Tuesday, March 11, 2008

Word verification ....

This ones comes from a video download site. A first step "no-no" for word verification. You can find that as first "Don't" in word verification steps book.

What is word verification:
Word verification is term called for verification of a word displayed in a image (most commonly). Users are asked to type the string displayed in image and server checks whether input is correct.

Why word verification:
Used to disallow hacker (Only till we come up with algorithm to identify word in the image) to write automation code to create a bulk of accounts, task which can cause server to be overloaded or out of account. A common practice used across many site.

Screen shot asking for word verification:

What's wrong with this one:
This site ask for word verification, and to reduce the server traffic (I guess), it also send the correct string in the same packet. When I saw that yesterday, you can view the correct string in the page source code.

Code is displayed in page source:
However that is fixed today, so when you view page source, its downloaded from server and displays the incorrect string. (actually page source is fake). But if you capture the packet
you can get the actual word. So can still get the word and write automated script to overload server with fake download request.

Old saying: "Security of whole setup is equal to weakest link in it!"

Thursday, February 28, 2008

Orkut Cookie ...(2)

Orkut cookie vulnerability is sent to orkut team.

Wednesday, February 20, 2008

Orkut cookie Vulnerability

If you wonder on the gmail cookie vulnerability exposed by sidejacking, orkut has things easier for you! All you need is to sniff some packet, get the cookie out of it, set in and your are done.

Orkut login works over a secure SSL channel but after the login, its falls back to non secure traffic. Another example of "secure login - unsecure data". Even during the login, orkut cookie is set using non secure channel. Only to set gmail cookies (LSID, GALX), its uses secure HTTPS.

Orkut uses two cookies - orkut_state and OSN for validating the login. If one can sniff or get these two cookies (using wireshark , sidejacking or by some other way), they can add them in the browser (using firefox cookie editor or some other tool) and finally open orkut website. This will log you in directly into victim's account. Once logged in, you can act as victim, view his/her gmail address book and may be much much more !!

How Orkut gmail login works:

When you use your gmail account to login to orkut, its redirected to go
ogle mail redirect login page, which sets orkut cookie over HTTP and gmail cookie (LSID and few others) over secure SSL. So even if SSL is enabled and sidejacked is not possible for google mail account, you can still login to orkut account.

Few snapshots to show this (actual cookie data is hidden. I can't decipher it, but just in case someone could ;-)
Some one captures the packet:
(Packet data captured using wireshark. Here we can get all cookies requied (in just one captured packet).)

Add the cookie in his browser cookie:
(Added the cookies using cookie editor)
And that's it. Now when he open orkut.com, he will gain access your account.

Point is you can not secure accounts by only using secure login. In order to be completely secure, all data should be transfered using a secure channel (with no fall back to non secure if SSL fails).