Web Registration - How not to write a registration web page
-----------------------------------------------------------
Written by Israel Torres
Wednesday, 11 January 2006

Note: This article depicts real situations about real website security. Targets have been altered to save face in this demonstration. Do not try this at home unless you are capable of accepting responsibility for your own actions.

Today I was surfing around and saw an interesting link to a software utility I considered playing with. It stated it was freeware that offered no further support, but it had a registration page that required me to give it information before downloading it (showing that nothing is free)...

[Image: IT_ex0_1_first_page.gif - Demonstration Registration Page]

This is the perfect opportunity to demonstrate how security awareness and the actual application of that awareness work together. So begins the process of bypassing this page legally.

Eyeballing the registration page does not reveal whether they have strict measures to validate the data, and you shouldn't freely give out your information to "strangers" (who knows what they'll really do with it). The quickest test is to click the submit button without entering any information.

*Click*

[Image: IT_ex0_2_javascript.gif - JavaScript Error Message]

... and it looks like they check to see if the text fields are empty. A nice try at extracting your information. It still isn't revealed to what extent they validate the submitted data, so the next step is to check out the source code they put on your machine. You can right-click and View Source, but sometimes they have scripting to obscure this (it only hides the context menu; the HTML still has to reach your browser before it can be rendered). The way that works all the time is to go to your browser's menu bar and click View->Page Source (for Mozilla Firefox).

[Image: IT_ex0_3_MozillaFirefoxPageSource.gif - View Page Source]

This will bring up a new window with the underlying HTML source your browser is rendering.
You need to quickly scan the page for the FORM ACTION tag.

[Image: IT_ex0_4_sourcecode.gif - View Source]

Upon finding the tag you need to examine the action itself, which in this case is a destination PHP page. It is almost like you have become a great seer of the future: you now know where to look next. For this demonstration it is IT_ex0_submit.php.

Simply copy the original address from your browser's address bar:

http://blacklisted411.israeltorres.org/IT_ex0_web_registration_bypass.htm

and truncate the last path component, leaving the directory the page lives in (it won't always be the root, so you need to check the paths carefully: a relative action is resolved against the page's own directory, and one starting with "/" against the site root). You end up with the base address:

http://blacklisted411.israeltorres.org/

Now append the PHP page found in the form action tag to the end of that URL, so the result is:

http://blacklisted411.israeltorres.org/IT_ex0_submit.php

Make sure the new address you put together is in your address bar and click GO to find out where it leads:

[Image: IT_ex0_5_final_page.gif - Congratulations!]

Wow, you are in. In this case there was nothing in the PHP server script to validate the information at all. They were relying entirely on the client's JavaScript to hassle people who want to download this freeware until they either fill it in or go away. Note what actually happened: the request typed into the address bar carried no form fields at all, and the JavaScript check never ran because the form was never submitted. Anything enforced only in the browser is enforced only for users who choose to let it run.

I have no idea why someone would write this type of validation process where there is no enforcement. Obviously they are getting overpaid and don't get audited on a regular basis. I can only assume that this flaw is due to "copy and paste syndrome" on the webmaster's part. Ideally you would write a function (in the PHP) that also checks the data posted to the site from the form: the same required-field check the JavaScript performs, repeated where the user cannot switch it off, with any request that arrives without the fields rejected instead of served. As demonstrated, you are passing in nothing and still getting what you seek, legally. It looks like they don't even know what they are doing with your information (appalling; look here). The next time you see a registration page do not despair.
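The two steps above (resolving the form action against the page address, then requesting it with no data) next to the server-side check that would have stopped it, as an added JavaScript (Node.js) example. This is not code from the article or from the demonstration site, whose real form and PHP are not shown: the field names name and email, the file name, the HTML snippet and the handler functions are assumptions for illustration. It goes slightly beyond the article's manual URL truncation by resolving relative, root-relative and absolute actions the same way a browser does.

```javascript
// Added example (not the article's or the demo site's code). Node.js, no
// dependencies. Field names, file name and the HTML snippet are assumptions.

const REQUIRED_FIELDS = ['name', 'email']; // assumed registration fields

// Step 1: find the form action in the page source and resolve it against the
// page address. The article truncates the URL by hand; URL resolution handles
// the cases the article warns about (page not at the root, root-relative or
// absolute action) without guessing.
function resolveFormAction(pageUrl, html) {
  const m = /<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/i.exec(html);
  if (!m) throw new Error('no <form action> found in page');
  return new URL(m[1], pageUrl).href;
}

// Step 2: the check the page relied on. This mirrors the onsubmit handler that
// produced the JavaScript error: every required text field must be non-empty.
// It runs in the user's browser, so the user can simply not run it.
function requiredFieldsPresent(fields) {
  return REQUIRED_FIELDS.every(
    (f) => typeof fields[f] === 'string' && fields[f].trim() !== ''
  );
}

// What the submit script sees: the request body decoded as form data. A URL
// typed into the address bar carries no body, so this yields an empty object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body || ''));
}

const DOWNLOAD = 'Congratulations! Download: utility.zip'; // assumed response

// Step 3a: the vulnerable submit script as the article found it. It assumes
// the browser already validated and serves the download to any request.
function vulnerableSubmit(req) {
  const fields = parseForm(req.body);
  return { status: 200, body: DOWNLOAD, fields };
}

// Step 3b: the same script with the check moved to where it is enforceable.
// Only a POST carrying the fields gets through: the address-bar bypass gets
// 405 and an empty form gets 400, whatever the client-side JavaScript did.
function hardenedSubmit(req) {
  if (req.method !== 'POST') {
    return { status: 405, body: 'Method Not Allowed' };
  }
  const fields = parseForm(req.body);
  if (!requiredFieldsPresent(fields)) {
    return { status: 400, body: 'Missing required registration fields' };
  }
  return { status: 200, body: DOWNLOAD, fields };
}

// Constructed page source standing in for the demonstration page's HTML.
const PAGE_URL =
  'http://blacklisted411.israeltorres.org/IT_ex0_web_registration_bypass.htm';
const PAGE_HTML = `<html><body>
<form name="reg" action="IT_ex0_submit.php" method="post" onsubmit="return validate(this)">
 Name: <input name="name"> Email: <input name="email"> <input type="submit">
</form></body></html>`;

// Walk through the article's bypass against both versions of the script.
function demo() {
  const target = resolveFormAction(PAGE_URL, PAGE_HTML);
  const bypass = { method: 'GET', body: '' }; // URL pasted into the address bar
  return {
    target, // http://blacklisted411.israeltorres.org/IT_ex0_submit.php
    vulnerable: vulnerableSubmit(bypass).status, // 200: you are in
    hardened: hardenedSubmit(bypass).status, // 405: bypass blocked
    hardenedEmptyPost: hardenedSubmit({ method: 'POST', body: 'name=&email=' })
      .status, // 400: same check, now on the server
    hardenedFilledPost: hardenedSubmit({
      method: 'POST',
      body: 'name=Israel&email=it%40example.test',
    }).status, // 200: a real submission still works
  };
}

console.log(demo());
```

In a real Node.js server these handlers would be called from http.createServer with the request method and the collected body; the point is that requiredFieldsPresent is the same function in both places, and only the server-side call is one the visitor cannot skip.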
Take a deep breath and investigate further to check if the webmaster is as smart as they think they are. You'll be surprised. :)

You can try out the demonstration (and even download it) here:

http://blacklisted411.israeltorres.org/IT_ex0_web_registration_bypass.htm

Don't bother submitting real information, as it is for demonstration purposes only. The idea is to follow along with this article and use it as an example of bypassing poorly written registration mechanisms.

Keeping it ‘rael,
Israel Torres