Random links #10

Written on 18 March 2017, 03:25pm

Tagged with: , , , ,

Random things – session hijacking

Written on 18 March 2017, 11:53am

Tagged with: , ,

Two notes about session hijacking methods:

Difference between stored and reflected XSS attack

Stored or persistent XSS attack – relies on user input stored on the server. Best example – a comment in a news site.
Reflected or non-persistent XSS attack – relies on user input sent in the HTTP query parameters. Best example – site search, showing the keyword after search
Play the XSS game: xss-game.appspot.com

Session fixation

In a nutshell, session fixation means that the attacker obtains a legitimate session ID from the server and then it makes the victim browser to use it. See example.
The counter-measures are quite simple:
– do not accept setting a session id via URL/POST parameters
– change session id after user login
– just use HTTPS and secure cookies, it’s 2017 and HTTPS adoption reached the tipping point

Working around a metered paywall

Written on 11 March 2017, 10:20pm

Tagged with: , , , ,

Back in 2011, when I started this blog, I had a list of things I wanted to talk about. I recently reviewed this list and I noticed that one of my questions back then was about the restriction of content: after reaching a certain number of free articles, some websites ask to pay before continuing. This system is named metered paywall and one example of website using this mechanism is NYTimes.com.

I was curious about the technical implementation of this system and I did a little research (fun Saturday evening project 🙂 ). After reaching the maximum number of free articles, I tried to see how easy it is to continue reading.
First, with the stateless design of HTTP in mind, I tried clearing the browser storage:

No success, so moving on.
Second, I noticed that I could bypass the metered paywall by opening articles in incognito windows.
Third, I also noticed that disabling JavaScript in a normal browser window also turned off the paywall:

This only means one thing: that the NYTimes metered paywall is client-side only, meaning that it can be overridden by disabling JavaScript. I was expecting a server side implementation, but it looks like the client-side was enough for NYTimes.
With this in mind, it took me only a few minutes to find the JS file implementing the metered paywall and adding it in AdBlock Plus. I will not disclose it here; the plan is to get in touch with NYTimes to confirm this is the intended behavior. I’ll update this post if I have more news.

PS: Yes, I do have a NYTimes subscription 🙂

Update April 2017: I cancelled my NY Times subscription: