Hacking using Firebug and similar browser add on
Hi All
In modern browsers today many tools are available to help developers edit CSS and HTML on the go, such as Firebug for Firefox and the built-in ones for Chrome and IE.
They both have the ability to change the elements inside a web page.
Is there a case where a web user changes an element and that causes a bug to be sent to the web server or perhaps the database? For example, changing the JavaScript or an HTML element id before submitting something?
Let's say it is a heavy web application and database like Openbravo ERP (I remember it using PHP, not sure).
For example, when opening a page from a menu, the page is automatically fetched using the id of the menu item, such as "menu_salesorder". The user then changes the id using Firebug to another name, let's say a sensitive page, then clicks it, which brings him to a page which is not allowed (I understand that we can check the permission, this is just a small example).
I checked Microsoft Office Live Excel and Google Docs; using Firebug, it didn't save the inputted value in the HTML.
Sorry if the example is not clear, I just feel that there is something that will eventually cause a bug using tools like that.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Hacking using Firebug and similar browser add on
I think if your site isn't properly secured then there probably is an inherent danger to your site, using developer tools or not. I'm not an expert on this but I don't think it's possible to modify the code on the web server by using a tool like Firebug; you can modify the copy that you are viewing, not the original, and any modifications aren't permanent.
wpsd2006 wrote: The user then changes the id using Firebug to another name, let's say a sensitive page, then clicks it, which brings him to a page which is not allowed (I understand that we can check the permission, this is just a small example)
This can also be done via query string manipulation so as you mention, checking is an important part of security.
Back to the original question (or one of them): I'm not aware of any such cases as that would probably be the end of such a tool. I did find a page where the author claimed to have hacked a Netgear router so I guess it is possible to some extent.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: Hacking using Firebug and similar browser add on
This is where it is important to ALWAYS validate things coming from a user. They can only "hack" as far as your script will let them.
An example, had to fix a shopping cart once, the "Add To Cart" form had a SELECT for options, values were PK~PRICE, so that javascript could grab the price and update it on the page each time you changed which option you had. Well when they wrote the code to process add to cart, instead of actually reading the database for the price, they went the easy route and used the posted value. So you could use firebug to change a $199.95 item down to $19.95 and get all the way to checkout and it would keep that price and let you just pay $19.95.
Firebug CANNOT directly access/change data on a server, it can only use (and/or abuse) methods the programmer allowed the outside to interact with the server.
-Greg
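The add-to-cart flaw described above, next to a corrected handler, as an added example that is not code from the original post. The option ids, prices and function names are hypothetical, and the array stands in for the database lookup.

```php
<?php
// Constructed stand-in for the product-options table, keyed by primary key (hypothetical data).
const OPTIONS = [
    17 => ['label' => 'With case',    'price_cents' => 19995],
    18 => ['label' => 'Without case', 'price_cents' => 17995],
];

// Flawed handler, as described in the post: the posted "PK~PRICE" value is split
// and the price half is used as-is.
function addToCartTrusting(array $post): array
{
    [$pk, $price] = explode('~', $post['option']);
    return ['option_id' => (int) $pk, 'price_cents' => (int) round((float) $price * 100)];
}

// Hardened handler: only the key is read from the request, it must be a known
// option, and the price always comes from the server-side record.
function addToCartChecked(array $post, array $options): array
{
    $raw = $post['option'] ?? '';
    $pk  = is_string($raw) ? filter_var(explode('~', $raw, 2)[0], FILTER_VALIDATE_INT) : false;
    if ($pk === false || !isset($options[$pk])) {
        throw new InvalidArgumentException('Unknown product option');
    }
    return ['option_id' => $pk, 'price_cents' => $options[$pk]['price_cents']];
}

// Constructed request: the form offered "17~199.95"; the value was edited in the browser.
$tampered = ['option' => '17~19.95'];

printf("trusting handler charges %d cents\n", addToCartTrusting($tampered)['price_cents']);
printf("checked handler charges  %d cents\n", addToCartChecked($tampered, OPTIONS)['price_cents']);
```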
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Hacking using Firebug and similar browser add on
@twinedev That sounds like a potentially expensive flaw for the business running the e-commerce site.
Just last night after making my post I thought I should give my site a 'test' using developer tools to see if I can break it somehow.
A final point; I think the Firefox developers should go the same route as IE and Chrome, make Firebug available by default. I've downloaded the latest version but haven't installed it yet so I'd be very happy if it was included.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Hacking using Firebug and similar browser add on
If you are concerned about this, you should bone up on http.
For example, you can emulate an HTTP request using a telnet client.
This is an example of a GET request:
[syntax]telnet www.devnetwork.net 80
GET /index.php HTTP/1.1
Host: myFakeHostname[/syntax]
The POST request is slightly different but not by much:
[syntax]telnet www.devnetwork.net 80
POST /index.php HTTP/1.1
Host: myFakeHostname
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

home=Cosby&favorite+flavor=flies[/syntax]
The behaviour you have described has been available all along, it's just that you've recently discovered it. This is why you should not use the $_REQUEST variables in PHP. It is also why you should whitelist every piece of data that your server receives.
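An added example (not code from the original post) of whitelisting the fields of the POST body shown above: only expected keys are accepted, each against its own pattern, so a hand-crafted body with extra or malformed fields is rejected. The rules and function name are hypothetical; in a real handler the input would be `$_POST` rather than `$_REQUEST`.

```php
<?php
// Per-field allow-list (hypothetical rules). PHP turns the space in the posted
// name "favorite flavor" into an underscore when it parses the body.
const RULES = [
    'home'            => '/\A[A-Za-z]{1,30}\z/',
    'favorite_flavor' => '/\A[a-z ]{1,20}\z/',
];

// Returns the validated values; throws on unknown keys, missing keys or bad values.
function whitelistInput(array $input, array $rules): array
{
    $unknown = array_diff_key($input, $rules);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unexpected field: ' . implode(', ', array_keys($unknown)));
    }
    $clean = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid or missing field: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed bodies: the one from the post, and a hand-crafted one with an extra field.
parse_str('home=Cosby&favorite+flavor=flies', $asPosted);
parse_str('home=Cosby&favorite+flavor=flies&is_admin=1', $crafted);

print_r(whitelistInput($asPosted, RULES));
try {
    whitelistInput($crafted, RULES);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```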
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Hacking using Firebug and similar browser add on
[text]
telnet www.devnetwork.net 80
GET /index.php HTTP/1.1
Host: myFakeHostname
[/text]
How do you get this; do you use developer tools from the browsers? I've seen it from 'normal' websites (using Chrome's developer tools and Web console in Firefox).
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Hacking using Firebug and similar browser add on
social_experiment wrote:
[text]
telnet www.devnetwork.net 80
GET /index.php HTTP/1.1
Host: myFakeHostname
[/text]
How do you get this; do you use developer tools from the browsers? I've seen it from 'normal' websites (using Chrome's developer tools and Web console in Firefox).
You don't get it, you craft it. You can download any telnet client, like PuTTY for example. Most operating systems have a telnet client built in; in Windows it should be a non-default option in Add/Remove Programs, unless they got rid of it.
The first line is the destination address and port, the 2nd line is method, path, protocol. HTTP 1.1 happens to require the "Host" header, HTTP 1.0 did not. The host header can be any value and is typically set by your browser.
You can use the OPTIONS method to find out what methods the web server supports, and this is oftentimes how the bad guys figure out server misconfigurations.
All available methods, headers, etc. are well documented in the HTTP spec. For fun, in some projects, I've embedded optional headers like "X-PROTECTED-BY: Chuck Norris". I'm sure that VERY few people realize it though...
Re: Hacking using Firebug and similar browser add on
After thinking it through, we shouldn't use lazy methods such as reading data from the layout, to prevent this. For GET and POST I usually use AJAX as a bridge so a normal GET/POST won't work; though there are some disadvantages such as no permalinks, we can still find a lot of workarounds.
I'm just wondering how web spreadsheets such as Google, Zoho, or Office Live save their data in the cell ... I can't find it using Firebug; it should be a good trick for protection from bugs.
Re: Hacking using Firebug and similar browser add on
One more case
When we create a table (gridview-like) to show data from a database, e.g. a customer list,
usually my practice is to put the customer id in the cell / row id.
Example: <td id="cust_123"> would mean the customer with id 123.
When we click on this customer cell to edit / show the detail data, the page will post id 123 to the server.
Now suppose we are going to edit this data, then a user changes the id to another id like 450, and that user is also available in the database.
What is the best method to prevent this?
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Hacking using Firebug and similar browser add on
Make sure the record linked to the id can only be displayed if it's "active" or something. I did a website that had to display properties and they are referenced by the query string. In my table I had a 'status' field that determines whether a record can be displayed or not.
[syntax]<?php
// The id arrives in the query string: cast it to an integer before it goes into the SQL,
// and only return records whose status marks them as displayable.
$id  = (int) $_GET['id'];
$qry = "SELECT fields FROM table WHERE id = $id AND status = 'Y'";
?>[/syntax]
So any 'modified' input that doesn't match the criteria above is not displayed. There are properties that CAN be displayed in this manner (records with status set to Y) but if a user can access that record via the query string I only give them points for not using hyperlinks and not for 'hacking'.
You can't really prevent users from manipulating the query string or data using Firebug but you should at least have some checks in place against user input.
flying_circus wrote: You don't get it, you craft it.
Using php?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: Hacking using Firebug and similar browser add on
wpsd wrote: When we click on this customer cell to edit / show the detail data, the page will post id 123 to the server.
Now suppose we are going to edit this data, then a user changes the id to another id like 450, and that user is also available in the database.
What is the best method to prevent this?
Well, again, this is where you validate everything that comes in from a user. They hit a page to edit a record, one of the first things that you should be doing is making sure it is a logged in user, and that the user has permission to do the action (editing id 450).
While that goes for a page where people can edit something, sometimes the user can look at any record, but you don't want them to just be able to easily change the id they see being passed. To help against that, see viewtopic.php?f=1&t=132062
-Greg
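One way to implement the check described above: require a logged-in user and let the query itself enforce that the posted id belongs to them. This is an added example, not code from the thread; the `owner_id` column, the session layout and the in-memory SQLite table (via PDO) are assumptions.

```php
<?php
// Constructed schema and rows: each customer row belongs to one user (hypothetical model).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, name TEXT NOT NULL)');
$db->exec("INSERT INTO customers VALUES (123, 1, 'Acme'), (450, 2, 'Globex')");

// Returns the row only if the session user may edit it; the posted id is never
// trusted on its own, whatever the <td id="cust_..."> in the page said.
function loadEditableCustomer(PDO $db, array $session, array $post): ?array
{
    if (empty($session['user_id'])) {
        return null; // not logged in
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // missing or non-numeric id
    }
    // Bound parameters keep the id out of the SQL text; the owner condition
    // makes a row that belongs to someone else look like no row at all.
    $stmt = $db->prepare('SELECT id, name FROM customers WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$session = ['user_id' => 1]; // constructed logged-in user

var_dump(loadEditableCustomer($db, $session, ['id' => '123'])); // the user's own record
var_dump(loadEditableCustomer($db, $session, ['id' => '450'])); // id edited in the browser
var_dump(loadEditableCustomer($db, [], ['id' => '123']));       // no session at all
```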
Re: Hacking using Firebug and similar browser add on
Using php? Definitely
Hmm, looks like encryption is a good method since the user won't know the id format
md5(customer + unixtime)
hohoho
I see a lot of web database apps don't actually use a simple id for the primary key. They can create a second key for ordering purposes.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Hacking using Firebug and similar browser add on
wpsd wrote: md5(customer + unixtime)
md5 is one-way hashing, you won't be able to retrieve whatever is hashed
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Hacking using Firebug and similar browser add on
flying_circus wrote: You don't get it, you craft it.
social_experiment wrote: Using php?
If you want to use PHP to manually craft a request, you can use cURL.