This is your everyday, ticket-serving Amtrak kiosk. Look familiar?

I love taking the train. God, the only thing better than taking the train would be taking the train for free.

Whoops. Thanks for the ticket, Marge Power, traveling from Alexandria, VA.

How was I able to do this? Direct object references (DOR). Laughably, ridiculously easy attacks. Is this a Diebold product? It’s no wonder that with this level of security, a 14-year-old kid from Kerplakistan with a pasta drainer, wireless mouse and a shoebox was able to completely derail their trains. I’ve told my webappsec classes that the easiest way to steal a bunch of information from a website is through direct object references. My wife could perform a DOR attack, and if you think she knows anything about security, I can just tell you she has like 5,000 Facebook applications with full privileges running.

So, let’s get to the really gory, technical details of this Mitnick-like hack.

My confirmation number was 01CF01.

I typed in 01CF04.

Maybe it was by accident, Amtrak, and maybe it wasn’t. Regardless, I got Marge’s ticket offered to me. Look at the screen again. See the “Print Tickets” option? I’m sure this does happen all the time by accident. Whoever made this horribly insecure contraption knew that, too, because on the first picture, if you look closely, there’s a “Not you? Click here to try another confirmation number” button as well. You don’t need an ID to board a train, remember.

Incidentally, Marge Power is such a badass name. That’s why I didn’t get her tickets out. She sounds ripped. Anyway, imagine the same kind of functionality on a website:

http://bank.com/viewProfile?accountID=101

Hrm. How about 102? Or:

http://bank.com/viewReport?file=arshan.pdf

Hrm. How about ../../../../etc/passwd? When we learn to program, we’re not taught security. We’re taught to pass our test cases and include as much functionality as we can. Maybe we can sneak a little blurb about data ownership into our curriculum, say, instead of DFDs or UML or anything else that 90% of web developers never even use? Even harder to imagine than teaching doe-eyed comp sci students security is the prospect of teaching stuffy old professors about it.
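Those two URLs are the whole attack, so here is what the server side of each looks like with and without the data-ownership check. This is an added example, not code from the original post; the account data, report names and directory are constructed, and the function names are hypothetical.

```python
from pathlib import Path
from typing import Optional

# Constructed sample data standing in for the bank's database.
ACCOUNTS = {101: {"owner": "arshan", "balance": 5000},
            102: {"owner": "marge", "balance": 120}}
# Which report files each logged-in user is entitled to see.
REPORTS = {"arshan": {"arshan.pdf"}, "marge": {"marge.pdf"}}
REPORT_DIR = Path("/srv/reports").resolve()  # hypothetical storage root


def view_profile_vulnerable(session_user: str, account_id: int) -> dict:
    """viewProfile?accountID=N as the post describes it: the ID from the
    request is used directly, so asking for 102 instead of 101 hands over
    someone else's profile. The session user is never consulted."""
    return ACCOUNTS[account_id]


def view_profile_fixed(session_user: str, account_id: int) -> Optional[dict]:
    """Same lookup, but the record must belong to the logged-in user.
    Returning None (a 404) rather than a 403 avoids confirming the ID exists."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        return None
    return acct


def report_path_vulnerable(session_user: str, filename: str) -> Path:
    """viewReport?file=X as the post describes it: the name is joined to the
    report directory with no check, so ../ sequences walk right out of it."""
    return (REPORT_DIR / filename).resolve()


def report_path_fixed(session_user: str, filename: str) -> Optional[Path]:
    """Allowlist first (is this one of the user's own reports?), then confirm
    the resolved path is still under REPORT_DIR as defence in depth."""
    if filename not in REPORTS.get(session_user, set()):
        return None
    path = (REPORT_DIR / filename).resolve()
    if REPORT_DIR not in path.parents:
        return None
    return path


def flag_probing(requests, threshold: int = 3) -> set:
    """Detection side: given a constructed log of (user, account_id) requests,
    a user who trips the ownership check `threshold` or more times is
    walking IDs, which is what 01CF01 -> 01CF04 looks like from the server."""
    denied = {}
    for user, acct in requests:
        if view_profile_fixed(user, acct) is None:
            denied[user] = denied.get(user, 0) + 1
    return {u for u, n in denied.items() if n >= threshold}
```

The fixed handlers key every lookup off the session, not the request parameter, which is the one rule the kiosk's "Print Tickets" screen skipped.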

Anyway, hope your March Madness brackets are doing well. I have my alma maters Towson University and Essex Community College meeting in the final, with Essex snatching the victory in classic underdog fashion from Towson in triple overtime – on a jumper from some 19-year-old father of 2, making the end score 45-44. Sure, neither were in the tournament, but you know how those later rounds are weighted. If I nail the final I’m taking home the dough.