Neo-Hippie Ramblings - I'm a Non-Conformist Just Like All My Friends: Hacking my employer's intranet

Friday, January 21, 2005

Hacking my employer's intranet

The best part about being a software tester is that you get paid to engage in activities that could normally get a person disciplined, fired, and/or thrown in prison. It's kind of like being an undercover narc, without having to destroy people's lives. Also without any sort of glamour.

Anyway, enough digression. A month or so back, our status reporting procedure changed. We went from dumping a Word file into a LAN folder every Wednesday afternoon to using a Web-based status reporting application on the corporate intranet. And being quality assurance, my department received the dubious honor of piloting its use.

The thing was, the group that developed the status reporting app didn't bother to investigate what we really needed - they just designed it based on some vague assumptions and their own department's reporting guidelines. End result: more work for the end users of the application and far less functionality than plain old Word.

After a few weeks of wrestling with this thing, I decided to start having some fun with it. My goal now is to find a new bug every week. I'm two for two, so far.

Week 1: Entered an HTML paragraph tag (<p>) into a text field. Clicked the 'add record' link. Bam! Unhandled exception error (bad) with a verbose server-side error page (really bad).

Hee hee - did the booty dance in my cube!

Summarized the behavior and steps to reproduce and passed them along to the rep in my department coordinating the beta test. Lead developer's response: "Added a validation to fix the problem. Tell [my name] to do his worst".

Evil grin.

Week 2: Tried SQL injection without success. Bummer. That would have been a beaut, and probably would have worked because of a lookup database link. Should have tried it before I got them to start sanitizing entry fields in response to the HTML tag error.

OK, time for my next dirty trick: Overflow. Searched through an old project folder for a big, honkin' text file. Bingo -- 10MB of bogus names and addresses. Copied it out of Notepad and pasted it into a text field. Waited for the hourglass to flip a few times while the paste operation hogged the processor. Clicked the 'add record' link. Bam! Short lag followed by a 'Page not found' error.

Hee hee - did the booty dance again!

Summarized the behavior and steps to reproduce and passed them along. Lead developer's response: "Field size validation on the database side wasn't getting picked up on the client side. Adding a custom validation to the client".

Hmmm... no taunt this week.

I have a little under 5 days left to dream up my next plan of attack. Some of the JavaScript field validations are being reported in the status bar, but others are not, so I may be able to find weaknesses there. If not, maybe I'll try messing with duplicate entries.
