Chat at Work
I’ve run across this link at some point, and I had thought I had written something about this; however, it appears I never did. If you look at meebo.com you’ll see web 2.0 craziness (I guess this got voted one of the top ten Ajax apps out there at some point). Anyway, two thoughts came to mind as I looked at this for the second time.
The first was, “I bet they don’t have good back-end validation because their front-end validation is insanely good.” That proved to be right, as I now have an account called ‘"<asdf’. Secondly, I thought, “If I were going to write an app that allowed me to see everyone’s conversations, this would be it.” Unfortunately, it doesn’t matter how good my security is on my connection. If my girlfriend decides to start using this app, I am basically screwed. Also, this is a pretty great way to bypass corporate firewall restrictions. Interesting app, though.
April 16th, 2007 at 7:49 pm
It’s the jazzy Flash version of AIMOnPSP, and the soon-to-be-released WiiAIM, and I don’t use it as I don’t trust entering my own information into any 3rd-party application no matter how safe they claim to be (unless it’s open source and I know exactly where things are being transferred). It’s still a nice way of communicating when a computer isn’t readily available, like when I’m on the Wii.
April 17th, 2007 at 5:15 am
I would be interested in a) how you found their back end, and b) what method you used to create an account.
April 17th, 2007 at 7:26 am
Out of curiosity, how do you bypass their client-side verification? When I try TamperData the validation script seems to time out before I submit the modified content. Using LiveHeaders, it doesn’t even seem to be trying to actually talk to the network. Puzzling…
April 17th, 2007 at 8:22 am
@mgroves - It was pretty easy watching their request headers. Creating an account is part of the normal website function, so no magic there.
@Pozdro600 - I used Burp Suite, and I was quick like a bunny to replace the given acceptable username ‘qwerty’ that meets the client-side requirements with ‘">asdf’ in the POST string. Relying on front-end security is an invitation to hack.
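The point made in the post and in the reply above, that a check done only in the browser is skipped the moment someone edits the POST body in a proxy, is easiest to see with the server side written out. The following is an added example and is not meebo’s code; the username policy, the form field names, the request bodies and both handlers are assumptions made for illustration. The same regular expression is meant to be shipped to the page for the friendly front-end check and run again on the server, and the username is escaped before it is put back into HTML so a stored name like ‘">asdf’ cannot break out of an attribute.

```javascript
// Added example (not meebo's code). Client-side validation is a usability
// feature; the security check is the one the server performs on what actually
// arrives over the wire.

// Assumed username policy: 3-16 characters, letters, digits or underscore.
// The same test can be shipped to the browser and re-run on the server.
const USERNAME_RE = /^[A-Za-z0-9_]{3,16}$/;

function isValidUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Parse an application/x-www-form-urlencoded POST body into a plain object.
// URLSearchParams decodes percent escapes, so %22%3E comes back as ">.
function parseForm(body) {
  const out = {};
  for (const [key, value] of new URLSearchParams(body)) out[key] = value;
  return out;
}

// Weak pattern the post describes: the server trusts that the browser already
// validated the field and stores whatever arrives.
function createAccountTrusting(body, store) {
  const form = parseForm(body);
  store.push(form.username);
  return { ok: true, username: form.username };
}

// Hardened handler: validate on the server regardless of what the page did.
function createAccountValidated(body, store) {
  const form = parseForm(body);
  if (!isValidUsername(form.username)) {
    return { ok: false, error: 'invalid username' };
  }
  store.push(form.username);
  return { ok: true, username: form.username };
}

// Output-side defence for names that were stored before validation existed:
// escape before inserting into HTML so the value cannot close an attribute
// or start a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderUserTag(name) {
  return `<a href="/users/${encodeURIComponent(name)}" title="${escapeHtml(name)}">` +
    `${escapeHtml(name)}</a>`;
}

// Constructed request bodies (not captured traffic): the first is what the
// form would send after passing the client-side check, the second is the same
// request with the username swapped in the proxy, as the reply describes.
const NORMAL_BODY = 'username=qwerty&password=hunter2';
const TAMPERED_BODY = 'username=%22%3Easdf&password=hunter2';

function demo() {
  const trusting = [];
  const validated = [];
  console.log('trusting :', createAccountTrusting(TAMPERED_BODY, trusting));
  console.log('validated:', createAccountValidated(TAMPERED_BODY, validated));
  console.log('validated:', createAccountValidated(NORMAL_BODY, validated));
  console.log('rendered :', renderUserTag(trusting[0]));
  return { trusting, validated };
}

demo();
```

Running it shows the trusting handler happily storing ‘">asdf’ while the validated one rejects the tampered body and accepts ‘qwerty’; the rendered link for the bad name comes out as `&quot;&gt;asdf` inside both the attribute and the element, which is the second layer you want even once the input check exists.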
April 17th, 2007 at 11:23 pm
Fiddler makes this easier - you can write scripts to do the tampering.