Representative Line: The Deadly Cookie

Over the years, Armid transitioned from being a full-time developer to a full-time pen tester (as in penetration testing, not pen testing) and he hasn't looked back since. "I did enjoy writing code," he commented, "but there's something really satisfying about demonstrating an XSRF attack to that smug developer who swore up-and-down that his code was perfect." And with things like PCI Compliance to worry about, there are plenty of projects to keep him busy.

"It takes a lot to surprise me anymore," Armid added. "In fact, these days, I'm surprised if I don’t find a SQL Injection vulnerability. That being said, the public-facing operations engine of a large (3,000+ employee) company really surprised me. To say that it was filled with back doors would almost imply that someone thought to install doors — this system has more openings than walls. But there was one vulnerability in particular that trumped them all."

system("chmod 777 " . $_COOKIE["$sessionid"]);

"In fairness, this was one of the more secure lines of code, since most attackers will only mangle their cookies as their fourth… maybe fifth step. Plus, they'd be so distracted by all of the other vulnerabilities that they'd likely overlook this altogether."
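For contrast, here is an added example (mine, not code from the article or from the system Armid reviewed) of the same operation done without passing cookie text to a shell: the value is checked against a strict allowlist, confined to one directory, and changed with PHP's builtin chmod() to an owner-only mode. SESSION_DIR, the function names and the allowlist pattern are assumptions made for illustration.

```php
<?php
// Added example, not from the original article. Assumes each session id
// names a file under one fixed directory (hypothetical layout).
const SESSION_DIR = '/var/app/sessions';

// The shape of the line from the article: untrusted cookie text is glued
// straight into a shell command and the target is made world-writable.
function chmodFromCookieUnsafe(array $cookie, string $sessionKey): void
{
    system("chmod 777 " . $cookie[$sessionKey]);
}

// Hardened version: allowlist the value, keep it inside SESSION_DIR,
// avoid the shell entirely, and grant only the permissions actually needed.
function chmodFromCookieSafe(array $cookie, string $sessionKey): bool
{
    $id = $cookie[$sessionKey] ?? '';

    // Only a fixed alphabet and length are accepted; everything else
    // (spaces, separators, path components, empty values) is rejected.
    if (!preg_match('/\A[A-Za-z0-9]{16,64}\z/', $id)) {
        return false;
    }

    // realpath() resolves symlinks and "..", so we can confirm the final
    // target still lives under SESSION_DIR before touching it.
    $real = realpath(SESSION_DIR . '/' . $id);
    if ($real === false || strpos($real, SESSION_DIR . '/') !== 0) {
        return false;
    }

    // Builtin chmod(): no shell, no argument splitting, and the file stays
    // readable and writable by its owner only instead of by everyone.
    return chmod($real, 0600);
}
```

The allowlist check, not the later path check, is what actually stops shell metacharacters from reaching a command; the path check covers the separate case of a well-formed id that points somewhere it should not.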