web application security lab: Challenge Logic Flaw

After the fallout of the challenge a few interesting things happened. A backup of the .htaccess file was found, an XSS hole through a cookie name/value pair that I forgot to sanitize, and most interestingly a way to actually hack the test! I’ve told people before, there aren’t many people on the Internet who I think could hack just about anything, but Stefan Esser is definitely one of them. He found a rather interesting logic flaw in the test that I wanted to share.

The challenge dealt quite a bit with cookie tampering. Since some people still may not want to have this spoiled for them, I’m removing the actual values. But what Stefan submitted was "admin=…;admin=…;admin=…;admin=…;admin=…;admin=…;" Why would that work? Well let’s look at the logic of the rather poorly written application (modified slightly for readability and to keep the cookie values cloaked for anyone who still wants to try the test):

  # Each cookie name/value pair is checked on its own. Nothing records which
  # question has already been answered, so the same pair can score repeatedly.
  if ($cookie_name =~ "admin") {
    if ($value =~ "…") {
      print " - Yes!";
    } else {
      print " - No. Sorry, try again.";
    }
  } elsif ($cookie_name =~ "NotGettingIt") {
    if ($value =~ "…") {
      print " - Yes!";
    } else {
      print " - No. Sorry, try again.";
    }
  } …

There are six cookies that need to have the correct value. But if you look at the logic, since Stefan put the same name/value pair over and over, the checks never moved on to the next question: the same first branch fired six times. The count of correct answers still added up to 6, which is all the application was looking for, and voila - he submitted the answer without ever completing the challenge. He hacked the test (not the server). Very clever. What did I do to fix this? It was just a matter of holding state and not letting the same if statement be satisfied twice. Pretty trivial to fix. But this test was not designed to be a well written app - faaaar from it.

In fact one of the reasons this is actually fairly relevant is that I’ve seen a few real apps written like this in how they look at cookie values. In particular, they look at the entire cookie string and, if some value appears _anywhere_ in it, act one way. Watching for that behaviour can give you insights into how the application works. So yes, it was a very poorly written app on purpose, but Stefan found one thing that actually wasn’t on purpose, so huge props to him. Very cool.
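To make the two points above concrete (the missing state that let one repeated pair count six times, and the "match the value anywhere" style of cookie check), here is an added example in Python. It is not RSnake's code, and the six question names and answers in it are constructed placeholders, since the real challenge values are deliberately cloaked in the post. It models the vulnerable scoring loop beside a version that records which questions have already been answered and compares names exactly.

```python
import re

# Constructed placeholders standing in for the challenge's six question
# cookies and their secret answers (the real ones are cloaked in the post).
EXPECTED = {
    "admin": "ANSWER1",
    "NotGettingIt": "ANSWER2",
    "q3": "ANSWER3",
    "q4": "ANSWER4",
    "q5": "ANSWER5",
    "q6": "ANSWER6",
}
REQUIRED = len(EXPECTED)


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, keeping duplicates
    and their order, exactly as a naive per-pair loop would see them."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def vulnerable_score(header):
    """The pattern from the post: each pair is judged on its own, names and
    values are matched as substrings (Perl's `=~ "admin"`), and every
    'Yes!' adds one. Nothing remembers which question was already answered,
    so six copies of one correct pair score six points."""
    score = 0
    for name, value in parse_cookie_header(header):
        for question, answer in EXPECTED.items():
            if re.search(question, name):        # substring match, like =~
                if re.search(answer, value):
                    score += 1
                break
    return score


def fixed_score(header):
    """Hardened version: exact name match, exact value match, and a set of
    answered questions, so a repeated cookie can only ever count once."""
    answered = set()
    for name, value in parse_cookie_header(header):
        if name in EXPECTED and name not in answered and value == EXPECTED[name]:
            answered.add(name)
    return len(answered)


def passes(score_fn, header):
    """True when the scoring function reports all six questions answered."""
    return score_fn(header) >= REQUIRED


if __name__ == "__main__":
    repeated = "admin=ANSWER1;" * 6          # one correct pair, six times
    print("vulnerable:", vulnerable_score(repeated), passes(vulnerable_score, repeated))
    print("fixed:     ", fixed_score(repeated), passes(fixed_score, repeated))
```

The fix is the one the post describes: hold state per question. The exact-name comparison is a second, smaller hardening that also closes the "value seen anywhere in the cookie string" behaviour, which in the substring version would let a cookie named `notadmin` satisfy the `admin` branch.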

14 Responses to “Challenge Logic Flaw”

  1. DoctorDan Says:

    Impressive! Hats off to Stefan!

  2. crash Says:

    What’s funny about this is that I was fired recently for doing just such a similar task. I used to work for an AT&T subcontractor and was subjected to taking tests that were not relevant to my position nor anyone else’s in the call center. I was tired of just using tab and the arrow keys to cheat. So I decided to bypass the test part and write code to submit the value necessary for me to pass with a 100%. I was successful in this task, but since I read the source code of the test I was in violation of my NDA. Instead of intelligent people saying “hey, this guy just helped us find a weakness in our software,” I was branded as a cracker and let go. I’m happy to see you present this in a positive light instead of saying that some hacker cheated and needs to pay, since curiosity is the reason we live in the comfort we do today.

  3. ChosenOne Says:

    neat :)

  4. just a lurker Says:

    it wasn’t a flaw in your code it was a feature ……. according to an inside source at google :|


    the good news is that mozilla say they can fix it for yah in 10 fuckin’ days :D

  5. AviD Says:

    Hey! Cmon!
    I did the same thing as Stefan, too!
    Not that I’m belittling his achievement - he did do it before me, and apparently more so (I had a few legit values, and filled in the rest with additional answer=…).

    But I want my special mention too! ;-)

    (Okay, I admit I did it as a cop-out, since I couldn’t figure out the rest of the riddle… but still…!)

    That said - Thanks RSnake, it was a great challenge! Had fun with it… Can’t wait for the next one! (Btw - the advance heads up was a great idea. Assuming you’re gonna continue with the challenges, please let us know ahead of time again.)

    Avi D

  6. RSnake Says:

    Haha, awesome… Well nice job to you too then! :)

  7. hackathology Says:

    Learnt something here again. Nice one Stefan!

  8. Awesome AnDrEw Says:

    Pretty nice deal, Stefan.

  9. kooldude Says:

    How do I get it to work? I mean, where do I put it?

  10. RSnake Says:

    If you read the post - I close the hole. But you would have modified your cookies to exploit it if it had been open. If you don’t know how to do that, you should probably read up on how to use a proxy, like Burp proxy or Paros proxy for instance.

  11. kooldude Says:

    How do I do it? Where do I put it?

  12. RSnake Says:

    Like I said, use burp proxy. If you don’t know how to use burp proxy anything else I tell you wouldn’t make sense. Once you start looking at the headers you will understand a lot more. Change the options so you can see the server’s headers as well, and look for the Set-Cookie header. Or you can just change it on every request in the Cookie header.

  13. Spyware Says:

    You can complete this challenge more easily if you use two plug-ins for Firefox: Add ‘n Edit Cookies, which is used to, you know… add ‘n edit cookies, and a tool called “Live HTTP Headers” which shows and lets you edit the headers. I can recommend both plug-ins.

  14. comperr Says:

    I prefer Tamper Data to Live HTTP Headers.