Hunter Tip #2 Nullie the Elephant



 



Summary:



This is a quick paper about another typical attack I find that has proved successful throughout my own bug hunting.  It is likely this may often be over looked by Bug Hunters.  So I am sharing another tip with you.



Description:



Unfortunately I do not have any real examples I can show you as the programs have stated “no disclosure”.  That being said, I recently discovered another successful attack using this method in a financial services program, so I will talk around this discovery.  In this attack, I wanted to gain access to other people’s card information.



Below is an example of POST data within a normal request.  (I have reduced the POST data to the relevant fields)



{“name":{"first_name":"Mark","last_name":"Litchfield"},"phone":"5555555555","CardNumber":"548401066"}


 



This would return a lot of user information, to include




  • First name

  • Last name

  • Home phone number

  • Cell phone number

  • Full postal address

  • Email address

  • Date Of Birth

  • Card Rewards

  • Secret Question – why ??

  • Secret Answer – definitely why ??



 



So the first stage would be to simply enumerate the CardNumber parameter.  However this replied with:



We’re sorry, but your information doesn’t match your profile. Please retry using your first name, last name, your account number and mobile numbers



So at this stage, we would need to know quite a lot of information to get access to the card.  In a real attack scenario, this would essentially be game over.



However, I persisted and sent:



{"name":{"first_name":"","last_name":""},"phone":"","CardNumber":"548401066"}


 



Same error, I tried again with



{"CardNumber":"548401066"}


 



Same error. 





This time I sent a true NULL value (note the absence of the quotation marks)



{"name":{"first_name":NULL,"last_name":NULL},"phone":NULL,"CardNumber":"548401066"}


 



It passed the application server side checks and returned me the following information.  Clearly in this request, we did not send the First Name / Last Name / Phone Number, but it happily returned us the values.




  • First name

  • Last name

  • Home phone number

  • Cell phone number

  • Full postal address

  • Email address

  • Date Of Birth

  • Card Rewards

  • Secret Question

  • Secret Answer



 



I have seen this work on a number of applications.  So when in doubt, always try a NULL