Wednesday, March 3, 2010

Don't Need No Stinkin' Coupon Print Activator

This is a real-life example of exploiting a web application security flaw. I received an email from Discover Card offering some Lowe's coupons.
I was needing to buy some stuff there anyway, so I decided to grab them.
I was soon shocked and amazed. Turns out they expect you to download an executable (something called a "Coupon Print Activator") and run it just to print the coupons.
I am not in the habit of running strange .exe's.
But, I really wanted those coupons (and perhaps sensed my hacking skillz were being challenged). I looked at the requests being made to the server, and noticed that dsppreprint.cfm had some JavaScript pointing to interesting URLs, one to "print.cfm" and one to "print_noplugin_redirect.cfm". The query strings were radically different between the two, so I decided to append the query string from print.cfm onto the other .cfm file.
This hybrid URL ended up in a round-about way returning some HTML with an "embed" tag with a bunch of attributes. One of the attributes was very interesting to me.
A request to this URL returned some raw data that appeared to be meant for consumption by the Coupon Print Activator. It also led me to discover yet another URL.
A request to this URL returned the following jpeg image (numbers masked to protect something or other):
So I got a bar code. Wonder if I could print this bar code and use it at the self-checkout at Lowe's? This would not be unethical as I was entitled to the coupon anyway. I just didn't want to run that Activator thingy! As a simple test, I jumped over to Lowes.com and added a ceiling fan to my shopping cart. There was an input field for "Promotional Code".
Proceeding to enter the number that appeared below my bar code, I was pleased to see my $10.00 discount applied.
To sum up, coupon obtained, Activator thingy bypassed. Sorry I do not have time to get into how this site could have been written more securely. Suffice it to say that exposing data, URLs, and client side logic is not good.
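As an added illustration of that last point (example code, not from the post or from the sites it describes), here is a hypothetical server-side design in which a barcode is rendered only for a signed, single-use grant bound to the logged-in user, so a bare coupon id or a guessed image URL buys nothing; the key, user ids and coupon ids are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def issue_coupon_token(user_id: str, coupon_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint a coupon grant only after the server has verified that user_id is
    entitled to coupon_id. The grant is bound to the user and carries a random
    nonce so two grants for the same coupon are distinct (ids must not contain ':')."""
    nonce = secrets.token_hex(8)
    payload = f"{user_id}:{coupon_id}:{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_coupon_token(token: str, session_user: str, key: bytes = SERVER_KEY):
    """Return (coupon_id, nonce) if the token is authentic and belongs to the
    logged-in user, else None. A bare coupon id from the URL is never trusted."""
    try:
        b64, tag = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        user_id, coupon_id, nonce = payload.decode().split(":")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    if user_id != session_user:
        return None  # someone else's grant replayed in this session
    return coupon_id, nonce


def render_barcode(token: str, session_user: str, redeemed: set) -> str:
    """Stand-in for the image endpoint: only a valid, unused grant yields a
    barcode number; the nonce is recorded so one grant cannot be printed twice."""
    result = verify_coupon_token(token, session_user)
    if result is None:
        return "403 Forbidden"
    coupon_id, nonce = result
    if nonce in redeemed:
        return "410 Gone"
    redeemed.add(nonce)
    return f"BARCODE:{coupon_id}"
```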

1 comments:

Anonymous,  6/23/2012 11:00 PM  

Interesting. Target.com is doing the same, only they've obfuscated the underlying logic. Been playing around with it last week .. still a work-in-progress:

1. Go to http://coupons.target.com/
2. Select coupons
3. Click the in-page Print btn
4. On "install coupon activator" page, change URL to http://coupons.target.com/print-processing
5. Examine cookies (using F12 in IE9)
6. Locate cookie "CouponCookie" and run its value through a URL DEOBFUSCATOR tool such as http://www.webtoolhub.com/tn561351-url-deobfuscator.aspx

Original value (the coupons you selected):
1831174%2C1831479%2C1831606

Deobfuscated:
1831174,1831479,1831606

These are clearly the Coupon IDs. Now I am looking for the image rendering logic to feed those values and generate my coupon image :)

Thanks for the great tip. It's complete bull$h!t that we are expected to install software which REQUIRED administrator approval, offers NO security or guarantee that some hacker won't figure out a way to EXPLOIT this UNSAFE plug-in.
