The Accidental Tester
I remember my first security bug. It was so simple, I stumbled over it accidentally. (Well, I told the very angry people who were upset with me that it was an accident.) The problem started with a developer who had left his or her user ID in a code comment on the login page for a production system. It looked something like Listing 1.
Listing 1 Source code for the login screen.
<TABLE cellSpacing = 0 cellPadding = 1 border = 0 width = "98%" align = "center"> <TBODY> <tr> <td class = "wb"> <table border = 0> <FORM method = "POST" name = "login" action = "/login" enctype = "application/x-www-form-urlencoded"> <tr> <td class = sb> login <input type = "text" name = "login_id" size = "32" maxlength = "64"/> </td> <td class = small> enter your username </td> </tr> <tr> <td class = sb> password <input type = "password" name = "password" size = "16" maxlength = "32"/> </td> <td class = small> enter your password </td> </tr> <tr> <td class = sb align = right> <input type = "submit" name = "submit" value = "login"/> <!-- u2x34t - Oct 12, 2004: Removed link to defect tracking system--> </td> </tr> </form> </table> </td> </tr> </TBODY> </TABLE>
In case you don't read HTML, note that the comment is enclosed in the <!-- --> tags. Out of curiosity, I entered the user ID (u2x34t) from the source code into the username field and tried to guess the password. I was rewarded with this:
The password you entered is incorrect. Please try again.
I say rewarded because the first user ID I tried gave me this error:
The user id you entered is not recognized. Please try again.
The specificity of the error messages for the system indicated that I was on the right track. I wouldn't have known that if the system had consistently displayed an error message similar to this one:
The user id and/or password you entered are incorrect, please try again.
At this point, I knew I had a valid user ID, but I still didn't have the password. I didn't want to simply guess because I didn't want to lock the ID (earlier tests had shown that to be a problem). Instead, I started to wonder about that comment the developer made in the source code:
Removed link to defect tracking system
I asked myself some questions: What tracking system? How did they remove it? And where did it go? I looked at the source for more clues, but none could be found, at least to my untrained eye. I needed more source code. I figured that if the developer left comments on the login page, there was a good chance he or she left them in other code as well. At the bottom of the login page was a link to a help page. ("Need help logging in? Forgot your ID?") I followed that link and looked at the source for the help screen, where I found something similar to Listing 2.
Listing 2 Source code for the help page.
<TABLE cellSpacing = 0 cellPadding = 1 border = 0 width = "98%" align = "center"> <TBODY> <tr> <td class = "wb"> <table border = 0> <tr> <td class = sb align = right> <!--<a href="http://URLForDefectTrackingSystem/%userIdParameter%.aspx"> Submit a ticket.</a>--> </td> </tr> <tr> <!--Help text was here...--> </tr> </table> </td> </tr> </TBODY> </TABLE>
To remove the link to the defect tracking system, the developer had simply commented out the link. Not only that—the link included a parameter for the user currently logged in so it would know who submitted the ticket. At that point, I had a URL that required a user ID, and I had a user ID. I simply copied the URL, pasted it into the address bar, typed the user ID in the appropriate place, and hit Enter. The system displayed an error page for a defect tracking system, stating that the system was no longer in use. I initially thought I had hit a dead end, but then I saw a link at the bottom of the page: "Return to application." I clicked the link and was rewarded with the home page for the application I was attempting to access. No password required!
After that, I was hooked, and I had to learn more about security testing. That day I bought a copy of How to Break Software Security (Addison-Wesley, 2003, ISBN 0321194330) by James A. Whittaker and Herbert H. Thompson. I'd like to say that I'm a famous white-hat hacker now, but I'm not. I'm just a tester who knows a little bit about security testing. I would still recommend leaving the high-risk testing to the pros, but I know how to find really obvious security bugs, and I'm always looking to learn more. If you're similarly intrigued, this article is for you. We'll review some helpful open source tools that you can download to help get you started with security testing.
Don't worry, you don't need to know anything about security testing to use these tools—in fact, one even counts on it. All you need is some patience and the desire to learn.