I have read about at least two scandals recently where people could buy tickets for a lower price or for free. In this post I'd like to show the mistake that leads to this kind of vulnerability (in security terms it is called parameter tampering: the server trusts a value the user can edit). I have simplified the IT part so anyone can read the post and understand it; you don't have to be an IT expert.
Let's assume you have a ticket sales portal with three ticket types, daily, weekly and monthly, for €50, €200 and €500 respectively. Anyone can click on a ticket and buy it.
If your programmer has no clue about online security, placing a link like this on each ticket would seem perfectly acceptable to him or her:
https://tickets.example.com/ticketsales.php?price=50
https://tickets.example.com/ticketsales.php?price=200
https://tickets.example.com/ticketsales.php?price=500
If you click on the weekly, you would navigate to the payment
page:
https://tickets.example.com/ticketsales.php?price=200
    Ticket Payment Page

    Your price is €200.
    Choose payment method: [PayPal] [Barion]

    © example.com
This looks nice at first. But what if the user rewrites the URL in her browser like this:
https://tickets.example.com/ticketsales.php?price=1
Your sales page would change and anyone could buy the ticket
for €1:
    Ticket Payment Page

    Your price is €1.
    Choose payment method: [PayPal] [Barion]

    © example.com
A skilled programmer would never put a key value like the price in the URL; she would keep what we call "separation of business logic and presentation". She would put only the type of ticket in the URL and would not let the user influence the price at all. The price would be defined by the server, where the user cannot change it, and that same server-side figure, not anything echoed back from the browser, is what gets handed to the payment provider. Her links would look like this:
https://tickets.example.com/ticketsales.php?type=daily
https://tickets.example.com/ticketsales.php?type=weekly
https://tickets.example.com/ticketsales.php?type=monthly
If you click on the weekly this time, you would navigate to
the payment page:
https://tickets.example.com/ticketsales.php?type=weekly
The server would look up the price of the weekly ticket and
tell you how much to pay:
    Ticket Payment Page

    Your ticket is Weekly, your price is €200.
    Choose payment method: [PayPal] [Barion]

    © example.com
The server code to look up the price would be something like this: about one minute to code, maybe five minutes to do it properly. The sample code has been simplified for non-programmer readers. Even if you have complex pricing, a database or configuration file based solution would take an hour or two to code.
Type = LowerCase(ReadParameterFromURL("type"))   ' the only thing the browser may choose
Select Case Type                                  ' compared in lower case, as in the links
    Case "daily"
        Price = 50
    Case "weekly"
        Price = 200
    Case "monthly"
        Price = 500
    Case Else
        InvalidURL = True                         ' anything else is rejected, never guessed
End Select
The user can still rewrite the URL this time, but it gets her nothing: the server notices any trick, because it accepts exactly one parameter with one of three valid values (daily, weekly or monthly) and rejects everything else. Try either of these:
https://tickets.example.com/ticketsales.php?type=1
https://tickets.example.com/ticketsales.php?price=1
and the server recognizes the tampering:
    Ticket Payment Page

    Warning!!!
    You changed the URL, probably trying to cheat.
    Your IP address has been logged and will be sent to the police if you try again.
    [back to tickets]

    © example.com
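Here is the same check as a runnable Python example, added to this post as an illustration and not taken from any real ticket portal's code. It puts the "before" handler (price in the URL) next to the "after" handler (type in the URL, price looked up on the server) and runs both over the post's links and the tampered ones. The URL list, the TICKET_PRICES table and the helper names are made up for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Server-side price list (EUR). The browser never sends a price; it only names
# a ticket type, and this table is the single source of truth. (Constructed to
# match the three tickets in the post.)
TICKET_PRICES = {"daily": 50, "weekly": 200, "monthly": 500}

# The only query parameter the payment page accepts.
ALLOWED_PARAMS = {"type"}


def query_params(url):
    """Return the query string of `url` as a dict of single string values."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in raw.items()}


def vulnerable_price(url):
    """The 'before' design: trusts whatever price= the browser sent.

    Deliberately insecure; kept here to show why price=1 works."""
    return int(query_params(url)["price"])


def hardened_price(url):
    """The 'after' design: only the ticket type travels in the URL.

    Returns ("ok", type, price) or ("rejected", reason). Unknown types, a
    missing type and any unexpected parameter (including a client-supplied
    price) are rejected rather than guessed."""
    params = query_params(url)
    extra = set(params) - ALLOWED_PARAMS
    if extra:
        return ("rejected", "unexpected parameter: " + ", ".join(sorted(extra)))
    ticket_type = params.get("type", "").strip().lower()
    if ticket_type not in TICKET_PRICES:
        return ("rejected", f"unknown ticket type: {ticket_type!r}")
    return ("ok", ticket_type, TICKET_PRICES[ticket_type])


if __name__ == "__main__":
    # Constructed sample URLs: the post's own links plus tampered variants.
    for url in [
        "https://tickets.example.com/ticketsales.php?price=200",
        "https://tickets.example.com/ticketsales.php?price=1",
    ]:
        print(url, "->", vulnerable_price(url))
    for url in [
        "https://tickets.example.com/ticketsales.php?type=weekly",
        "https://tickets.example.com/ticketsales.php?type=Weekly",
        "https://tickets.example.com/ticketsales.php?type=1",
        "https://tickets.example.com/ticketsales.php?price=1",
        "https://tickets.example.com/ticketsales.php?type=weekly&price=1",
        "https://tickets.example.com/ticketsales.php",
    ]:
        print(url, "->", hardened_price(url))
```

The hardened handler is strict on purpose: an extra parameter such as price=1 is a rejection, not something to ignore, because a silently ignored field is the first thing an attacker tries to sneak into a later request. The same rule holds one step later than this post goes: the amount handed to PayPal or Barion, and the amount reported back as paid, must be compared against the server's own figure for the order, never against anything echoed from the browser.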
IT security is a lot simpler than most people think. One way to avoid such pitfalls is to have your code written by a high performing agile team. In a great team, even if one of the programmers is a beginner or lazy, the others will notice and correct the mistake.
BiroTom
www.birotom.com