaping, which gives a WML injection vulnerability.
0x03 What can WML injection do?
First, what can XSS do?
The most immediate thing WML injection can do is insert WML code and change the page. Take the code above and submit this parameter:
http://127.0.0.1/wap/test.php?a=lake2</p><a href="http://www.baidu.com">click Login</a><p>hi
The WAP browser then shows a "click Login" link that in fact points to the Baidu home page. Many WAP browsers have no address bar or status bar, so the user cannot tell where the link really goes. The user does not even have to click: WML has a timer tag that makes a page jump to another URL automatically after a set interval. One thing to keep in mind: WML is XML, so the injected fragment must leave the document well-formed, otherwise a strict WAP browser shows a parse error instead of rendering the page.
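As an added example (not code from the original article), here is a Python model of the test.php above. It renders the card with and without escaping and parses the result as XML, so the effect of a payload on the document structure can be checked offline. The payloads are the article's link payload plus a constructed timer variant; the attacker host name and the escaping helper are assumptions of this example, not part of the original page.

```python
# Added example: Python model of the page's test.php, not the article's own code.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XML_DECL = '<?xml version="1.0"?>'
DOCTYPE = ('<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" '
           '"http://www.wapforum.org/DTD/wml_1.1.xml">')


def render_vulnerable(a: str) -> str:
    """Same as the page's test.php: parameter a is put into the card unescaped."""
    return (f'{XML_DECL}\n{DOCTYPE}\n<wml>\n<card id="no1" title="Card 1">\n'
            f'<p>Hello {a}!</p>\n</card>\n</wml>\n')


def wml_escape(value: str) -> str:
    """Escape the five characters that matter in XML (& < > and both quotes)
    so the value is inert in text content and inside attributes alike."""
    return escape(value, {'"': '&quot;', "'": '&apos;'})


def render_safe(a: str) -> str:
    """The hardened version: escape before interpolating."""
    return render_vulnerable(wml_escape(a))


def is_well_formed(wml: str) -> bool:
    """WML is XML; a browser handed malformed markup shows an error, so a
    payload has to leave the document well-formed to render at all."""
    try:
        ET.fromstring(wml)
        return True
    except ET.ParseError:
        return False


def injected_elements(wml: str) -> list:
    """Tags that ended up as children of the card besides the template's <p>.
    Anything listed here was smuggled in through the parameter."""
    card = ET.fromstring(wml).find("card")
    return [child.tag for child in card if child.tag != "p"]


# Constructed payloads; attacker.example is a placeholder host.
# 1. The article's payload: close the <p>, add a link, reopen a <p>.
LINK_PAYLOAD = 'lake2</p><a href="http://www.baidu.com">click Login</a><p>hi'
# 2. The timer variant the article mentions: after 5 seconds (timer value is in
#    tenths of a second) jump to another URL with no click. The WML 1.1 DTD puts
#    onevent/timer before the card's <p> elements, so whether a given browser
#    accepts this out-of-order fragment is browser-dependent.
TIMER_PAYLOAD = ('</p><onevent type="ontimer"><go href="http://attacker.example/"/></onevent>'
                 '<timer value="50"/><p>')
# 3. A sloppy payload that breaks well-formedness: the page will not render.
BROKEN_PAYLOAD = '</p>'


def demo() -> dict:
    """Render each payload both ways and report what the parser sees."""
    results = {}
    for name, payload in (("link", LINK_PAYLOAD), ("timer", TIMER_PAYLOAD),
                          ("broken", BROKEN_PAYLOAD)):
        vuln = render_vulnerable(payload)
        safe = render_safe(payload)
        ok = is_well_formed(vuln)
        results[name] = {
            "vulnerable_well_formed": ok,
            "vulnerable_injected": injected_elements(vuln) if ok else None,
            "safe_injected": injected_elements(safe),
        }
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it, the "link" and "timer" results list the elements that were injected while the escaped rendering lists none, and "broken" shows a payload that an XML parser rejects outright. In PHP the equivalent of wml_escape() is htmlspecialchars($_REQUEST['a'], ENT_QUOTES), applied before the echo.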
WMLScript can be inserted as well, but not every browser supports WMLScript, and WMLScript is weak anyway. If the browser is Opera, WML injection can be used to execute JS code.
What about the classic cookie theft? No: first, WML/WMLScript cannot read or write cookies at all, and second, many WAP browsers do not support cookies -_-
0x04 WAP site session security
Yes, because most WAP browsers do not support cookies, the WAP site's solution is to carry the string that identifies the session in the URL or in a form. That string is the equivalent of a cookie: whoever obtains it can access the WAP site as that user.
Putting the session ID in the URL is always dangerous. You know what the HTTP Referer is: when the user follows a link to another site, the full URL of the current page, session ID included, is sent in the Referer of that request. Haha, this is a blue ocean, because many WAP sites do exactly this. Of course some WAP browsers send the Referer field and some do not; there is no uniform standard, which is a nuisance.
Putting the session ID in a form is safer: WMLScript cannot read the page content, so the attacker would need to control the URL the form submits to, and WML injection generally cannot modify an existing form's target. Sites set up this way are rare, though.
0x05 Postscript
All the major portals now have their own WAP sites, and essentially every major business has a corresponding WAP page, yet few people pay attention to WAP site security, so there are plenty of security issues here. Besides the WML injection and session hijacking discussed above there are many other attacks. For example, the login page of a traditional HTML site may have a CAPTCHA while the WAP login entry has none, leaving the risk of brute-force password guessing; it depends on the business logic of the specific application. How to do web application security better on WAP sites is a problem for the security departments :)
Not limited to WAP: mobile phones connect through the GPRS gateway, so the IP address the site sees is the gateway's. If a phone is used as the terminal for an attack, it is harder to trace than a PC. A phone can also serve as a modem, letting a computer go online through the GPRS gateway via the phone.
With the arrival of 3G, mobile clients will certainly be attacked in the future, and there will be Trojans and rogue software on phones. Wireless terminal security is a new challenge. Are you ready for it?