

A real-world web site crack before your eyes

Opinion and Analysis

Can I log in to these sites without an account? To find out, I entered a username of fred' or 1=1 -- on both forms.

The answer is yes. Site A took a brief while to log in – perhaps having many users in its table – but let me in and duly gave me a list of orders I, or rather the account it logged me in as, had made.

It was quite a jackpot, too. It seemed that probably every order on the site was listed. This stands to reason; as I said, the first user in the user table is often the administrator. The first bunch of orders appeared to be test data, but just scrolling down the table listed orders placed by D L Rogers Corporation, Muse Lifestyle Group, American InterContinental University, American Golf, Best International USA LLC and more.

Clicking these orders let me see the Site A staff member who took the order – Ms S Wells, in some cases – plus the order number, the client name, contact person and contact details. I could see the details of the orders (eg, $500/month) plus the client's terms and conditions.

If I were looking for an SMS gateway to send my online messages through, I might be somewhat concerned by this. Now, Site A had not included any message on its login page – or after logging in – stipulating that unauthorised access was not permitted, but that's a topic for another time.

Back at Site B, I also logged in effortlessly. Actually, this site did have a bit of JavaScript to validate that a password had been entered. A nice touch, but a bit in vain, because I could still log in using the username specified above and any old password.

There was no clear facility to view past orders, but I was most definitely given the product catalogue and could place an order (as Greenspun & Mann of the city of Fairfax in the state of VA) if I so desired.

Obviously, I did not print or copy any of the data I saw, nor place any orders. Further, I have e-mailed the contacts for both sites to advise them of this grotesque weakness on their sites.

Although I gained access to these sites, what I have described above really only scratches the surface. I could go further and actually work out the table structure of the databases in use, which would permit even more nefarious activities.

For instance, using a username of fred' having 1=1 -- on Site A gives this error:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'Sales_Rep.RepID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/Orders/OrderForm.asp, line 43

So, now I know they have a table called Sales_Rep with a field RepID. Further tweaking the username would reveal more and more information. Finally, I could even query these tables to actually divulge genuine usernames and passwords.

Basically, the site is mine. Fortunately, I'm one of the good guys.

Make sure your site is not similarly exposed. This is how SQL injection works, and as you've seen, anyone at all with access to Google and a small bit of knowledge can break in with seconds of effort.
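As an added illustration that is not part of the original article, the bypass and the error leak described above reproduced against a constructed SQLite table, with the concatenated query beside a parameterized one. The users table, its rows and the function names are assumptions; nothing here is the sites' own code.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the sites' user tables: row 1 is the admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string concatenation, as the two sites evidently do.
    Returns the username of the first matching row, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """The same check with bound parameters: the input is only ever data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def attempt(fn, conn, username, password):
    """Run a login routine and surface any raw database error text, which is
    what Site A's '80040e14' page did and what a hardened site must not do."""
    try:
        return ("ok", fn(conn, username, password))
    except sqlite3.Error as exc:
        return ("db-error", str(exc))

if __name__ == "__main__":
    db = build_db()
    payload = "fred' or 1=1 --"
    print("vulnerable:", attempt(login_vulnerable, db, payload, "anything"))
    print("parameterized:", attempt(login_parameterized, db, payload, "anything"))
    print("vulnerable, HAVING probe:", attempt(login_vulnerable, db, "fred' having 1=1 --", "x"))
```

With the concatenated query the `--` comments out the password check and the `or 1=1` matches every row, so the first row (the admin) is returned; the parameterized version returns no match and, for the HAVING probe, no error text at all.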



