8/7/2019 ATTACKING SCENARIO
1/18
ATTACKING SCENARIO
Hidden Price Field
In this example the server stores the price of the transaction in the form sent back to the client; it is trusting the client.
This price is stored in a hidden form field.
So you cannot see a price field on the confirmation page, but the client/user can view the HTML source code for the confirmation form by selecting View|Source in the browser's menu bar.
Hidden fields are only visually hidden from the user; from a security point of view they are effectively sent in the clear.
Malicious clients can easily access and modify them.
Order page
Server-side PHP script for the confirmation page
Confirmation Page
View|Source
The HTML code that the user can view
Changing the value of hidden field
The attacker can change the value in the hidden form field from 10 to whatever value he wants.
Then he simply saves the modified HTML to disk, reopens it with a browser,
and finally submits the form with the modified price to the server.
When he clicks Yes in the reopened HTML page, the HTTP request constructed from the manipulated form is for $1 instead of $10.
Deduction of Modified Bill Amount
After the gateway authorizes the card, the modified bill amount is deducted from the client's account.
curl and wget
Instead of using a browser and a text editor, the attacker can use command-line tools such as curl and wget.
These are open-source command-line tools that can be used to generate HTTP requests, and other types of requests, in an automated fashion.
Consider this HTTP request:
GET /submit_order?price=1&pay=yes HTTP/1.0
This is the request sent by the modified HTML page.
curl and wget commands
This HTTP request can be generated automatically by issuing the following curl command.
If the form uses the GET method:
curl 'https://www.deliver-me-pizza.com/submit_order?price=1&pay=yes'
If the form uses the POST method:
curl -d price=0.01 -d pay=yes https://www.deliver-me-pizza.com/submit_order
wget command for POST parameters:
wget --post-data 'price=1&pay=yes' https://www.deliver-me-pizza.com/submit_order
Conclusion
The attacker does not have to traverse the order or confirmation web pages to issue the HTTP requests that purchase the pizzas.
The server trusts the client and sends the transaction state back to it; by doing so it gives the client the ability to tamper with that state.
Solutions (two among many):
1. Keep an authoritative copy of the session state in a database on the server.
2. Send the authoritative state back to the client together with a signature.
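Both solutions in working form, as an added example that is not code from the slides or from the deliver-me-pizza.com site: a server-side order record that ignores any client-supplied price, and a hidden state field protected by an HMAC-SHA256 tag that the server verifies before charging. The secret key, order ids, prices and field names are constructed for illustration.

```python
# Added example (not from the slides): two ways a server can stop a client
# from tampering with the price carried in the confirmation form.
# The secret key, order ids and prices below are constructed for illustration.
import hashlib
import hmac
import json
from typing import Optional, Tuple

SERVER_SECRET = b"constructed-server-only-secret"  # never sent to the client

# Solution 1: authoritative copy of the session state kept server-side.
# The client only sends back an opaque order id; the price is looked up here.
ORDERS_DB = {"order-7": {"price": 10.00}}  # constructed stand-in for a DB

def submit_order_db(form: dict) -> str:
    order = ORDERS_DB.get(form.get("order_id", ""))
    if order is None:
        return "rejected: unknown order"
    if form.get("pay") != "yes":
        return "cancelled"
    # Any 'price' field the client adds to the request is simply ignored.
    return f"charged ${order['price']:.2f}"

# Solution 2: state is sent to the client, but with an HMAC-SHA256 tag
# computed under a server-only key, so any modification is detected.
def sign_state(state: dict) -> Tuple[str, str]:
    payload = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag  # both go into hidden fields 'state' and 'sig'

def verify_state(payload: str, tag: str) -> Optional[dict]:
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload)

def submit_order_signed(form: dict) -> str:
    state = verify_state(form.get("state", ""), form.get("sig", ""))
    if state is None:
        return "rejected: state signature invalid"
    if form.get("pay") != "yes":
        return "cancelled"
    return f"charged ${state['price']:.2f}"

if __name__ == "__main__":
    payload, sig = sign_state({"order_id": "order-7", "price": 10.00})
    print(submit_order_signed({"state": payload, "sig": sig, "pay": "yes"}))
    # A client that edits the hidden state to price=1.0 cannot forge the tag.
    print(submit_order_signed({"state": payload.replace("10.0", "1.0"), "sig": sig, "pay": "yes"}))
```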
THANK YOU