database - Dave's Blog

Search

Stripe CTF - XSS, CSRF (Levels 4 & 6)

2012 Sep 10, 4:43

Level 4 and level 6 of the Stripe CTF had solutions around XSS.

Level 4

Code

> Registered Users 

  • <% @registered_users.each do |user| %>
    <% last_active = user[:last_active].strftime('%H:%M:%S UTC') %>
    <% if @trusts_me.include?(user[:username]) %>

  • <%= user[:username] %>
    (password: <%= user[:password] %>, last active <%= last_active %>)
  • Issue

    The level 4 web application lets you transfer karma to another user and in doing so you are also forced to expose your password to that user. The main user page displays a list of users who have transfered karma to you along with their password. The password is not HTML encoded so we can inject HTML into that user's browser. For instance, we could create an account with the following HTML as the password which will result in XSS with that HTML:

    
    
    This HTML runs script that uses jQuery to post to the transfer URI resulting in a transfer of karma from the attacked user to the attacker user, and also the attacked user's password.

    Notes

    Code review red flags in this case included lack of encoding when using user controlled content to create HTML content, storing passwords in plain text in the database, and displaying passwords generally. By design the web app shows users passwords which is a very bad idea.

    Level 6

    Code



    ...

    def self.safe_insert(table, key_values)
    key_values.each do |key, value|
    # Just in case people try to exfiltrate
    # level07-password-holder's password
    if value.kind_of?(String) &&
    (value.include?('"') || value.include?("'"))
    raise "Value has unsafe characters"
    end
    end

    conn[table].insert(key_values)
    end

    Issue

    This web app does a much better job than the level 4 app with HTML injection. They use encoding whenever creating HTML using user controlled data, however they don't use encoding when injecting JSON data into script (see post_data initialization above). This JSON data is the last five most recent messages sent on the app so we get to inject script directly. However, the system also ensures that no strings we write contains single or double quotes so we can't get out of the string in the JSON data directly. As it turns out, HTML lets you jump out of a script block using no matter where you are in script. For instance, in the middle of a value in some JSON data we can jump out of script. But we still want to run script, so we can jump right back in. So the frame so far for the message we're going to post is the following:

    
    
PermalinkCommentscsrf encoding html internet javascript percent-encoding script security stripe-ctf technical web xss

Stripe CTF - SQL injections (Levels 0 & 3)

2012 Sep 5, 9:10

Stripe's web security CTF's level 0 and level 3 had SQL injection solutions described below.

Level 0

Code

app.get('/*', function(req, res) {
var namespace = req.param('namespace');

if (namespace) {
var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
db.all(query, namespace, function(err, secrets) {

Issue

There's no input validation on the namespace parameter and it is injected into the SQL query with no encoding applied. This means you can use the '%' character as the namespace which is the wildcard character matching all secrets.

Notes

Code review red flag was using strings to query the database. Additional levels made this harder to exploit by using an API with objects to construct a query rather than strings and by running a query that only returned a single row, only ran a single command, and didn't just dump out the results of the query to the caller.

Level 3

Code

@app.route('/login', methods=['POST'])
def login():
username = flask.request.form.get('username')
password = flask.request.form.get('password')

if not username:
return "Must provide username\n"

if not password:
return "Must provide password\n"

conn = sqlite3.connect(os.path.join(data_dir, 'users.db'))
cursor = conn.cursor()

query = """SELECT id, password_hash, salt FROM users
WHERE username = '{0}' LIMIT 1""".format(username)
cursor.execute(query)

res = cursor.fetchone()
if not res:
return "There's no such user {0}!\n".format(username)
user_id, password_hash, salt = res

calculated_hash = hashlib.sha256(password + salt)
if calculated_hash.hexdigest() != password_hash:
return "That's not the password for {0}!\n".format(username)

Issue

There's little input validation on username before it is used to constrcut a SQL query. There's no encoding applied when constructing the SQL query string which is used to, given a username, produce the hashed password and the associated salt. Accordingly one can make username a part of a SQL query command which ensures the original select returns nothing and provide a new SELECT via a UNION that returns some literal values for the hash and salt. For instance the following in blue is the query template and the red is the username injected SQL code:

SELECT id, password_hash, salt FROM users WHERE username = 'doesntexist' UNION SELECT id, ('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8') AS password_hash, ('word') AS salt FROM users WHERE username = 'bob' LIMIT 1
In the above I've supplied my own salt and hash such that my salt (word) plus my password (pass) hashed produce the hash I provided above. Accordingly, by providing the above long and interesting looking username and password as 'pass' I can login as any user.

Notes

Code review red flag is again using strings to query the database. Although this level was made more difficult by using an API that returns only a single row and by using the execute method which only runs one command. I was forced to (as a SQL noob) learn the syntax of SELECT in order to figure out UNION and how to return my own literal values.

PermalinkCommentssecurity sql sql-injection technical web-security

Hitchhiker's Guide To The Galaxy Remake - AGS Games Database

2011 May 14, 3:31Fan remake of the Infocom HHGTTG text adventure as an adventure game.PermalinkCommentshhgttg game videogames adventure-game

Database - WEBAPPS

2010 Mar 5, 10:21Document explaining the relationship between the various web storage APIs coming out of HTML 5. To summarize:
Web Storage (aka DOM Storage) - simple key/value pairs API.
WebSimple DB API - now called Indexed Database API.
Indexed Database API and Web SQL Database - competing database APIs.
Application Cache - Storage of HTTP resources for offline apps.
DataCache API - A programmatically modifiable Application Cache.PermalinkCommentshtml html5 standard programming technical wiki w3c database storage web

Indexed Database API

2010 Mar 5, 9:32PermalinkCommentsapi database html html5 specification w3c web programming technical

Are you new to "Hadoop"? Settle in...

2009 Oct 8, 4:59A brief introduction to Hadoop, its history, subprojects, and current statusPermalinkCommentsvia:pskomoroch hadoop introduction google yahoo facebook database technical

Map/Reduce Tutorial

2009 Oct 6, 3:24The map/reduce tutorial for Hadoop the Apache open source project. "Hadoop Map/Reduce is a software framework for easily writing applications which process vast amounts of data (multi-terabyte data-sets) in-parallel on large clusters (thousands of nodes) of commodity hardware in a reliable, fault-tolerant manner."PermalinkCommentshadoop mapreduce java software programming opensource database distributed google yahoo apache technical todo

Google Research Publication: MapReduce

2009 Oct 6, 3:18PermalinkCommentstodo mapreduce algorithm google paper distributed database technical

fontplore // an interactive application designed for searching and exploring font databases

2009 Jul 31, 6:09An interactive touchable table to help you browse and select fonts.PermalinkCommentsart visualization design font typography surface table touchscreen video

Blog Layout and Implementation Improvements

2009 Jul 19, 11:44

Monticello, home of Thomas Jefferson, Charlottesville, Va. (LOC) from Flickr CommonsI've redone my blog's layout to remind myself how terrible CSS is -- err I mean to play with the more advanced features of CSS 2.1 which are all now available in IE8. As part of the new layout I've included my Delicious links by default but at a smaller size and I've replaced the navigation list options with Technical, Personal and Everything as I've heard from folks that that would actually be useful. Besides the layout I've also updated the back-end, switching from my handmade PHP+XSLT+RSS/Atom monster to a slightly less horrible PHP+DB solution. As a result everything should be much much faster including search which, incidentally, is so much easier to implement outside of XSLT.

PermalinkCommentsblog database redisgn xslt mysql homepage

Misattribution - Anne's Weblog

2009 Jun 8, 3:58"Everyone can file bugs against HTML5, including you. To be clear, that something is filed in the W3C bug database does not mean it is likely it will be included."PermalinkCommentshtml5 blog bug html w3c

LDC Catalog - Web 1T 5-gram Version 1

2009 Mar 16, 4:22"This data set, contributed by Google Inc., contains English word n-grams and their observed frequency counts. The length of the n-grams ranges from unigrams (single words) to five-grams. We expect this data will be useful for statistical language modeling, e.g., for machine translation or speech recognition, as well as for other uses." 6 DVDs for only $150 with licensing restri... ok nm.PermalinkCommentslanguage google statistics database text

IE8 Beta1 Feedback

2008 Mar 5, 1:33Bug tracking database for IE8 Beta1.PermalinkCommentsie ie8 microsoft bug

Reuters Wants The World To Be Tagged - ReadWriteWeb

2008 Feb 8, 3:24FTA: "...Using a mix of natural language processing, AI techniques, and a massive databases, Reuters' solution extracts important bits of information from raw HTML pages. People, Companies, Places, and Events are really at the heart of many business articPermalinkCommentsvia:sambrook api reuters news tagging semantic semantic-web web

Main Page - Gutenberg

2008 Jan 5, 10:39Project Gutenberg is a directory of public domain literature.PermalinkCommentsarchive books fiction database directory literature writing free gutenberg public-domain

My Stuff - Swivel

2008 Jan 3, 12:29This is me on Swivel a site like Many Eyes that does social data table and data table visualization sharing.PermalinkCommentsproldfile me data database visualization social

Symbols.com - Home

2007 Sep 4, 1:53Database of symbols and their meaning.PermalinkCommentsbook purchase reference symbols language dictionary index database free encyclopedia

Technophilia: Where to find public records online - Lifehacker

2007 Jul 23, 3:19List of sites to find public information on folks.PermalinkCommentsbackground search database birthday library identity privacy public phone lifehack

Checkers Database

2007 Jul 20, 9:09Checkers has been solved. All possible moves have been mapped.PermalinkCommentscheckers solution csc game games

Home : Nature Precedings

2007 Jun 18, 10:49"Nature Precedings is trying to overcome those limitations by giving researchers a place to post documents such as preprints and presentations in a way that makes them globally visible and citable."PermalinkCommentsscience research journal nature database collaboration archive community
Older Entries Creative Commons License Some rights reserved.