TUNE CWE 315 Vulnerability

This could potentially expose an SSO account, which could then be used to log into iGracias, meaning you could log in as a lecturer, staff member and so on.

Possible fixes

One way to fix this is to hash the password, so I advised them to do so. They did hash the password, but then there is this autofill feature that fills the password input with the hashed password set in the cookie.

Basically, you can use the hashed password as a bypass. At least I tried to alert them.

For instance, if your password is mypassword, its md5 hash is 34819d7beeabb9260a5c854bc85b3e44; even if you paste the hash into the input field, the Wi-Fi portal would still let you log in.

Judging by how the password is treated, they might be using a fairly similar algorithm:

// Suspected check: the cookie value is compared against the raw input as well as
// against its hash, so submitting the stored hash itself is enough to pass.
const verify_password = (password: string): boolean => {
    const stored_password: string = get_password_cookie()
    return password === stored_password || hash(password) === stored_password
}

The password === stored_password comparison is where the problem lies: it accepts the stored hash itself as a valid password. What the function should be doing is:

const verify_password = (password: string): boolean => hash(password) === get_password_cookie()

Maybe this is better; better still if the password isn't stored in a cookie at all, I guess.
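To make the bypass concrete, here is an added example (my own code, not the portal's) that reads the stored value out of a document.cookie-style string and runs it through both the suspected check and the corrected one. The cookie name tune_pass and the cookie string are assumptions; md5 is used only because the page says the stored value is an md5 hash.

```typescript
import { createHash } from "node:crypto";

// Hypothetical cookie name; the real portal's cookie name is not given on the page.
const PASSWORD_COOKIE = "tune_pass";

// md5, matching the hash the page shows for "mypassword".
function hash(password: string): string {
  return createHash("md5").update(password, "utf8").digest("hex");
}

// Pull one value out of a document.cookie-style string ("a=1; b=2").
function getCookie(cookieString: string, name: string): string | undefined {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return undefined;
}

// The suspected check: accepts either the plaintext or the stored hash itself.
function verifyVulnerable(password: string, storedPassword: string): boolean {
  return password === storedPassword || hash(password) === storedPassword;
}

// The corrected check: only the plaintext password hashes to the stored value.
function verifyFixed(password: string, storedPassword: string): boolean {
  return hash(password) === storedPassword;
}

// Constructed sample of what someone holding the victim's cookies would see.
const SAMPLE_COOKIES =
  "session=abc123; tune_pass=34819d7beeabb9260a5c854bc85b3e44; theme=dark";

function demo() {
  const stored = getCookie(SAMPLE_COOKIES, PASSWORD_COOKIE) ?? "";
  return {
    stored,
    plaintextVulnerable: verifyVulnerable("mypassword", stored), // real password works
    hashVulnerable: verifyVulnerable(stored, stored),            // so does the bare hash
    plaintextFixed: verifyFixed("mypassword", stored),           // real password works
    hashFixed: verifyFixed(stored, stored),                      // bare hash is rejected
  };
}

console.log(demo());
```

Even with the corrected check, an unsalted md5 in a cookie is still a password-equivalent that can be cracked offline, which is why the check belongs on the server against a salted, properly stored hash rather than against anything the client sends back in a cookie.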

Writing a script

TUNE-CWE-315: I made this as a web extension to make it hard to set up, and on top of that I used CoffeeScript as the main language for more abstraction. I did this because I wanted to prevent script kiddies from using it, aside from document.cookie being easy to find.

I made this to demonstrate that someone could have been targeting a specific person, while also serving as an exercise for me, since this is a real-world problem. You could also sniff out cookies; there are tools like Wireshark and such.