Building a spam-secure app using a token system

A token system can be used to prevent spamming. With a per-request token, the server-side code can verify that a request is genuine before processing it.

1. On page load, create the token (a long random alphanumeric value) on the server side and send it to the client, where it is placed in a hidden input.
2. Create a session variable and store the token value in it.
3. When the client submits the form again, it sends the hidden-input token along with the HTTP request.
4. On the server side, the token in the session variable and the token sent by the client are compared.
5. If they match, process the request, then create a new token and store it in the session variable again.
6. If they do not match, throw an error message.
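The six steps above as a complete, runnable example. This is added illustration code, not the source from the original post's demo; the `session` dict stands in for whatever server-side session store the web framework provides (an assumption, since the post does not name a framework), and the function names are mine. The important details are the constant-time comparison and rotating the token before the real work is done, so a replayed copy of the same request is already stale.

```python
import hmac
import re
import secrets


def new_token() -> str:
    """Step 1: a long random alphanumeric token, generated server-side."""
    return secrets.token_hex(32)  # 64 hex characters, 256 bits of entropy


def render_form(session: dict) -> str:
    """Steps 1-2: issue a token, remember it in the session, embed it as a hidden input.

    `session` stands in for the framework's per-user server-side session (assumption)."""
    token = new_token()
    session["form_token"] = token
    return f'<form method="post"><input type="hidden" name="token" value="{token}"></form>'


def token_from_html(html: str) -> str:
    """Step 3: what a genuine client does, read the hidden input and send it back."""
    match = re.search(r'name="token" value="([0-9a-f]+)"', html)
    return match.group(1) if match else ""


def handle_submit(session: dict, posted: dict) -> tuple[bool, str]:
    """Steps 4-6: compare the session token with the posted one, rotate on success."""
    expected = session.get("form_token")
    supplied = posted.get("token", "")
    # compare_digest keeps the comparison constant-time, so the token cannot be
    # recovered byte by byte from timing differences. A missing token fails too.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "error: missing or stale token"
    # Step 5: rotate *before* doing the real work, so a second copy of the same
    # request arriving while this one is being processed is already stale.
    session["form_token"] = new_token()
    # ... process the request here (send the mail, insert the row, create the file) ...
    return True, "processed"


def replay_scenario() -> tuple[bool, bool, bool]:
    """Genuine submit, then the same request replayed, then a forged token."""
    session: dict = {}
    token = token_from_html(render_form(session))
    first = handle_submit(session, {"token": token})[0]      # genuine: True
    replay = handle_submit(session, {"token": token})[0]     # replayed: False
    forged = handle_submit(session, {"token": "a" * 64})[0]  # guessed token: False
    return first, replay, forged


if __name__ == "__main__":
    print(replay_scenario())  # (True, False, False)
```

Because the token lives in the server-side session and changes on every successful request, an attacker who captured one valid request cannot resubmit it, and the form cannot be submitted from another origin without first loading the page in the victim's session.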

Try the application. Below are the demo link and the source code.

Demo Download source

Spamming vulnerable application

Spamming is a common issue found in web apps. Modules that send notifications by email or phone, or that perform operations such as database insertion or file creation on the server, are the usual places where spamming can be done when they are vulnerable.

If the application cannot identify a forged request and entertains the same request several times, an attacker can use it to spam a registered user, or any user, depending on the application's behavior.

Below are the demo link and the source code of the spamming-vulnerable app.

Demo Download source

An email notification service can be used as an email bomber

Nowadays every app has a module for notifying users through email. When that email module or service is written carelessly it can be seriously misused: an attacker can spam the inbox of any user if the app is vulnerable to this issue. Below is an example of a vulnerable web app test, with explanation.

Suppose the reset-password functionality is vulnerable to email bombing.

URL: https://example.com/lost-password

Open it and you see a form that notifies you by email. Enter an email address and send the form, while monitoring and capturing the request.

For this example I captured the following headers:

POST /lost-password HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/lost-password
Cookie: lang=en; xyz
Connection: keep-alive
Upgrade-Insecure-Requests: 1

POST data:
action=send
email=test@test.com

Looking at the headers and body, we can see that there is no way for the web server to track the user or to validate that the request is genuine. So the same request can be replayed with different POST data from any client.
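The lost-password endpoint above has no session, so the per-session token from the first post does not apply on its own; the usual complement is to throttle how often the mail can be triggered per target address and per client address. The following is an added example (not code from the original post or from any real site) of a sliding-window limiter applied to the captured request; the IP address, the `LostPasswordService` glue and the replayed request timeline are all constructed for illustration.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside any `window`-second span."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class LostPasswordService:
    """Stand-in for the /lost-password handler (assumption: real framework glue differs)."""

    def __init__(self, per_email: int = 3, per_ip: int = 10, window: float = 3600) -> None:
        self.by_email = SlidingWindowLimiter(per_email, window)
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        self.sent: list[str] = []  # stands in for the mailer

    def handle(self, client_ip: str, body: str, now: float) -> str:
        form = parse_qs(body)  # parses "action=send&email=test@test.com"
        if form.get("action") != ["send"]:
            return "ignored"
        email = form.get("email", [""])[0].strip().lower()
        if not email:
            return "ignored"
        # Check the client address first so one client cannot burn through
        # the per-address budget of many different victims.
        if not self.by_ip.allow(client_ip, now) or not self.by_email.allow(email, now):
            return "throttled"
        self.sent.append(email)
        return "sent"


# Constructed timeline: the captured POST replayed every 10 seconds from one client.
REPLAYED_REQUESTS = [
    ("203.0.113.7", "action=send&email=test@test.com", 10.0 * i) for i in range(5)
]


def replay_outcome() -> tuple[list[str], str]:
    """Outcome of the five replays, then of one more request after the window passed."""
    svc = LostPasswordService()
    burst = [svc.handle(ip, body, t) for ip, body, t in REPLAYED_REQUESTS]
    later = svc.handle("203.0.113.7", "action=send&email=test@test.com", 3700.0)
    return burst, later


if __name__ == "__main__":
    print(replay_outcome())  # (['sent', 'sent', 'sent', 'throttled', 'throttled'], 'sent')
```

In a real deployment the "throttled" branch should still return the same page as the "sent" branch, so the response does not reveal whether the address is registered; the limiter state would also live in a shared store rather than in process memory.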

Continue reading

crawler4j example | Java web crawler

Why write the whole thing from scratch if the same thing is already available? Better to build on top of it, isn't it?

A framework says: concentrate on your objective rather than on the supporting things needed to accomplish it. The framework provides the facilities and tools and expects the programmer to build on top of them.

crawler4j is a framework that provides a multi-threaded crawler with some extra features such as logging, customization and crawling of password-protected sites.

Here is a small example to get started with crawler4j.
Build environment: Maven

Continue reading

Poor usage of the HTML hidden input field can lead to a major web vulnerability

E-commerce sites, online premium service providers and many others use a payment medium to collect payment by credit card, net banking, etc. Payment gateways are the integration layer between the web application and the banking service layer. These gateways are mostly loosely coupled, third-party source code provided by authorized payment gateway providers. Examples of payment gateways are PayPal, Authorize.Net and SecurePay.

Once I found a serious issue on all the bharatmatrimony.com applications. The payment medium was suffering from CSRF that was leading to access to their premium services for free. I contacted the organization regarding the same and reported the issue upfront. Although I wasn't expecting anything much in return, being a very good startup, they should have given something for the issue that may have led to a serious loss to them. Those greedy, smart executives pulled out all the bug information from me and called me cya in the end. 😛

Along similar lines, the demo issue is explained below.

Continue reading