**Read Part 1 to get the full picture of this post.**
Notice that there is no user confirmation that the phone number is correct and that I really do want to receive the results via SMS, especially since receiving the results costs B$3.00! It does give a cancellation code which I could have sent back to stop the results SMS, but the service is opt-out rather than opt-in, and the person who pays may never have entered the number in the first place. The delay between the two SMS messages was 3 minutes, which is ample time to send a reply if you are actively checking your phone.
Exploit #1: Overwhelm a single person with many result SMS messages, each charged at B$3.00. If the target is on a prepaid plan this can drain all of their credit, effectively a denial of service; on a postpaid account the charges simply keep accumulating.
Solution: Require the user to reply with a confirmation SMS (opt-in) before any result is sent, rather than relying on an opt-out cancellation code.
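An added example of that opt-in flow, written for this post and not the service's own code. A request only produces a billable result SMS after the same phone number replies with a one-time confirmation code inside a short window, and each number is capped at a few paid results per day so that even a confirmed number cannot be flooded. The table layout, the stub SMS gateway, the daily cap and the +673 numbers are all constructed for the example; it runs on PHP 8 with the PDO SQLite driver.

```php
<?php
// Added example, not the service's own code: an opt-in (double confirmation)
// flow for a paid result-by-SMS service. A request is only billed, and the
// result only sent, after the SAME phone number replies with the one-time
// confirmation code within a short window, and each number is capped at a
// small number of paid results per day. Storage is in-memory SQLite via PDO
// and the SMS gateway is a stub; table names, the gateway API and the
// +673 phone numbers below are all constructed for the example.
declare(strict_types=1);

final class SmsGateway
{
    /** @var array<int, array{to: string, text: string}> */
    public array $sent = [];

    public function send(string $to, string $text): void
    {
        $this->sent[] = ['to' => $to, 'text' => $text];
    }
}

final class ResultService
{
    private const CONFIRM_TTL = 600;   // seconds the confirmation code stays valid
    private const MAX_PER_DAY = 3;     // paid results one number may receive per day

    public function __construct(private PDO $db, private SmsGateway $gw)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS request (
            id        INTEGER PRIMARY KEY,
            phone     TEXT    NOT NULL,
            candidate TEXT    NOT NULL,
            code      TEXT    NOT NULL,
            created   INTEGER NOT NULL,
            confirmed INTEGER NOT NULL DEFAULT 0)');
    }

    // Step 1: someone (possibly not the phone's owner) asks for a result.
    // Nothing is billed; the number only receives a free prompt.
    public function request(string $phone, string $candidate, int $now): string
    {
        $code = sprintf('%06d', random_int(0, 999999));
        $st = $this->db->prepare(
            'INSERT INTO request (phone, candidate, code, created) VALUES (?, ?, ?, ?)');
        $st->execute([$phone, $candidate, $code, $now]);
        $this->gw->send($phone,
            "Reply CONFIRM $code to receive the result for $candidate (B\$3.00). Ignore this to cancel.");
        return $code;
    }

    // Step 2: an inbound SMS. Only a matching, unexpired, unused code from the
    // same number releases a paid result, and never more than MAX_PER_DAY.
    public function handleReply(string $fromPhone, string $text, int $now): bool
    {
        if (!preg_match('/^CONFIRM\s+(\d{6})$/i', trim($text), $m)) {
            return false;                       // not a confirmation, ignore
        }
        $st = $this->db->prepare(
            'SELECT id, candidate FROM request
              WHERE phone = ? AND code = ? AND confirmed = 0 AND created > ?');
        $st->execute([$fromPhone, $m[1], $now - self::CONFIRM_TTL]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;                       // wrong number, wrong code, expired or reused
        }
        $cnt = $this->db->prepare(
            'SELECT COUNT(*) FROM request WHERE phone = ? AND confirmed = 1 AND created > ?');
        $cnt->execute([$fromPhone, $now - 86400]);
        if ((int) $cnt->fetchColumn() >= self::MAX_PER_DAY) {
            return false;                       // daily cap reached, no further billing
        }
        $this->db->prepare('UPDATE request SET confirmed = 1 WHERE id = ?')
                 ->execute([$row['id']]);
        $this->gw->send($fromPhone, "Result for {$row['candidate']}: " . $this->lookup($row['candidate']));
        return true;
    }

    private function lookup(string $candidate): string
    {
        return 'PASS';   // constructed placeholder for the real result lookup
    }
}

// Demonstration with constructed numbers.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$gw = new SmsGateway();
$svc = new ResultService($db, $gw);
$now = time();

$code = $svc->request('+6731230000', 'A1234', $now);                      // attacker enters the victim's number
var_dump($svc->handleReply('+6739990000', "CONFIRM $code", $now));       // bool(false): reply from another number
var_dump($svc->handleReply('+6731230000', "CONFIRM $code", $now + 601)); // bool(false): code expired
var_dump($svc->handleReply('+6731230000', "CONFIRM $code", $now + 60));  // bool(true): the owner opted in
var_dump($svc->handleReply('+6731230000', "CONFIRM $code", $now + 61));  // bool(false): code already used
echo count($gw->sent), " messages sent, only one of them billable\n";     // 2
```

The unconfirmed prompt is the only message an attacker can make the service send to a number they do not control, and it costs the recipient nothing; the B$3.00 charge is tied to a reply that only the phone's holder can produce.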
Taking things a bit further, I tried a few things such as submitting invalid data. To their credit, the form did validate what I entered, but that validation ran in the browser.
Exploit #2: Bypass the client-side validation by submitting the request directly to the server, skipping the browser-side checks, and send invalid data.
Solution: Validate the data on the server as well, in this case in the PHP code; client-side checks are a convenience for the user, not a security control.
This exploit relies on the application assuming that whatever it receives is valid data. That should never be assumed: you cannot trust the user to enter correct information, so every input must be validated before it enters the application, and parameterised wherever it is used in a query. Flaws like this are what lead to SQL injection, which can have catastrophic results on your server, including information theft. So whenever you design and implement a system, do your job properly: factor this in and make sure your application does not suffer from this flaw.
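An added example, not the service's own code, of the same result lookup written twice: one version trusts that the browser already validated the input and pastes it into SQL, the other re-validates on the server and binds the value with a prepared statement. The schema, the candidate-number format (one letter followed by four digits), the sample rows and the injected string are all constructed here; it runs on PHP 8 with the PDO SQLite driver, and in a real handler the `$candidate` argument would come from `$_POST`.

```php
<?php
// Added example, not the service's own code: the same lookup written twice.
// lookupVulnerable() trusts that the browser already validated the input and
// pastes it into SQL; lookupHardened() re-validates on the server and uses a
// prepared statement. Schema, column names, the candidate-number format
// (one letter followed by four digits) and the rows are all constructed here.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE result (candidate TEXT PRIMARY KEY, grade TEXT NOT NULL)');
    $db->exec("INSERT INTO result VALUES ('A1234', 'PASS'), ('B5678', 'FAIL'), ('C9012', 'PASS')");
    return $db;
}

// Vulnerable: the only "validation" is the JavaScript on the form, which an
// attacker simply skips by sending the POST directly. Returns every row the
// crafted WHERE clause matches.
function lookupVulnerable(PDO $db, string $candidate): array
{
    $sql = "SELECT candidate, grade FROM result WHERE candidate = '$candidate'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: whitelist the exact format on the server, then bind the value so
// it can never change the meaning of the query. Returns null when rejected.
function lookupHardened(PDO $db, string $candidate): ?array
{
    if (!preg_match('/^[A-Z][0-9]{4}$/', $candidate)) {
        return null;                                  // reject, do not "clean up"
    }
    $st = $db->prepare('SELECT candidate, grade FROM result WHERE candidate = ?');
    $st->execute([$candidate]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
$evil = "' OR '1'='1";                      // never gets past the form's JavaScript, but a direct POST skips that
printf("vulnerable: %d rows\n", count(lookupVulnerable($db, $evil)));  // 3: the whole table leaks
var_dump(lookupHardened($db, $evil));       // NULL: rejected before it reaches the database
var_dump(lookupHardened($db, 'A1234'));     // one row
```

Rejecting anything outside the expected format is deliberate: attempting to strip quotes or "clean" the input leaves you guessing at every encoding an attacker might use, whereas a strict whitelist plus a bound parameter makes the query's structure independent of the data.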
2 thoughts on “A Lesson in Web Application Security Part 2”
Well you did everything you could. Now just hope they actually fix the problems.