Flow Bypass Attacks For Fun and Profit

30 Jul 2011

An interesting vulnerability that I've seen more and more frequently in web applications is Flow Bypass. I'm sure there are other names for it; "Insufficient Process Validation" is one I've heard mentioned. These days we hear about XSS and SQLi far more often. I've actually used this, for my own fun, to exploit a staff control panel which looks like it was made in 2002 (did I mention it says copyright 2009?) and even uses frames :( It makes you read all "urgent" messages before using it. Today I had 22, 19 of which were "please change your password, it is about to expire". A big deal of fuss is made about how they log the view-message events and how, if you have "read" a message and don't take notice, you are in big trouble. I've made many Greasemonkey scripts to make the application more usable, such as direct links and an AJAX staff search.

Which got me thinking: could it be as simple as just accessing the URL you normally go to after reading the messages? Yes and no. Since I haven't used frames since the 90's, it took me a while to figure out that you can't have a body if you use a frameset.

So I combined a redirect to a data URI that contained my session token (always passed via URL in this app, *sigh*), which created the frameset you would normally see. It was done; I had completely bypassed reading any messages.

After whipping up a quick script to request the mail URL via XHR, I had a nice link in the navbar, "22 unread messages", which was clickable to read the messages.

Of course that is all fun, but imagine the impact of bypassing the intended flow of a web app for profit. Web developers need to understand they are not programming a client-side application; they are responding to requests where anything can be manipulated. All data in a request is untrusted. A quick example: you pay for a domain name and are then sent to a page to register it. Just skip the payment page and head on over to register unlimited domains.
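To make the domain example concrete, here is an added example (not code from the original post) modelling that registration step two ways: one that trusts a client-supplied "paid" parameter, and one that only consults payment state recorded on the server and consumes one credit per registration. The session store, handler names and parameters are assumptions for illustration; no web framework is used, so requests are plain dicts.

```python
"""Server-side enforcement of a purchase flow (added example, not the post's code).

The client only ever holds a session id; whether a payment happened lives in
server-side state that the client cannot edit or skip past.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session record (assumed structure for this example)."""
    paid_credits: int = 0                       # domains paid for, not yet registered
    registered: list = field(default_factory=list)


SESSIONS = {}   # session id -> Session; an in-memory stand-in for a real store


def record_payment(session_id: str, domains_paid: int) -> None:
    """Called only when the payment provider has confirmed the charge."""
    SESSIONS.setdefault(session_id, Session()).paid_credits += domains_paid


def register_insecure(session_id: str, params: dict) -> str:
    """Vulnerable: proof of payment is a request parameter, so a client that
    skips the payment page (or edits the parameter) registers for free."""
    sess = SESSIONS.setdefault(session_id, Session())
    if params.get("paid") != "1":
        return "error: payment required"
    sess.registered.append(params["domain"])
    return "registered"


def register_secure(session_id: str, params: dict) -> str:
    """Hardened: the request names the domain and nothing else; the flow state
    comes from the server, and each payment is consumed by exactly one
    registration, so there is no route to 'unlimited domains'."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess.paid_credits < 1:
        return "error: payment required"
    sess.paid_credits -= 1                      # one payment, one registration
    sess.registered.append(params["domain"])
    return "registered"
```

The same pattern applies to the "read all messages first" flow above: the server records which messages were acknowledged and refuses the next step until it has, rather than assuming the client arrived via the right page.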

I've got a presentation on this topic later this year.