I don't believe this, I basically can't do a SQL injection, CSRF or XSS! Everything I wanted to do is basically either encrypted or, if I inject a simple character like ", it says service unavailable. This application can be considered very secure in terms of encryption and of good standard if weighing it against the OWASP top ten. Even if I enter a value like 10, this value will be encrypted with this:
Name=eb56be300a5b19b600b5dac4f0e96834&EventName=Immediate&encryptedString=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZWoTRxslHOjxM7JapJ9tsvyp1ifrWjrgZjxiQfgS33znbhy2IaOqGNXFaA9rR4PvbsUFcqW0hVySynpxkNKRRxvxXJBIiCDlA9h1IK93ajLouNKITFaOVTBQSuK0upPOkjEuTJnbXM3qqZyf-i8amEULAXd4AhEkBBlGgjY8a9wWXJD61NJ-aPT5cVZ0s0H1ZZpvTto8NMRI1QiJAnYPMl4WXik8LTdChQ86n1OkUeP7Hfe4Fz13-JSEq%5E%5EvpgRjznQ4ZuLQ%5EHtMQ5D6yWWTRCPXtJ6jAj1Q2ZmYfPr9Q0uQX1YXN8UlwMXcf7igpQRXtR5yRwo3pm%5E6LJlmf7Hf94B4P26-K2iIOO%5EnVUeQbyZBt3YC4tNCWt8N5IFThY53-spUvlfRBAkwkwsK0NdkCajHGVoGLiynlc1J3GCIfZ0trlITgC9WntZgIOKXVZjTwYWe5hEAuqfHSMixUSCExNu4ZC4ZUQE%5EyK%5ElvKIl3Fd8fxx-GJjVajpHikGTHgfJ8KoeNH2SpUzEWPNQy63l4BkzqaeuJ7ssxeF%5EWhwcwfKuBzRF9rV5sss%5EP3WYjD4YsJvSZx%5EqXP1j8KIf6zfyh1xSqRJREWFXG5kSWXzlj03cL7SQmNjQupwJ9L25Km7GYhEUYfZYSsbNTr44vdkrpepIyLFRIITE29CZXXyVLrlK0OAIU7V9RfzJieGW0oBylrDqKK4VvLrKVbCj2t2hUwcDQwedGQK5J0O0W6v7Oeao9i9Y0keFg006rxP0gINtf8I9U5l%5E0RMvL7SQmNjQupyj1BfoSNNPOmsVd5RBRyJUy7dmjY1z6SxKT74w1LFyX9b-Wup4Bpykv-Ojshp82HwvLmlVapYc-I5yIyi5ev-%5E6-MiaJ-eATlq7nsFDamHtLjB09kFUKPMQArFYZzeyC1wNkE6i95PP80TJ0lPfgNkMuVhq5cxP2AXB7Kum3IJKcGeIJlpRTvpqBkeQ23jFVdIK61FykzXdSO6rlPpDFI0%5EYxJ2aAUQkn3hJJwOJW50AqBr4MBG-tU&encryptedString2=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZfQSGPJ8Sz00GIRu7AqyMI3jMa6-sb5ZQJmYfPr9Q0uQs4F2ns3wU759YZpN-TxN6gqBr4MBG-tU
I am running outta ideas, tell me what more can I do?
The Hacka Man
Tuesday, September 25, 2007
6 comments:
For reversing a 2-factor auth application, the things to keep in mind (at least the ones I will keep) are:
First Link:
Start looking at the algorithm level. Most of the implementations are time synchronized or counter synchronized (RFC 4226) or use S/Key based implementations. Both need a shared key for authentication. Get the method where the shared key is stored or obtained.
Second Link:
Next part is the connection between the AUTH server and the client, SSL (I assume it is).
How is the certificate info stored on the client?
If it is applet based, how is the signing of the applet taking place?
Can you change the rt.jar of the JVM (this bug was fixed in new JVMs) to bypass this checking?
How does the client react when the certificate is replaced by a self-signed one?
Third Link:
What is Ethereal spitting out when the client is connected?
Is a connection made to any remote server other than the remote AUTH server? Is it HTTP/S?
If the algo is home grown, check for the crypt functions and the type of RAND functions used in the decompiled Jar file. Do you see any buffer attacks?
Hope these help you to start.
MitmWatcher
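The comment above points at RFC 4226 (HOTP) as the usual basis for counter- or time-synchronized tokens. The following is an added example, not code from the blog author or the commenter, showing what that algorithm actually computes and how a server verifies a code with a resynchronisation window so that a once-used counter cannot be replayed. The secret value and the window size are assumptions for illustration; the 20-byte test secret is the one RFC 4226 and RFC 6238 use for their published test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter.

    The counter is encoded as an 8-byte big-endian integer, HMAC-SHA1 is taken
    over it with the shared secret, and the result is "dynamically truncated":
    the low nibble of the last byte selects a 4-byte window whose top bit is
    masked off, and the resulting integer is reduced modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[19] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10**digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. This is the "time synchronized" variant."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, candidate: str, server_counter: int, look_ahead: int = 3):
    """Server-side HOTP check with a look-ahead window (the window size is an
    assumption of this example).

    The server tries counters server_counter .. server_counter + look_ahead so a
    token that advanced a few steps without the server seeing them still works.
    On success it returns the counter the server must store next (one past the
    matched value), which is what prevents the same code being accepted twice.
    On failure it returns None and the stored counter must stay unchanged.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (constructed per the RFC, not a real key).
    secret = b"12345678901234567890"
    print("HOTP(0..2):", [hotp(secret, c) for c in range(3)])
    print("TOTP at T=59, 8 digits:", totp(secret, 59, digits=8))

    stored = 0
    # Token has advanced to counter 2 without the server noticing: still accepted.
    stored = verify_hotp(secret, hotp(secret, 2), stored)
    print("server counter after accepting counter 2:", stored)
    # Replaying that same code is now rejected because the window moved past it.
    print("replay accepted?", verify_hotp(secret, hotp(secret, 2), stored) is not None)
```

The point for the thread: every value the client sends is a function of the shared secret and a counter (or the clock), so the interesting question for an assessment is where that secret lives and how it is provisioned, not the digits themselves. On the server side, the two defensive details worth checking are that verification is constant-time and that the stored counter only ever moves forward.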
Thanks mitmwatcher, I can say that the algorithm is based on time and session management. Also, when you say get the method where the shared key is stored or obtained, what do you actually mean? HTTP GET or POST method, or is there some other implication?
For the second link, I will have to verify again. How can I check the signing of the applet?
For the third link, the connection is only made to the remote Auth Server and nowhere else, and it's HTTPS. I have yet to decompile any jar file. I am still verifying the logic and some other issues. Once I have verified that I can't find anything more, I will proceed to decompile the jar file.
hackathology
You can't get the shared secret key from the headers or JS; it might be a server side call or a method embedded in the client applet.
Check the HOTP RFC in the previous reply for more insights on the shared key.
If the applet is running on the cell phone then mostly it is a hardware token, mostly the IMEI number.
You can find the certfile in JAVAPATH/lib/security/cacerts
Use http://blogs.sun.com/andreas/resource/InstallCert.java to install the new certificate and see how the applet reacts.
Decompile the Jar, let's see what's inside ;)
Mitmwatcher
Can you leave your email down or send me your personal email?
hackathology
myscreen name at gmail
send you an email.
hackathology