
CASP Practice Question I don't understand


6 replies to this topic

#1 Rhysers

Rhysers

  • Members
  • 2 posts

Posted 11 October 2017 - 04:37 PM

Can anyone help me understand this practice question:

 
After being notified of an issue with the online shopping cart, where customers are able to
arbitrarily change the price of listed items, a programmer analyzes the following piece of code
used by a web based shopping cart. The programmer found that every time a user adds an item to the cart, a temporary file is created
on the web server /tmp directory. The temporary file has a name which is generated by
concatenating the content of the $USERINPUT variable and a timestamp in the form of MM-DD-
YYYY, (e.g. smartphone-12-25-2013.tmp) containing the price of the item being purchased. Which
of the following is MOST likely being exploited to manipulate the price of a shopping cart’s items?
A. Input validation
B. SQL injection
C. TOCTOU
D. Session hijacking

 

 

The provided answer is TOCTOU, but I don't understand why. My current understanding of Time of Check/Time of Use has to do with making a change to a security variable (like disabling an account) and that change not taking effect until the next time the account checks in with the domain, for example a user being able to continue to use their account until they log out and attempt to log back in. I would have picked SQL Injection.

Thanks for any help.





#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 11 October 2017 - 04:46 PM

I don't know HOW it would be done, but here's my thinking aloud.  Somehow, they're changing the time of the transaction that's recorded.  Why?  Perhaps there was a sale on product A at time B, but the shopper went to buy it at time C.  Somehow, the shopper changed the information so that it showed he/she was actually purchasing the item at time B thus altering the price in the shopping cart.



Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 JohnC_21

JohnC_21

  • Members
  • 22,632 posts
  • Gender:Male

Posted 11 October 2017 - 05:02 PM

I just googled the first line and got this.

 

https://www.coursehero.com/file/p26qegh/QUESTION-NO-6-After-being-notified-of-an-issue-with-the-online-shopping-cart/



#4 Rhysers

Rhysers
  • Topic Starter

  • Members
  • 2 posts

Posted 11 October 2017 - 05:33 PM

So I guess the idea is that the shoppers are changing the text file after creation?



#5 JohnC_21

JohnC_21

  • Members
  • 22,632 posts
  • Gender:Male

Posted 11 October 2017 - 05:42 PM

That is what I gathered from the answer. The person is changing the tmp file but a bug allows the edit even after the administrator locks the page. Hopefully somebody with more security experience can expand on the answer.



#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,639 posts
  • Gender:Male

Posted 12 October 2017 - 02:33 PM

The correct answer is "lack of input validation or incorrect input validation", which is not one of the listed answers. The answer that comes closest is A.

 

This is how it works:

 

1) you put a phone in your cart that costs €100 by typing 'phone'

2) file /tmp/phone-10-12-2017.tmp is created and contains 100

3) you add another item to your cart by typing '/phone' (notice the slash / in front of the word phone)

4) file /tmp//phone-10-12-2017.tmp is created and contains 0 or is empty

5) you checkout and pay 0

 

The reason this is possible, is

 

1) on most file systems, /tmp/phone-10-12-2017.tmp and /tmp//phone-10-12-2017.tmp point to the same file. So by typing /phone you overwrite file /tmp/phone-10-12-2017.tmp

2) since /phone is not an item sold by the webshop, there will be no price. So the file will be empty or contain 0, depending on the program logic (which is not provided).

 

Remark that this lack of input validation allows for all kinds of tricks to be used.

For example, type ../phone and a file will be created in the root folder: /tmp/../phone-10-12-2017.tmp

If NULL bytes are accepted, it allows for arbitrary file writes.

For example: type ../etc/passwd\x00 (\x00 is how I represent the NULL byte) and the /etc/passwd file will be overwritten (provided the webserver's account has the permissions).


Edited by Didier Stevens, 12 October 2017 - 02:34 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,639 posts
  • Gender:Male

Posted 12 October 2017 - 02:47 PM

Actually, with a bit of a stretch, this could be called TOCTOU too.

 

TOC: price is checked in database and written to file.

TOU: file is read at checkout.

 

Between TOC & TOU: file is modified due to improper input validation.

 

So all in all, the MOST likely answer (that's what they ask: MOST likely) is C) because A) can not be a correct answer: the problem here is lack of input validation, not input validation.


Edited by Didier Stevens, 12 October 2017 - 02:50 PM.

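The two posts above (the five-step walkthrough in #6 and the TOC/TOU framing in #7) can be reproduced in a few lines. The following is an added example, not code from the forum thread or from any real shopping cart: it models the cart described in the exam question with a constructed two-item catalog, assumes (as Didier does) that an unknown item gets price 0, and writes into a sandboxed temporary directory instead of the real /tmp so that the `../` trick lands inside the sandbox rather than on the server root. The vulnerable functions build the filename by raw string concatenation of the user input and an MM-DD-YYYY stamp; the hardened ones allow-list the item name, confirm the resolved path stays inside the cart directory, and re-read the price from the catalog at checkout so that the file can no longer be the "time of use".

```python
"""Toy model of the shopping-cart bug from the CASP practice question.

Constructed example: fake catalog, sandboxed temp directory instead of /tmp,
and guessed program logic (unknown item -> price 0). Not the original shop's code.
"""
import os
import re
import tempfile
from datetime import date

# Constructed catalog; the question only tells us a phone is a purchasable item.
CATALOG = {"phone": 100, "laptop": 900}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def stamp(day):
    """MM-DD-YYYY, the timestamp format the question describes."""
    return day.strftime("%m-%d-%Y")


# ---- vulnerable version: filename is raw $USERINPUT + timestamp ----------

def add_item_vulnerable(tmp_dir, user_input, day):
    """Time of check: price is looked up and written to a file named from user input."""
    price = CATALOG.get(user_input, 0)                       # assumption: unknown item -> 0
    path = tmp_dir + "/" + user_input + "-" + stamp(day) + ".tmp"   # no validation at all
    with open(path, "w") as f:
        f.write(str(price))
    return os.path.realpath(path)                            # where the write really landed


def checkout_vulnerable(tmp_dir, item, day):
    """Time of use: the price is trusted from the file, never re-checked."""
    path = tmp_dir + "/" + item + "-" + stamp(day) + ".tmp"
    with open(path) as f:
        data = f.read().strip()
    return int(data) if data else 0


# ---- hardened version -----------------------------------------------------

def cart_path_hardened(tmp_dir, user_input, day):
    """Allow-list the item, restrict the character set, and confirm the resolved
    path is directly inside tmp_dir (blocks '/', '../' and similar tricks)."""
    if user_input not in CATALOG:
        raise ValueError("unknown item: %r" % user_input)
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError("bad characters in item name")
    base = os.path.realpath(tmp_dir)
    path = os.path.realpath(os.path.join(base, "%s-%s.tmp" % (user_input, stamp(day))))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes %s" % base)
    return path


def add_item_hardened(tmp_dir, user_input, day):
    path = cart_path_hardened(tmp_dir, user_input, day)
    with open(path, "w") as f:
        f.write(str(CATALOG[user_input]))
    return path


def checkout_hardened(tmp_dir, item, day):
    """Closes the TOCTOU window: the file is only a cart marker; the price is
    re-read from the catalog at time of use, so file tampering changes nothing."""
    cart_path_hardened(tmp_dir, item, day)                   # still validates the name
    return CATALOG[item]


def demo():
    """Replay the five steps from post #6 in a sandbox; returns what each checkout charges."""
    day = date(2017, 10, 12)
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        tmp_dir = os.path.join(sandbox, "tmp")
        os.mkdir(tmp_dir)

        add_item_vulnerable(tmp_dir, "phone", day)           # tmp/phone-10-12-2017.tmp = 100
        results["before"] = checkout_vulnerable(tmp_dir, "phone", day)
        add_item_vulnerable(tmp_dir, "/phone", day)          # tmp//phone-... is the same file
        results["after_slash"] = checkout_vulnerable(tmp_dir, "phone", day)

        # '../phone' lands one directory up: the sandbox here, '/' on the real server.
        escaped = add_item_vulnerable(tmp_dir, "../phone", day)
        results["escaped"] = os.path.dirname(escaped) == os.path.realpath(sandbox)

        add_item_hardened(tmp_dir, "phone", day)
        try:
            add_item_hardened(tmp_dir, "/phone", day)
            results["hardened_rejects"] = False
        except ValueError:
            results["hardened_rejects"] = True
        results["hardened_price"] = checkout_hardened(tmp_dir, "phone", day)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` charges 100 before the `/phone` trick and 0 after it, confirms that `../phone` wrote outside the cart directory, and shows the hardened path rejecting `/phone` while still charging 100 for `phone`. Note that even the hardened naming scheme is only a marker: because the file name is item plus date, two customers adding the same item on the same day would share a file, which is one more reason the price must come from the catalog at checkout rather than from anything under /tmp.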




