web application security lab

Chat at Work

I’ve run across this link at some point, and I had thought I had written something about this; however, it appears I never did. If you look at you’ll see web2.0 craziness (I guess this got voted one of the top ten Ajax apps out there at some point). Anyway, two thoughts came to mind as I looked at this for the second time.

The first of which is “I bet they don’t have good back end validation because their front end validation is insanely good.” That proved to be right as I now have an account called "<asdf. Secondly, I thought, “If I were going to write an app that allowed me to see everyone’s conversations, this would be it.” Unfortunately, it doesn’t matter how good my security is on my connection. If my girlfriend decides to start using this app, I am basically screwed. Also, this is a pretty great way to bypass corporate firewall restrictions. Interesting app though.
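The post's point is that client-side validation is only a convenience: anyone who edits the POST body in a proxy can submit a username the form would never let through. The following is an added example (not code from the post or from the app discussed) showing a trusting handler that stores whatever arrives beside a hardened one that re-applies the rule on the server; the username rule itself and the form field names are assumptions, since the page does not state them.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed username rule (the real app's rule is not given on the page):
# 3-16 characters, letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")


def validate_username(name: str) -> bool:
    """Allowlist check; metacharacters such as quotes and angle brackets fail."""
    return USERNAME_RE.fullmatch(name) is not None


def handle_signup_trusting(post_body: str) -> dict:
    """Relies on the front-end script having already validated the field."""
    fields = parse_qs(post_body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    # Stored as-is: a proxy-edited request lands in the database unchecked.
    return {"status": 200, "stored": username}


def handle_signup(post_body: str) -> dict:
    """Re-validates on the server, regardless of what the client checked."""
    fields = parse_qs(post_body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    if not validate_username(username):
        return {"status": 400, "error": "invalid username"}
    # Defence in depth: escape on output so a value that somehow gets through
    # renders as inert text wherever the name is echoed back into a page.
    return {"status": 200, "stored": username, "display": html.escape(username)}


# Constructed sample bodies: what the validated form sends, and the same
# request after the username has been swapped in a proxy ('">asdf', URL-encoded).
NORMAL_POST = "username=qwerty&password=example"
TAMPERED_POST = "username=%22%3Easdf&password=example"

if __name__ == "__main__":
    print("trusting :", handle_signup_trusting(TAMPERED_POST))
    print("hardened :", handle_signup(TAMPERED_POST))
    print("hardened :", handle_signup(NORMAL_POST))
```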

5 Responses to “Chat at Work”

  1. Awesome AnDrEw Says:

    It’s the jazzy Flash version of AIMOnPSP, and the soon to be released WiiAIM, and I don’t use it as I don’t trust entering my own information into any 3rd party application no matter how safe they claim to be (unless it’s open source and I know exactly where things are being transferred). It’s still a nice way of communicating when a computer isn’t readily available like when I’m on the Wii.

  2. mgroves Says:

    I would be interested in how you a) found their back-end, and b) what method you used to create an account.

  3. Pozdro600 Says:

    Out of curiosity, how do you bypass their client-side verification? When I try TamperData the validation script seems to time out before I submit the modified content. Using LiveHeaders, it doesn’t even seem to be trying to actually talk to the network. Puzzling…

  4. RSnake Says:

    @mgroves - it was pretty easy watching their request headers. Creating an account is part of the normal website function so no magic there.

    @Pozdro600 - I used burpsuite, and I was quick like a bunny to replace the given acceptable username ‘qwerty’ that meets the client side requirements with ‘">asdf’ in the POST string. Relying on front end security is an invitation to hack.

  5. c Says:

    Fiddler makes this easier - you can write scripts to do the tampering.