Seriously, FA?
15 years ago
General
So, this comment hiding thing. Ereet hax0rz found out how to exploit it. Let's see if you're as smart as the hax0rz, and can figure out how to do it too!
Step 1: Find a comment entry that has the "Hide Comment" link visible. Hover over the link, and see what it says.
Step 2: Hover over the "No Subject" link right next to it, and note that some numbers match.
Step 3: Go to your user page and hover over one of the "Full List" links for either watching or watchers, and note that some other numbers match.
Step 4: Pat yourself on the back, because you're not a mouth-breathing retard.
Lessons learned:
GET requests are not for modifying server state.
A User ID is not a valid authorization token.
How to do it right:
1: Use POST, first off. This isn't necessarily more secure; it's just the right way to do it.
2: Validate against the session cookie. That's what it's there for. This would eliminate spoofing.
3: Combine the parameters and verb of the action, the user ID, and a per-session server-side secret into a hash and pass that hash back in through the POST and validate against it, after validating against the session cookie. This would eliminate XSS.
Is that so hard? Is that fucking rocket science? Apparently the answer is "yes, absolutely it is" if you're an FA coder.
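As an added illustration (not code from this post, and not FA's own code), the three-point fix above modelled in plain Python: a POST-only handler that takes identity from the session cookie and checks an HMAC over the verb, the action parameters and the user ID, keyed with a per-session server-side secret, before touching any state. The `SESSIONS` and `COMMENTS` dicts, the `Request` class and all function names are constructed stand-ins for whatever a real site would use; the "insecure" handler is included only to show the GET-plus-uid pattern the post describes side by side with the fixed one. The token in step 3 is what is now generally called a CSRF token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the site's session store and comment table.
SESSIONS: dict[str, dict] = {}          # session id -> {"user_id": ..., "secret": ...}
COMMENTS: dict[int, dict] = {           # comment id -> owner and hidden flag
    5001: {"owner_id": 42, "hidden": False},
    5002: {"owner_id": 77, "hidden": False},
}


@dataclass
class Request:
    """Minimal request model: only the parts the handlers look at."""
    method: str
    query: dict = field(default_factory=dict)    # URL parameters
    form: dict = field(default_factory=dict)     # POST body fields
    cookies: dict = field(default_factory=dict)


def create_session(user_id: int) -> str:
    """Issue a session cookie value plus a per-session secret that never leaves the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user_id": user_id, "secret": secrets.token_bytes(32)}
    return sid


def action_token(session_id: str, verb: str, params: dict) -> str:
    """Step 3: bind verb + sorted parameters + user id to the session secret with an HMAC.
    The server embeds this in the form it renders; a forged request cannot compute it."""
    sess = SESSIONS[session_id]
    canonical = "|".join(
        [verb, *(f"{k}={v}" for k, v in sorted(params.items())), str(sess["user_id"])]
    )
    return hmac.new(sess["secret"], canonical.encode(), hashlib.sha256).hexdigest()


def hide_comment_insecure(req: Request) -> int:
    """The pattern the post complains about: a GET whose 'uid' parameter is
    treated as proof of identity, so the user id alone authorizes the action."""
    comment = COMMENTS.get(int(req.query.get("cid", -1)))
    if comment is None:
        return 404
    if comment["owner_id"] != int(req.query.get("uid", -1)):
        return 403
    comment["hidden"] = True
    return 200


def hide_comment_secure(req: Request) -> int:
    """Steps 1-3 applied: POST only, identity from the session cookie,
    and the action token verified before any state changes."""
    if req.method != "POST":                        # step 1
        return 405
    sid = req.cookies.get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:                                # step 2: no valid session
        return 401
    cid = req.form.get("cid", "")
    expected = action_token(sid, "hide_comment", {"cid": cid})
    if not hmac.compare_digest(expected, req.form.get("token", "")):  # step 3
        return 403
    comment = COMMENTS.get(int(cid)) if cid.isdigit() else None
    if comment is None:
        return 404
    if comment["owner_id"] != sess["user_id"]:      # ownership comes from the session, not a parameter
        return 403
    comment["hidden"] = True
    return 200


if __name__ == "__main__":
    sid = create_session(42)
    tok = action_token(sid, "hide_comment", {"cid": "5001"})
    ok = Request("POST", form={"cid": "5001", "token": tok}, cookies={"session": sid})
    print(hide_comment_secure(ok))                                            # 200
    print(hide_comment_secure(Request("GET", query={"cid": "5001", "uid": "42"})))  # 405
```

Because the token is keyed with a secret that exists only in the server's session record, a request assembled by a third party, or by a page the user merely visited, cannot carry a valid one, and the ownership check still uses the user ID from the session rather than anything the client sent.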
CaptainSaicin
~captainsaicin
Yeah, I noticed that glaring hole like 0.5 seconds after I first noticed the feature. I facepalm'd.
CaptainSaicin
~captainsaicin
I should mention, it does make use of a cookie or other session data, but it's still a huge exploit because it can be invoked by spoofing that data as well, or in any number of other ways.
CaptainSaicin
~captainsaicin
http://eevee.livejournal.com/329409.html