May 2015

How to avoid unknown security logic flaws in a Web application

MySQL security flaw

Recently I had to work on a HIPAA-compliant project, so we had to be more conscious about web and application security. I covered the server side by limiting the publicly accessible ports and installing tools such as apf and bfd against web DDoS attacks, which was easy since the platform runs on the Amazon EC2 service. After setting up the web nodes and database servers, while working on MySQL optimization I found that most of the columns in the application's user table are stored encrypted.

Since the project had not yet gone to production, I tried some simple logic to get into user accounts from the login table even though user names and passwords are stored in encrypted form, to show that anyone with web access to the application database could obtain a user's login easily.

1. Credentials I had: the MySQL user name and password, plus the phpMyAdmin URL.

My technique

a. I found that users' email addresses are stored in plain text, so I could read them. I replaced the target user's email address with my own directly through the phpMyAdmin (PMA) web access.
b. Next I went to the application login screen and found the "forgot password" link.
c. I entered my email address there and clicked the forgot-password option.
d. Soon I received a password recovery link, and the mail body also told me the user name.
e. I was able to reset the password and log in to that user's account in the application.

That user account is hacked!! 🙂 using nothing but the application's own logic.

How I hid my activity

Before doing any of this I simply saved the old encrypted password value and the user's original email address to a text file. Once I was done, I also kept the new password value (the one written by the password recovery link) 🙂. So whenever I want to access that user's account, I just write my password value into the password field, do what I need, and put the original value back afterwards.

Lesson: if you are a project manager, DBA or on the information-security side of such an application, you must also encrypt every field the forgot-password flow relies on: email address, mobile number, security questions and their answers. Otherwise you are leaving a door open for your own team members to hack the application or damage its reputation and security. Two caveats a practitioner will want here: encrypting a column on its own does not stop someone who can also write to the table, because they can copy a valid ciphertext from a row they control unless the value is bound to its row (an authenticated-encryption tag or HMAC keyed by the application, never by the database); and every direct UPDATE made through phpMyAdmin is recorded in the MySQL binary log when it is enabled, so access to the users table should be least-privilege and its changes audited, because restoring the old values hides the activity from the application, not from the log.
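The following is an added example, not code from the original post or its project, showing one way to make the attack above fail: the application keeps an HMAC over the recovery-relevant fields of each user row under a key that never touches the database, and the forgot-password step refuses to send a link when that tag does not verify. The schema (users with id, email, password_hash, row_tag), the key, the PBKDF2 password hash and the sample users are all assumptions made for the demonstration.

```python
"""Added example (not the original post's code): bind a user's password-recovery
fields to their row with an application-held HMAC, so that someone with direct
MySQL/phpMyAdmin write access, but without the application key, cannot
redirect a password reset by editing the email column.

Assumed schema: users(id, email, password_hash, row_tag).  All names are
hypothetical.
"""
import hashlib
import hmac
import secrets

# Assumption: this key lives in the application's config or secret store,
# never in the database, so a DBA-only attacker does not have it.
APP_ROW_KEY = b"example-key-kept-outside-the-database"


def row_tag(user_id, email, password_hash, key=APP_ROW_KEY):
    """HMAC over the fields an attacker would edit to hijack an account.
    Each field is length-prefixed so "ab"+"c" and "a"+"bc" cannot collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in (str(user_id), email, password_hash):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def hash_password(password, salt=b""):
    """Constructed stand-in for the app's password storage (salted PBKDF2)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def make_user_row(user_id, email, password):
    """What the application writes when it creates or updates a user."""
    pw_hash = hash_password(password)
    return {"id": user_id, "email": email, "password_hash": pw_hash,
            "row_tag": row_tag(user_id, email, pw_hash)}


def row_is_intact(row):
    """True only if email and password_hash are the values the app last wrote."""
    expected = row_tag(row["id"], row["email"], row["password_hash"])
    return hmac.compare_digest(expected, row["row_tag"])


def request_password_reset(row, requested_email):
    """The 'forgot password' step.  It fails closed on a tampered row and
    should raise a security alert; the caller gets no hint which case it was."""
    if not row_is_intact(row):
        raise PermissionError("users row %d failed integrity check" % row["id"])
    if not hmac.compare_digest(row["email"].encode("utf-8"),
                               requested_email.encode("utf-8")):
        raise LookupError("no such account")
    return "https://app.example/reset?uid=%d&token=%s" % (
        row["id"], secrets.token_urlsafe(32))


def demo():
    """Replays the post's scenario on constructed rows; returns what each
    step of the attacker's plan achieves against the integrity check."""
    victim = make_user_row(42, "victim@example.org", "correct horse battery staple")
    attacker = make_user_row(7, "attacker@example.net", "hunter2")
    results = {"untouched": row_is_intact(victim)}

    # Step a of the post: swap the victim's email via a direct DB write.
    tampered = dict(victim, email="attacker@example.net")
    results["email_swapped"] = row_is_intact(tampered)

    # Smarter attacker: copy every column of their own row into the victim's
    # row.  The tag still fails because it is bound to id 42, not id 7.
    tampered = dict(attacker, id=42)
    results["tag_copied"] = row_is_intact(tampered)

    # The forgot-password step refuses to mail a link for either tampered row.
    try:
        request_password_reset(tampered, "attacker@example.net")
        results["reset_blocked"] = False
    except PermissionError:
        results["reset_blocked"] = True

    # "How I hid my activity": restoring the original values byte-for-byte
    # makes the row intact again, which is why the binary log or an audit
    # trail is still needed alongside the integrity tag.
    results["restored"] = row_is_intact(dict(victim))
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs inside the application, so it costs one HMAC per login or reset and needs no schema change beyond the extra column; the trade-off is that a DBA who corrupts a row can now lock that user out, which is the intended fail-closed behaviour and should page someone rather than be silently repaired.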

The second story, which I came across today

This is the main reason I wrote this post today. I received an email from one of our marketing people (working in India) introducing some new service features. He had simply forwarded an email he received from his line manager.

Its contents are shown below (some areas cropped).


See the email un-subscription link marked in red.

I just clicked the link and it opened a GoDaddy window to unsubscribe from the features listed on the screen. It never asked me for the email address that is on GoDaddy's list, so I simply ticked every feature listed. That person (the one whose address the GoDaddy newsletter actually goes to) will not receive any more email from GoDaddy 🙂. I did it for him.

This is also a kind of logical hacking, since the system designer did not think the way I did. The link itself is the only credential: whoever holds a copy of the mail, including everyone it is forwarded to, can act on the subscriber's behalf, and nothing in the flow confirms that the person clicking is the person subscribed.

I mention these two scenarios to raise awareness of the weak logic that can sit inside systems claiming high security for their application.

Moral of the story: a door will always be open somewhere in our existing systems until someone explores it. So just keep praying that "someone" is not a real "cracker" 🙂

All the best 🙂 and have a secure life.
