Silent Transactions Attacks

How the attacks works:

Any system that silently processes transactions using a single submission is dangerous to the client.

For example, if a normal web application allows a simple URL submission, a preset session attack will allow the attacker to complete a transaction without the user's authorization. In Ajax, it gets worse: the transaction is silent; it happens with no user feedback on the page, so an injected attack script may be able to steal money from the client without authorization.

 

webgoat上示例，在一个银行网站应用上的转账页面中，该网页在一些基本的客户端验证后利用AJAX提交transaction。

目标：绕过用户认证并silently执行这次transaction！！

 

分析该页js脚本文件

 

function processData(){ 3 var accountNo = document.getElementById('newAccount').value; 4 var amount = document.getElementById('amount').value; 5 if ( accountNo == ''){ 6 alert('Please enter a valid account number to transfer to.') 7 return; 8} 9 else if ( amount == ''){ 10 alert('Please enter a valid amount to transfer.') 11 return; 12} 13 var balanceValue = document.getElementById('balanceID').innerHTML; 14 balanceValue = balanceValue.replace( new RegExp('$') , ''); 15 if ( parseFloat(amount) > parseFloat(balanceValue) ) { 16 alert('You can not transfer more funds than what is available in your balance.') 17 return; 18} 19 document.getElementById('confirm').value = 'Transferring' 20submitData(accountNo, amount); 21 document.getElementById('confirm').value = 'Confirm' 22balanceValue = parseFloat(balanceValue) - parseFloat(amount); 23balanceValue = balanceValue.toFixed(2); 24document.getElementById('balanceID').innerHTML = balanceValue + '$'; 25} 26function submitData(accountNo, balance) { 27var url = 'attack?Screen=123&menu=400&from=ajax&newAccount='+ accountNo+ '&amount=' + balance +'&confirm=' + document.getElementById('confirm').value; 28if (typeof XMLHttpRequest != 'undefined') { 29req = new XMLHttpRequest(); 30} else if (window.ActiveXObject) { 31req = new ActiveXObject('Microsoft.XMLHTTP'); 32 } 33 req.open('GET', url, true); 34 req.onreadystatechange = callback; 35 req.send(null); 36} 37function callback() { 38 if (req.readyState == 4) { 39 if (req.status == 200) { 40 var result = req.responseText ; 41 var resultsDiv = document.getElementById('resultsDiv'); 42 resultsDiv.innerHTML = ''; 43 resultsDiv.innerHTML = result; 44 }}}

 

发现其中processData()函数是用来验证输入金额是否超过了账户余额，若超过，认证不通过。

submitData()函数则是在验证完后被调用来提交XHR（XMLHTTPRequest）与服务端交互，执行转账。

 

方法一：绕过processData()的客户端验证

使用WebScarab 截获get请求，并修改get请求里的金额参数。因为获得get请求之前已经经过了客户端验证，此时修改的金额完全可以超过账户余额！

 

此方法bypass了客户端验证，但是还是需要经过用户认证，即必须截获客户端和服务器端的通信，因此没有达成silently的目的。

 

方法二：通过在browser上调用JavaScript函数submitData()来bypass客户端验证并silently执行转账。

 

最新版本的多数浏览器支持在地址栏里（address bar）调用JS脚本，即使用javascript:function();

 

因此在浏览器地址栏直接输入JavaScript:submitData(1234,11000);

即可攻击成功！

 

* Congratulations. You have successfully completed this lesson.
You have just silently authorized 11000$ without the user interaction.
Now you can send out a spam email containing this link and whoever clicks on it
and happens to be（有一定几率性） logged in the same time will loose their money !!