NetTalk Central

Author Topic: Link and Hack  (Read 6812 times)

Alberto

  • Hero Member
  • *****
  • Posts: 1873
    • MSN Messenger - alberto-michelis@hotmail.com
    • View Profile
    • ARMi software solutions
    • Email
Link and Hack
« on: March 19, 2009, 08:50:27 AM »
Hi,
Once a user registers for first time, I send him an email to verify he is wanting to register and the email box.
In my firt aproach I add a link in the email like :

http://ServerIP&'/vRegister?USU__ID='&usu:Id&'&Change_btn=Change'&>Click here to finish your registration.</a>

Then I realized that if the user wants he can modify the link and have access to another user data.
Then I crypt the user ID but the link not even shows the user id but also the way the pages are acceced, the name of the page vRegister and the mode Change.

Is there any other way to do it?

Thanks
Alberto
-----------
Regards
Alberto

Rob Mikkelsen

  • Full Member
  • ***
  • Posts: 107
    • Yahoo Instant Messenger - flashpott
    • View Profile
    • Email
Re: Link and Hack
« Reply #1 on: March 19, 2009, 01:41:19 PM »
You could encrypt the user ID in Base64 - it is reversable, but not as obvious as clear text.  Then you would simply have to decrypt it on the other side before proceeding.

I am sure that there are more secure encoding methods, but this is a simple solution and I think the algorithm is already included in NetTalk (or is that XFiles?).

Rob

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Link and Hack
« Reply #2 on: March 19, 2009, 10:19:52 PM »
Hi Alberto,

if you choose a number as your usu:id field, then yes the user could change the url to be another number. But so what? What can the form do that would be malicious to another user?

the first line of attack would be to make the userId say a random 16 character string. Or at the very least a random number, not an auto-incremented number. Trivial to do and either would have a useful effect.

Or, make a new memory table - and in it have a "user id" field, and a (randomly generated) index field. Use the index field in the URL, then on the server map it to the User ID field.

But yes, there's another way.

Simply don't use a form. Use a NetWebPage. Then code the specific functionality you like onto the page. In this case "read user from file, set allowed to 1, write record away". Since this is all the page can do there's no need for the Change button parameter, and the user can't do anything malicious.

TIP: Outlook requires that the text displayed be the whole link and nothing but the link or it will suppress it. This is an anti-fishing measure. So your link cannot have alternate text "eg Click here to finish your registration". It must show the user the complete, and whole, URL.

Cheers
Bruce


Alberto

  • Hero Member
  • *****
  • Posts: 1873
    • MSN Messenger - alberto-michelis@hotmail.com
    • View Profile
    • ARMi software solutions
    • Email
Re: Link and Hack
« Reply #3 on: March 20, 2009, 04:41:45 AM »
Hi Bruce,

Suppouse I crypt the user ID and delete the change_btn of the link, something like:

www.mydomain/form/id=09896875774744

Where in the form must I decrypt the id and fix the action to change?

Thanks
Alberto
-----------
Regards
Alberto

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Link and Hack
« Reply #4 on: March 20, 2009, 05:02:39 AM »
it's not that simple.
A form needs the parameters done specifically the way they're done.

If you want to fiddle, then you need to code it into a netWebPage.

Cheers
Bruce