URL Injection to Circumvent Web Security

I have worked as a web developer full-time for the past three years. Before that, I worked as a freelance web developer gaining experience and becoming proficient as a programmer. Over time, I was able to see common themes among websites I was hired to improve. Most websites are not designed with security in mind. In fact, most websites are created with only one goal in mind — to have a presence on the web as cheaply as possible. This creates major complications with the security of these websites.

Most of the time, especially with smaller businesses, I have found that business websites were created by an employee already on the payroll. In most cases this employee had only a little programming or web design experience. This was done because the company didn’t want to hire another employee to handle the website or consult with a dedicated web design company. When websites are created by these employees, they are thrown together and do not work as intended. Features have been added on request without security in mind.

When looking at poorly produced websites, they do not pass even the most basic validation tests. Sometimes these error-filled websites are produced by larger companies that are prominent in certain areas. Thousands of people look at these websites every day without realizing that their information is at risk. It really bothers me when websites that were not designed with security in mind start to take payments for services. I was appalled, while working freelance, to find a number of high-profile clients that were not updating the payment services on their websites because doing so would break features they had hacked into their core.

To me this is unacceptable. When clients put faith in a company and blindly pay over the internet, the company should be required to protect their information. There are too many cases of identity theft in the world today not to hold companies liable for identity and data theft.

An example of a company not updating its paid plugins is the Altoona Mirror newspaper website. The Altoona Mirror is the official newspaper of Blair County in Pennsylvania. This hits close to home for me because I have a lot of family around the area that read the Altoona Mirror. The Altoona Mirror website is located at http://altoonamirror.com and does not transmit data over an HTTPS connection. The website uses a plugin called MediaPass to collect payment from readers for access to full articles. Each article that includes the plugin transmits data over an HTTP connection even though there is a line on the form that says, “This form is secure.”

This is just a poor implementation of a plugin on a website. The goal of using MediaPass is to get website visitors to pay to continue reading the articles found on the website. There are a lot of newspapers on the internet using a similar, if not the exact same, plugin. The problem is that there is no security in place to prevent someone from circumventing the plugin.

This starts with the website using an HTTP connection. When someone visits the website, their data is sent to the server in the clear. This means their information can be read by someone else on the same wireless network. With a tool like Wireshark, they can sniff the traffic being sent to the server and see what the user is sending. Since this is an open connection, that information is not secure. (Pedersen, p. 268) Someone can perform a man-in-the-middle attack and collect all of the information that is being sent.

Since this plugin is included in a page that is not secure, it does not matter if it displays a message saying it is secure. It is not. This could trick users into believing their information is safe when filling out the form. The form itself has a field for every piece of credit card information, so all of that information is submitted through this form over an insecure connection. And because the connection is insecure, there is also a way to circumvent this pay-to-read service.

Since there is no validation of the data, one can brute-force their way into the website. The way to do this is to trick the server into believing that the payment service has been validated on the other end. Once again, since this is not using a secure connection, there is really no way of stopping this from validating correctly.

Making matters worse, the website takes the information it needs to load the page from the URL. There is a string attached to the end of the URL that reads ?nav=742. The number is not the same for all articles; it appears to be random. This is the key to validating the MediaPass plugin. Since it is part of the URL, there are no measures in place to stop it from being changed. To exploit the insecure transmission, the correct key would have to be passed through the URL. The ?nav= part of the string has to stay, since it tells the browser to navigate to the correct location.

From here, we are looking at the number in the URL. Since this number changes from page to page, there is no sure way to know what the key would be. From a social engineering standpoint, one could watch someone who does have access log in to view an article and observe how the URL string changes to see what was permitting access. Unfortunately, we do not know anyone who has access, so it will take a brute-force algorithm to gain access to the page. Our algorithm will be a depth-first search through the page to find the missing content. This is well suited to a website because of how pages are laid out and stored using tags. (Luger, 2009, p. 100)

By observing the pages, one can see that the number on each page is always three digits. This is the starting point of the attack. Plugging in random numbers by hand to see if any of them give access to the page would take a lot of time. Writing a script to do it instead saves the time of going through every three-digit number combination manually.

I used Python to create a script that requests a URL from the internet. The request pulls the web page and looks through its content. This is a single call to a package included in the Python standard library. (Python) Using an if statement, we can check whether the MediaPass element is being loaded. If the MediaPass element is actively blocking content on the page, it will be loaded and visible to the Python program.

This element uses a class with the prefix mp-. This prefix occurs on the page only when the MediaPass plugin is blocking content. Analyzing the content in a browser, one can test whether modifying the CSS will show the content. Blocking the element this way does not show the content. The content is still being loaded through the URL query because MediaPass does not hide the content inside the code. Using this as a starting point, if the mp- prefix is found when Python loads the website, the script increments the number appended to the URL.

So the code starts with a string value of 000. This was chosen because of the three digits in place on other pages. The URL is loaded in Python and checked for the mp- prefix. If the mp- prefix is found, the script discards the page content and increments the string value by one, so next it tries 001 and so on. Once it loads a page that does not have the mp- prefix in the content, it stops searching and returns the URL string value for manual testing.

Using this idea, I was able to crawl through the page and reach a value where no mp- prefix was found. This was the number 760. When 760 is the value passed through the URL, the MediaPass plugin does not load; it validates the user and the complete article is loaded. This took a few minutes for the program to test, but it was successful. I tested the 760 value on a few other articles and it worked for all of the ones I tested. I did this over a period of a few days and it still works.
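The root cause described above is that the entitlement decision hinges on a value the visitor controls in the URL, with no validation on the server. The following is an added illustration, not code from the page or from MediaPass: a constructed model of that weak pattern beside a hardened version that decides from server-side session state, plus a detector that flags a client sweeping the three-digit ?nav= space in access logs. All names, the session store and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed server-side state (assumption): session id -> paid subscriber?
SUBSCRIBERS = {"sess-alice": True, "sess-mallory": False}
ARTICLE_BODY = "full article text"
TEASER = "first paragraph only (mp-paywall)"

def nav_value(url: str) -> str:
    """Return the ?nav= query value, or '' if absent."""
    return parse_qs(urlparse(url).query).get("nav", [""])[0]

def vulnerable_render(url: str) -> str:
    """Constructed model of the weak pattern: a URL value alone unlocks
    content. Anyone who can enumerate the value gets the article."""
    return ARTICLE_BODY if nav_value(url) == "760" else TEASER

def hardened_render(url: str, session_cookie=None) -> str:
    """?nav= is used only for navigation; entitlement comes from the
    server-side session, which cannot be forged by editing the URL."""
    if not re.fullmatch(r"\d{3}", nav_value(url)):
        return TEASER  # reject malformed navigation values outright
    entitled = SUBSCRIBERS.get(session_cookie, False) if session_cookie else False
    return ARTICLE_BODY if entitled else TEASER

# Detection: a client requesting many distinct ?nav= values for one
# article is the brute-force pattern described on the page.
LOG_RE = re.compile(r'^(\S+) .*"GET (\S+) HTTP/1\.[01]" (\d{3})')

def enumeration_suspects(log_lines, threshold: int = 20):
    """Return client IPs that requested >= threshold distinct ?nav= values."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        nav = nav_value(path)
        if nav.isdigit():
            seen[ip].add(int(nav))
    return sorted(ip for ip, navs in seen.items() if len(navs) >= threshold)

# Constructed access-log sample: one ordinary reader, one client sweeping
# nav=000..024 against the same article.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2015:10:00:00 +0000] "GET /article/1?nav=742 HTTP/1.1" 200 5120'
] + [
    f'198.51.100.9 - - [02/Dec/2015:10:01:{i:02d} +0000] '
    f'"GET /article/1?nav={i:03d} HTTP/1.1" 200 2048'
    for i in range(25)
]
```

Running `enumeration_suspects(SAMPLE_LOG)` over the constructed log reports only the sweeping client, and `hardened_render` returns the teaser for any ?nav= value unless the session is a paid one.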

My original thought was that it would not load every article using the same string, so this worked out better than expected. Since the other pages had different initial values, the assumption was that each would have its own unique key. With this not being an issue, a browser extension could be created to change the value automatically, granting anyone access. This was a penetration test done to circumvent security protocols. It only works because the server does not use HTTPS when transmitting data. I found a similar site that used the same MediaPass plugin, but I was not able to penetrate it because it was using an HTTPS connection. An HTTPS connection is easy to set up and something a website owner cannot ignore.

References

  • Luger, G. (2009). Artificial intelligence: Structures and strategies for complex problem solving (6th ed.). Boston: Pearson Addison-Wesley.
  • Pedersen, T. (n.d.). HTTPS, Secure HTTPS. Encyclopedia of Cryptography and Security, 268–269.
  • Python 3.5.1 documentation. (n.d.). Retrieved December 2, 2015, from https://docs.python.org/3/

Attachments

The actual Python script testing was completed on a Linux computer running Ubuntu 15.04 and Python 3.4.

First example of a screenshot showing an article with the paywall active
First example of a screenshot showing the paywall removed from the article
Second example of a screenshot showing an article with the paywall active
Second example of a screenshot showing the paywall removed from the article
