I’m always interested in hacking. To make my words clear, I'm interested only in ethical hacking. I usually attempt the basic XSS and SQL injection tests whenever I come across a new application. No wonder most applications address these basic vulnerabilities by default. But surprisingly, once I hacked a banking application completely. Completely means completely.
Yeah. After all, this banking application allows you to trade your securities. It also deals with a hell of a lot of confidential entities like securities, shares, contacts, social identity, business opportunities, meetings, etc. I was asked to implement simple business logic in that application. As I said, my requirement was pretty simple, but it needed data from another module, which we could consume through web services. As usual, before starting my work I was looking for the loopholes.
A web service is a method of communication between two electronic devices over a network. I will brief you about web services and the Axis engine in my next post. Normally we consume web services through WSDL, which is nothing but the Web Services Description Language. Using the Axis web service engine we can generate the stubs on our client side by pointing at the endpoint URL, i.e. the WSDL. From the generated stubs and methods we can invoke the web service method directly from our Axis client over the network. Here is the catch: web services are open to the world. Once you expose your services as web services over the internet, you are allowing the whole world to access your service.
So authorization should come in here. At your web services layer, on the server side, we should authorize these requests. Since we have exposed it as a web service, anyone who has an internet connection can access your service. For the moment, don't think about the firewall here. Only once the user is authorized should the application allow the actual service to be consumed.
So how will you authorize? Web service communication takes place in the form of XML, called the SOAP request and SOAP response. The SOAP request contains the endpoint address, the method and its argument values. Likewise the SOAP response contains the response details for our request. Usually on the client side we put the authorization details, i.e. user name and password or a security token, in the header part of the SOAP request. And on the server side, the SOAP request is authorized by validating the header details.
Here in this banking application they were following all these standards. I needed to put the user name and password in the SOAP request header to consume those confidential items.
As part of finding loopholes, I tried to access the web service method by giving invalid user name and password details. The application didn't allow me in with invalid credentials. And that's perfect.
But since it's XML, I removed the header tag completely and tried again. WTF, I was not stopped anywhere and it returned with the data.
Yeah, it's like the application stops you for an invalid user name and password but lets you in if they're blank. Gosh, this application has been live and serving its customers for more than 10 years. Nobody had been aware of this. This bank is pretty famous in your city. Who knows, your details might also have been hanging with them. When I escalated this to management, I thought they had realized the seriousness. For the next 3 weeks this was the hot topic around the big shots. Yes, they fixed it finally, and they were calling me Hacker.
15 months later, today, from my home on my home network, I'm able to access the web services without the header part. Still, am I a hacker?
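What that header check should have looked like, as an added Python illustration that is not code from the post or from Axis. The buggy version validates credentials only when a header is present, which is exactly the fail-open behaviour described above; the fixed version fails closed. The namespace urn:example:auth, the user store and the SOAP envelopes are constructed for the example.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:auth"  # hypothetical header namespace, not the bank's real schema
NS = {"soap": SOAP_NS, "sec": SEC_NS}

# Constructed credential store standing in for the real user directory.
VALID_USERS = {"trader1": "correct-horse"}


def _credentials(envelope_xml):
    """Return (username, password) from the SOAP header, or None if absent/incomplete."""
    root = ET.fromstring(envelope_xml)
    user = root.find("soap:Header/sec:Auth/sec:Username", NS)
    pwd = root.find("soap:Header/sec:Auth/sec:Password", NS)
    if user is None or pwd is None:
        return None
    return (user.text or "", pwd.text or "")


def authorize_buggy(envelope_xml):
    """Mirrors the flaw in the post: credentials are checked only if a header exists."""
    creds = _credentials(envelope_xml)
    if creds is not None:
        user, pwd = creds
        if VALID_USERS.get(user) != pwd:
            return False          # wrong password -> rejected, as the author saw
    return True                   # no header at all -> falls through to 'allowed'


def authorize_fixed(envelope_xml):
    """Fail closed: a missing or incomplete header is denied like bad credentials."""
    creds = _credentials(envelope_xml)
    if creds is None:
        return False
    user, pwd = creds
    expected = VALID_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, pwd)


def envelope(header_xml):
    """Build a constructed SOAP request around the given (possibly empty) header."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sec="{SEC_NS}">'
            f'{header_xml}<soap:Body><sec:GetSecurities/></soap:Body></soap:Envelope>')


VALID = envelope('<soap:Header><sec:Auth><sec:Username>trader1</sec:Username>'
                 '<sec:Password>correct-horse</sec:Password></sec:Auth></soap:Header>')
INVALID = envelope('<soap:Header><sec:Auth><sec:Username>trader1</sec:Username>'
                   '<sec:Password>wrong</sec:Password></sec:Auth></soap:Header>')
NO_HEADER = envelope('')
```

Run `authorize_buggy(NO_HEADER)` and `authorize_fixed(NO_HEADER)` side by side to see the difference the post is describing.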
2 comments:
hands off..!!
Yes I'm afraid