Challenge 7 – Ratings
Rate them high.Rate them good.
Ratings systems are one of the main features of social web apps these days. Sometimes it is a simple like/love button or it can be a full-fledged five-star rating system. A user is supposed to rate an object only once.
Let us visualize the happy path with the help of a sequence diagram:
A close up of a logo Description automatically generated
That is just the happy path for one user rating the post. Let us reimagine the same scenario but with the same user acting at the same time from two browsers.
A screenshot of a cell phone Description automatically generated
There is only one condition to be met for a user to rate a show - they shouldn’t have rated the show before. If they have already rated the show, the app will remove the existing rating from the database.
Let us see if the application is performing those checks:
  1. 1.
    Go to the Admin page
  2. 2.
    Click on reset database button
  3. 3.
    Go back to the Admin page
  4. 4.
    Click on Create default users button
  5. 5.
    Navigate to the login page
  6. 6.
    Click on the first user button. This will load the user data for user Tom
  7. 7.
    Click on the Sign in button
  8. 8.
    Navigate to rate the program page
  9. 9.
    Click on the Love button
  10. 10.
    Note the message on the top that says You have 1 rating(s)
  11. 11.
    Click on the Love button again
  12. 12.
    Note the message on the top that says You have 0 rating(s)
We need to find a way to rate the program twice. How can we do that? What if we submit two rating requests in parallel?
Let us slow down TimeGap Theory:
  1. 1.
    On your browser, navigate to the Settings page
  2. 2.
    Change the time delay to 5 seconds
  3. 3.
    Click on the Save button
Now, TimeGap Theory will wait 5 seconds before every database write operation.
Preparation phase
  1. 1.
    Navigate to the Admin page
  2. 2.
    Click on the reset database button
  3. 3.
    Click on the create default users button
  4. 4.
    Open two browsers side by side (Use private/incognito window if you do not have two browsers)
  5. 5.
    On both the browsers:
    1. 1.
      Navigate to the login page
    2. 2.
      Click on the first user button on top. This will fill the user data for user Tom
    3. 3.
      Submit the form to log in as Tom
    4. 4.
      Navigate to the rate the program page
Alright, the preparation is done. Here comes the exploitation phase.
Exploitation phase
  1. 1.
    Click on the Love button on the first browser
  2. 2.
    Go to the second browser as soon as you can
  3. 3.
    Click on the Love button on the second browser
That’s it. Let us see the result:
Post-exploitation phase
  1. 1.
    Let us wait for both the browsers to complete the request
  2. 2.
    Note the message on the top that says You have 2 rating(s)
  3. 3.
    If you check your scores, you will see that you have got 100 points for solving the rate the program challenge
  4. 4.
    Don't forget to change the delay to 0 on the Settings page.
A picture containing drawing, light Description automatically generated
Automation time
As always, we need a way to automate this.
Pro-tip - you can skip this in real life if the webmaster is your friend and is ready to slow down the server for you.
First, we need a valid fetch request:
  1. 1.
    Open your browser ( Chrome or Firefox)
  2. 2.
    Navigate to TimeGap Theory > Webapp > Login
  3. 3.
    Click on the first user button. This will load the user data for Tom
  4. 4.
    Click on the Sign in button
  5. 5.
    Navigate to the rate the program page
  6. 6.
    Open up dev tools by pressing F12 on the browser
    1. 1.
      On Windows, you can use Ctrl + Shift + I
    2. 2.
      On Mac, you can use Cmd + Shift + I
  7. 7.
    Click on the Love button
  8. 8.
    On the browser dev tools, click on the Network tab
  9. 9.
    Right click on the rate-the-program.php request
  10. 10.
    Click on Copy > Copy as fetch
Timeline Description automatically generated
Paste that on the Console tab of the browser dev tools. You will get something like the following:
Graphical user interface, text, application Description automatically generated
Based on how playful your browser is, you may see a slightly long fetch request. Feel free to trim it down to the bare minimum version shown above.
Now we have a request.
And we need two requests.
It can be done by copy-pasting the fetch request without pressing the Enter key. However, it is a good practice to separate each request with a comma. Let us do that
Graphical user interface Description automatically generated
Before running this new command, we need to clear the slate. It involves three simple steps:
  1. 1.
    Ensure that there is no delay
    1. 1.
      Go to TimeGap Theory > Settings
    2. 2.
      Ensure that the delay is set to 0
  2. 2.
    Reset database and create users
    1. 1.
      Go to TimeGap Theory > Admin
    2. 2.
      Click on Reset database button
    3. 3.
      Go back to TimeGap Theory > Admin
    4. 4.
      Click on Create default users button
  3. 3.
    Clear the current score
    1. 1.
      Go to TimeGap Theory > Score
    2. 2.
      Click on the Clear button
Diagram Description automatically generated
Alright, our slate is clear. Let us execute the attack now:
  1. 1.
    Navigate to the Sign In page
  2. 2.
    Click on the first user button on top. This will fill the user data for user Tom
  3. 3.
    Click on the Sign In button
  4. 4.
    Enter the combined fetch request on the Console tab of browser dev tools
  5. 5.
    Press the Enter key
  6. 6.
    Refresh the page
  7. 7.
    You will see that our attack attempt is unsuccessful.

What happened?

Three things went wrong in here:
  1. 1.
    TimeGap theory now has a CSRF prevention token in the request. This needs to be valid in order for the requests to be successful.
  2. 2.
    This page of TimeGap Theory is authenticated. We need to supply the cookie as well in order for this request to be successful
  3. 3.
    Since an authenticated session is involved, webapp is treating the executing requests one by one when it is from the same session
We need to solve all three problems.

Problem 1 - CSRF token

  1. 1.
    Open your browser and navigate to the Rate the program page
  2. 2.
    Open browser dev tools
  3. 3.
    Open the Network tab
  4. 4.
    Click on the Love button several times
  5. 5.
    On the dev tools, click on each request to rate-the-program page
  6. 6.
    See if we can find the nature of the anti-CSRF token
  7. 7.
    Note that the anti-CSRF token is same across all the requests
Fetch request does not support sending cookies. We need an alternate solution. cURL supports sending cookies. We will use that.

Problem 3 - Only one request per session

A picture containing icon Description automatically generated
This can be solved by creating two sessions for the same user. How can we do that? We will just sign into the same account from two different browsers. Each session will be having their own anti-CSRF token as well.
First, we need two valid cURL requests.
Let us obtain the first one:
  1. 1.
    Open your browser ( Chrome or Firefox)
  2. 2.
    Navigate to TimeGap Theory > Webapp > Login
  3. 3.
    Click on the first user button. This will load the user data for Tom
  4. 4.
    Click on the Sign-in button
  5. 5.
    Navigate to the rate the program page
  6. 6.
    Open up dev tools by pressing F12 on the browser
    1. 1.
      On Windows, you can use Ctrl + Shift + I
    2. 2.
      On Mac, you can use Cmd + Shift + I
  7. 7.
    Click on the Love button.
  8. 8.
    On the browser dev tools, click on the Network tab
  9. 9.
    Right-click on the enter-coupon.php request.
  10. 10.
    Click on Copy > Copy as cURL
For getting the second one:
  1. 1.
    Open another browser ( Chrome or Firefox)
  2. 2.
    Navigate to TimeGap Theory > Webapp > Login
  3. 3.
    Click on the first user button. This will load the user data for Tom
  4. 4.
    Click on the Sign-in button
  5. 5.
    Navigate to the rate the program page
  6. 6.
    Open up dev tools by pressing F12 on the browser
    1. 1.
      On Windows, you can use Ctrl + Shift + I
    2. 2.
      On Mac, you can use Cmd + Shift + I
  7. 7.
    Click on the Love button.
  8. 8.
    On the browser dev tools, click on the Network tab
  9. 9.
    Right click on the enter-coupon.php request.
  10. 10.
    Click on Copy > Copy as cURL
Now that we have both the requests. Let us run them in parallel:
  1. 1.
    Open your command prompt/Terminal window
  2. 2.
    If you are on Windows
    1. 1.
      Type start /b
    2. 2.
      Put a space
  3. 3.
    Enter the first cURL request
  4. 4.
    Put a space
  5. 5.
    Enter the ampersand symbol (&)
  6. 6.
    Put a space again
  7. 7.
    If you are on Windows
    1. 1.
      Type start /b
    2. 2.
      Put a space
  8. 8.
    Enter the second cURL request
  9. 9.
    If you are on Windows
    1. 1.
      Remove the following parameter from both the requests --compress. Some versions of cURL do not support this feature.
  10. 10.
    Now, press the Enter/Return key.
Let us see if we are successful or not:
  1. 1.
    Go back to any of your browser window
  2. 2.
    Refresh the rate the program page
  3. 3.
    Note the message on the top that says You have 2 rating(s)
  4. 4.
    Check if you got points for completing the rate the program challenge
What would be the business impact of such an attack? Depending on how the app is designed, there are several possibilities:
  1. 1.
    Users will be able to bombard the system with infinite number of fake ratings/reviews
  2. 2.
    If this is an online election system, voters would be able to make multiple votes
Let us review what we did:
  1. 1.
    The rate the program feature limits the number of times one can rate the program
  2. 2.
    You analyzed this behavior by trying to rate the program multiple times
  3. 3.
    First, you slowed down the system and bypassed the business logic
  4. 4.
    Then you tried bypassing the business logic by using browser dev tools
  5. 5.
    You learned the difficulties involved in exploiting TOCTOU vulnerabilities when there is an authenticated session
  6. 6.
    Now you know how TOC/TOU security issues in the real world
Last modified 10mo ago