
ATTACKING SCENARIO

Introduction
• Attack scenario: an attacker wants to order pizza(s) for $1 (a reduced cost) instead of the actual total cost of $10.
• This can be done in the confirmation step of the transaction flow.
• The server sends back a page to the client with the computed total price and asks the user to confirm the transaction.
Hidden Price Field
• In this example the server stores the price of the transaction in the form sent back to the client; it is trusting the client.
• This price is stored in a hidden form field.
• So you cannot see a price field on the confirmation page.
• But the client/user can view the HTML source code of the confirmation form by selecting View | Source in the browser's menu bar.
• Hidden fields are only visually hidden from the user; from the security point of view they are effectively sent in the clear.
• Malicious clients can easily access and modify them.
Order page
Server-side PHP script for the confirmation page
Confirmation page
View | Source: the HTML code that the user can view
Modified HTML Page
Changing the value of the hidden field
• The attacker can change the value in the hidden form field from 10 to whatever value he wants.
• Then he simply saves the modified HTML to disk,
• reopens it with a browser,
• and finally submits the form with the modified price to the server.
• When he clicks Yes in the reopened HTML page, the HTTP request that is constructed based on the manipulated form is for $1 instead of $10.
Effect Of The Attack
Now when the user clicks the Yes button in the confirmation page it proceeds to a credit card payment gateway.
Deduction of Modified Bill Amount
After the gateway authorizes the card, the modified bill amount is deducted from the client's account.
curl And Wget
• Instead of using a browser and a text editor, the attacker can use command line tools such as curl and Wget.
• These are open source command line tools that can be used to generate HTTP requests and other types of requests in an automated fashion.
• Consider this HTTP request:
• GET /submit_order?price=1&pay=yes HTTP/1.0
• This is the request sent by the modified HTML page.
curl & Wget command
• This HTTP request can be automatically generated by issuing the following curl command.
• If the form uses the GET method:
• curl "https://www.deliver-me-pizza.com/submit_order?price=1&pay=yes"
• If the form uses the POST method:
• curl -d price=0.01 -d pay=yes https://www.deliver-me-pizza.com/submit_order
• Wget command for POST parameters:
• wget --post-data 'price=1&pay=yes' https://www.deliver-me-pizza.com/submit_order
Conclusion
• The attacker does not have to traverse the order or confirmation web pages to issue the HTTP requests to purchase the pizzas.
• The server trusts the client and sends the transaction state back to it,
• and by this it gives the client the ability to tamper with the state.
• Solutions (two among many):
1. Keep an authoritative copy of the session state in a database on the server.
2. Send the authoritative state back to the client with a signature.
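Solution 2 as an added example, not code from these slides or from the pizza site (the Python, the `order_id` field, the handler name and the secret are assumptions): the server attaches an HMAC over the state it sends to the client, and submit_order accepts the price only when the tag still matches, so the $10 to $1 edit described above is rejected.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed secret for the example; a real server loads it from protected config.
SERVER_SECRET = b"constructed-example-secret"

def sign_state(order_id: str, price: str) -> str:
    """HMAC-SHA256 tag binding the (assumed) order id to the server-computed price."""
    msg = f"{order_id}|{price}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def build_confirmation_form(order_id: str, price: str) -> str:
    """Hidden fields for the confirmation page. The price is still visible in
    View | Source, but any edit to it no longer matches the signature."""
    sig = sign_state(order_id, price)
    return (
        f'<input type="hidden" name="order_id" value="{order_id}">\n'
        f'<input type="hidden" name="price" value="{price}">\n'
        f'<input type="hidden" name="sig" value="{sig}">'
    )

def handle_submit_order(query_string: str) -> str:
    """Server-side handler for submit_order: charge only an unmodified, signed price."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    try:
        order_id, price, sig = params["order_id"], params["price"], params["sig"]
    except KeyError:
        return "rejected: missing fields"
    # Constant-time comparison so the tag cannot be recovered through timing.
    if not hmac.compare_digest(sign_state(order_id, price), sig):
        return "rejected: tampered state"
    return f"charged ${price}"

if __name__ == "__main__":
    honest_sig = sign_state("42", "10")          # tag the server issued for $10
    print(handle_submit_order(f"order_id=42&price=10&pay=yes&sig={honest_sig}"))
    # Same tag, price edited to 1 in the saved HTML: signature no longer matches.
    print(handle_submit_order(f"order_id=42&price=1&pay=yes&sig={honest_sig}"))
```

The tag here binds only the order id and price; a deployment would also bind the session and an expiry so that a signed state cannot be replayed, or follow solution 1 and read the price from the server's database instead of the form.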
Queries?
THANK YOU
