FlyerTalk Forums - View Single Post - What do BAEC FTers use to track their flight history?
Thread: What do BAEC FTers use to track their flight history?
View Single Post
Old Jun 26, 2018 | 6:24 am
  #21  
JSinjector
 
Join Date: Jun 2018
Posts: 2
The ba97.com site mentioned by some users in this thread has MAJOR security vulnerabilities, and I have inadvertently damaged the site. Moments ago, I was on the map page. If you access this page while not logged in, you are prompted to enter a username to see that user's map. Moreover, an autocompleter suggests usernames once you type a few characters (or, at least, it used to). The thing is, the server puts the full list of every username for the autocomplete as a Javascript array in a script tag in the plain text HTML. I was curious whether this really could be as bad as it looked, and yielding to the luring temptation (which I now regret), I registered on ba97.com with a username tester3\'. To my great surprise, the server accepted the username, and even worse, sent it back into the HTML unfiltered! The escaped \' of course renders as a ', ending the string list and apparently giving me free access to the script tag!

Since I have no malicious intentions, I didn't add "] + dangerous code" to the end of my username (and I dare not try anything else again), so now all that happens is the Javascript has a syntax error and doesn't compile, breaking the autocomplete and apparently the entire query too. So now we can't look up other user's records. Sorry for breaking it, but this vulnerability could be exploited to do terrible things. Javascript runs on the client and has access to the client's computer's hardware and file system...

To the developer of the site: I am sorry for breaking the site (and it was truly accidental), but your site's security is unacceptable. You need to either restrict usernames to letters and numbers, or not allow usernames to escape in the HTML. Better yet, don't put everyone's username in a client-side script tag...keep them on the server! Query the database asynchronously to handle the autocomplete (this is really easy nowadays).

To everyone else: do NOT load ba97.com in your browser unless it is totally contained from anything sensitive.

NB. The syntax error introduced by my username will make it harder for others to exploit the vulnerability, because it will prevent the JS from compiling even after malicious code is injected, so actually my accident is helping to defend the developer and all the site's users. This is why I have decided to publicly expose the vulnerability on this thread.
JSinjector is offline  
Reply