I didn’t want to try something risky, but I noticed at least two suspicious things. By that I mean there could be some open opportunities for hacking:
1) "http://www.paypal.com/en/cgi-bin/webscr?cmd=_logout" – if you go to this URL while logged in, your session is terminated.
Possible exploit: you can create a repeating (hidden) script (maybe on some web page) that keeps requesting this URL, so that the user will believe he/she cannot log in at all.
2) I am able to send money and create accounts for emails starting with “%”
Example “%firstname.lastname@example.org” (You can check it for yourself – Password is “!QAZ2wsx”)
Possible exploit: the fact that the character is not validated might be considered a weak spot that attackers could probe by trying different alternatives.
Even if neither issue is exactly a problem, it shows that they didn't do some type of needed testing.
(I am going to send this to their support)
Edit: OK, I have a simple script as an example of the logout issue:
1) Open this URL: http://www.testalways.com/exploits/1.html (it reloads an iframe pointing at the logout link)
2) In another tab/window of the same browser, log into the PayPal account (you can create one just to test it – you don't have to enter any private data)
Behavior: the user is logged out quite fast without realizing what is going on.
Conclusion: the value of a bug can depend on the exploits it enables.
This is an example of a behavior that is known, but perhaps not much thought was given to its security implications.
Another point is the reuse of the same libraries for developing web applications: these bugs are identical to issues I found for a previous client.
I want to recommend this tool http://code.google.com/p/knull-shell/downloads/detail?name=knull-shellv1-beta.php for testing security issues.
With it I was able to hack into one of my client's web servers (literally the server that hosted the web application) and was able to create folders and delete files.
The script can be used for hacking a web application in places where it lets you upload images or any other files.
Example of a scenario:
1) Check if the web app has a section to upload an image (usually the user profile)
2) Use an image with a specific name that you can recognize and upload it
3) After the upload, find where the stored image is now located (check if the name is intact; check if the size is the same)
4) If the image is stored with the same name and is not altered, you can try uploading the knull-shell script and then check the URL
5) If the URL of the stored file ends in …/some_location/knull-shellv1-beta.php and the server is misconfigured to execute scripts from the upload directory, you can try to execute that script by opening that URL
6) If you are successful, opening the URL shows the shell's interface (screenshot omitted)
Now you can try to see how far you can go!
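The six steps above, written out as checks, as an added example that is not part of the original post or of the knull-shell project. It assumes the target runs PHP and that a stored upload can be fetched back by URL; network I/O is left out so the logic runs offline on constructed samples. In step 4 it substitutes a harmless marker probe for the shell (so a test run leaves nothing exploitable behind), and, going beyond the post, it also shows the server-side checks (allow-listed extension, magic bytes, script-tag scan, random server-chosen name) whose absence is what makes steps 3 to 5 succeed. All names, sample bytes and the marker string are this example's own.

```python
import re
import secrets

# Constructed probe for step 4 (assumption: the target runs PHP). Unlike a
# full web shell it only prints a marker, so nothing exploitable is left
# behind if the file is never cleaned up.
PROBE_MARKER = "upload-probe-7f3a"
PROBE_SOURCE = ('<?php echo "%s"; ?>' % PROBE_MARKER).encode()

# Constructed sample image for step 2: a minimal GIF89a header plus padding.
MARKER_IMAGE = b"GIF89a" + bytes(24)


def compare_stored(sent_name, sent_bytes, stored_name, stored_bytes):
    """Step 3: does the application keep the file name and bytes untouched?
    Three True values mean the server trusts what the client sent."""
    return {
        "name_intact": stored_name == sent_name,
        "size_intact": len(stored_bytes) == len(sent_bytes),
        "bytes_intact": stored_bytes == sent_bytes,
    }


def probe_result(response_body):
    """Step 5: classify what the server did when the probe URL was opened."""
    text = response_body.decode("utf-8", "replace")
    if "<?php" in text:
        return "served_raw"          # stored, but handed out as static content
    if PROBE_MARKER in text:
        return "executed"            # the interpreter ran it: code execution
    return "missing_or_altered"      # renamed, rejected or rewritten


# --- server side: the checks whose absence the scenario relies on ----------

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}


def sniff(data):
    """Return the image type implied by the leading bytes, or None."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def store_hardened(client_name, data):
    """Return the name a validated upload would be stored under, or raise.

    Allow-listed extension, matching magic bytes, no server-side script tags,
    and a server-chosen random name: step 4's "knull-shellv1-beta.php" is
    refused, and even a valid image is never reachable under the name the
    uploader picked (which is what steps 3 and 5 depend on).
    """
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % ext)
    kind = sniff(data)
    if kind != ALLOWED[ext]:
        raise ValueError("content is not a %s image" % ext)
    # "GIF89a<?php ... ?>" still starts with a valid GIF signature, so the
    # magic-byte check alone is not enough: refuse anything carrying script tags.
    if re.search(rb"<\?(php|=)|<%", data, re.IGNORECASE):
        raise ValueError("embedded script tags")
    return secrets.token_hex(16) + "." + ALLOWED[ext]


if __name__ == "__main__":
    # Vulnerable target: stores the probe under its own name and executes it.
    print(compare_stored("marker_x9.gif", MARKER_IMAGE, "marker_x9.gif", MARKER_IMAGE))
    print(probe_result(PROBE_MARKER.encode()))   # executed
    print(probe_result(PROBE_SOURCE))            # served_raw
    # Hardened handler: image accepted under a random name, probes refused.
    print(store_hardened("marker_x9.gif", MARKER_IMAGE))
    for name, body in [("probe.php", PROBE_SOURCE),
                       ("probe.gif", b"GIF89a" + PROBE_SOURCE)]:
        try:
            store_hardened(name, body)
        except ValueError as err:
            print(name, "rejected:", err)
```

`probe_result` distinguishes the three outcomes step 5 can produce: the interpreter ran the file (the marker comes back), the file is stored but served as static bytes (the PHP source comes back), or the upload was renamed, rewritten or rejected. `store_hardened` is the handler that turns every one of those probes into the last outcome; note that a double extension such as `shell.php.gif` with real image bytes is accepted, but only ever under a random `.gif` name the attacker cannot predict or control.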
Although I am not very interested in New Year's Eve or in passing into a new year from the protocol perspective, I think it's a good time to point out some general directions.
I believe overall the past year was very good in relation to my testing experience.
The details are important, but can change; that's why I tend to set general goals (it also gives more options to use as a solution):