Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding etc.
Price input 'hack'
Posted by: _Andy
Date: February 25, 2010 10:45AM

I found a trivially located hack in a site I'm testing.

Basically, at one point data is sent to the server that includes a 'price' value and a 'price_hash' value. Now, if you mess with the price value you get the expected error due to the hash. However, if you put through an order for £10 worth of goods, record the hash, restart, fill up with huge amounts of product, then replace the new price and hash with the £10 ones... well, you can guess the rest.

What I was curious about was if it'd be possible for me to gather examples of prices and their associated hashes and brute force them to, for example, produce a hash for $0, or a negative value and have them invoice me negative amounts. :)

As you can gather, I'm not really that clued up on encryption (it's one of the things I instantly forget about after I'm done using it) so any advice is appreciated.


Input examples:

17.50 7C8E283FF7133E2E2872C63B8195F925
10.00 F943DC9D1234331A2069365038506EEB
30.00 E0AB069FC2D5529AD907E0A6D57EEC51
35.00 60ABFA6AC3CBAC82826D44F06E0F8A83
40.00 76595D0C6D3FEDE0CBD1F8ECA2EACDA9
45.00 02517D0681943C8819175EE33C9CA106
50.00 D0616CC0066BFE5DDB965FABA90F5038
55.00 1E08B86F83A4EBDCD4BC16906BD61A68

Edit: Apologies if this is the wrong forum, I wasn't sure where'd be best.


Re: Price input 'hack'
Posted by: lightos
Date: February 25, 2010 11:16AM

It's MD5 probably using a salt. The salt could be anything, from your IP address to some random variable. I would first figure out if the salt is static or if it's based on something dynamic and changes each time you visit the website. If anything, you could always try to bruteforce the salt.
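To make the "bruteforce the salt" suggestion concrete, here is an added example (not from the thread, and not run against the site's real hashes): it takes observed (price, hash) pairs and tries a short list of candidate secrets against several common ways a static salt gets mixed into an MD5 "price hash". The salt `sh0pkey` and the sample pairs are constructed for the example; the actual construction and secret behind the hashes quoted above are unknown. The point worth noticing is that a match is only accepted if it reproduces every observed pair, and that once the construction and salt are known, a tag for an arbitrary value such as `0.00` can be minted.

```python
import hashlib

# Hypothetical secret used only to build constructed sample data for this
# example; the site's real salt (if it has one) is unknown.
_DEMO_SALT = "sh0pkey"


def _md5_hex(s: str) -> str:
    """Uppercase hex MD5, matching the case of the tags quoted in the thread."""
    return hashlib.md5(s.encode()).hexdigest().upper()


# Common ways a static secret gets mixed into an MD5 "price hash".
CONSTRUCTIONS = {
    "md5(salt + price)": lambda salt, price: _md5_hex(salt + price),
    "md5(price + salt)": lambda salt, price: _md5_hex(price + salt),
    "md5(salt + ':' + price)": lambda salt, price: _md5_hex(f"{salt}:{price}"),
    "md5(md5(price) + salt)": lambda salt, price: _md5_hex(_md5_hex(price).lower() + salt),
}


def make_samples(salt: str, construction_name: str, prices: list) -> list:
    """Build constructed (price, hash) pairs the way a target site might."""
    f = CONSTRUCTIONS[construction_name]
    return [(p, f(salt, p)) for p in prices]


def recover_salt(pairs: list, candidate_salts: list):
    """Return (construction_name, salt) reproducing *every* observed pair, else None.

    Requiring all pairs to match (not just one) keeps a 128-bit coincidence or a
    partial match from being reported as a hit.
    """
    for name, f in CONSTRUCTIONS.items():
        for salt in candidate_salts:
            if pairs and all(f(salt, price) == h for price, h in pairs):
                return name, salt
    return None


def forge(construction_name: str, salt: str, price: str) -> str:
    """Once construction and salt are known, mint a valid tag for any price string."""
    return CONSTRUCTIONS[construction_name](salt, price)


if __name__ == "__main__":
    observed = make_samples(_DEMO_SALT, "md5(price + salt)", ["10.00", "17.50", "30.00"])
    hit = recover_salt(observed, ["secret", "password", "sh0pkey"])
    print("recovered:", hit)
    if hit:
        name, salt = hit
        print("tag for 0.00:", forge(name, salt, "0.00"))
        print("tag for -10.00:", forge(name, salt, "-10.00"))
```

In practice the candidate list would be a wordlist (or every string up to some length), and a hit that reproduces all observed pairs is the signal that the salt is static. If nothing matches, that is consistent with either an unguessed salt or a keyed MAC rather than plain MD5, which this loop cannot distinguish.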

Re: Price input 'hack'
Posted by: _Andy
Date: February 26, 2010 03:02AM

Thanks for the reply.

I've repeated it again this morning and the hashes are the same for all of the values I tried. It's probably worth trying from a different IP though, I hadn't considered that.

Out of interest, I'd originally assumed the hashes would be unique to each transaction, so you wouldn't be able to do something like this. Is that right, or am I getting it confused with something? I'll have a dig about, I know I have a cryptography book kicking about somewhere.
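On the question of whether such tags should be unique to each transaction: the replay in the first post works precisely because the tag is a function of the price alone, so a tag captured on one cart verifies on any other cart whose price field is edited to match. The following added example (not code from the thread or from the site under test) puts the weak scheme next to a transaction-bound one: an HMAC over the cart id, the items, the server-computed price and an expiry, using a key that never leaves the server, plus a single-use check. The key, catalogue and cart contents are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from decimal import Decimal

# Hypothetical server-side key and catalogue, constructed for this example.
SERVER_KEY = b"server-only-secret-rotate-me"
CATALOGUE = {"widget": Decimal("10.00"), "gadget": Decimal("17.50")}


# --- The weak scheme the post describes: the tag depends only on the price ---

def weak_tag(price: str, salt: str = "sh0pkey") -> str:
    return hashlib.md5((price + salt).encode()).hexdigest()


def weak_verify(price: str, tag: str) -> bool:
    # Nothing ties the tag to *this* cart, so a tag captured on a 10.00 order
    # verifies for any other cart whose price field is edited to 10.00.
    return hmac.compare_digest(weak_tag(price), tag)


# --- A transaction-bound alternative -----------------------------------------

def server_price(items: dict) -> Decimal:
    """The server recomputes the total from its own catalogue; the client's
    price is at best a hint to be cross-checked, never the source of truth."""
    return sum((CATALOGUE[name] * qty for name, qty in items.items()), Decimal("0"))


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_tag(cart_id: str, items: dict, ttl_s: int = 900, now=None) -> dict:
    """Sign cart id, items, server-side price and expiry together."""
    now = int(time.time()) if now is None else now
    body = {"cart_id": cart_id, "items": items,
            "price": str(server_price(items)), "exp": now + ttl_s}
    body["tag"] = hmac.new(SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_tag(order: dict, now=None) -> bool:
    """Reject expired, tampered or transplanted tags; also re-price the cart."""
    now = int(time.time()) if now is None else now
    tag = order.get("tag")
    if tag is None or now > order.get("exp", 0):
        return False
    body = {k: order[k] for k in ("cart_id", "items", "price", "exp") if k in order}
    expected = hmac.new(SERVER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    # Belt and braces: the signed price must still match the catalogue.
    return Decimal(order["price"]) == server_price(order["items"])


def redeem(order: dict, used: set, now=None) -> bool:
    """Single use: a tag that has been redeemed once is refused afterwards."""
    if not verify_tag(order, now) or order["tag"] in used:
        return False
    used.add(order["tag"])
    return True


if __name__ == "__main__":
    t = 1_000_000
    # Weak scheme: the cheap tag is transplanted onto a huge cart and passes.
    print("weak replay accepted:", weak_verify("10.00", weak_tag("10.00")))
    # Bound scheme: same transplant fails because cart id and items are signed.
    cheap = issue_tag("cart-A", {"widget": 1}, now=t)
    big = issue_tag("cart-B", {"gadget": 40}, now=t)
    forged = dict(big, price=cheap["price"], tag=cheap["tag"])
    print("bound replay accepted:", verify_tag(forged, now=t))
```

The design choice to note is that the server never trusts the submitted price at all: it signs what it computed itself and re-prices on the way back in, so even a valid tag cannot buy goods at a stale total. Binding the expiry and keeping a store of redeemed tags is what makes the tag unique to one transaction rather than to one price.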

