Friday, August 29, 2014

CX booking system loophole could have been prevented

From CW.

http://cw.com.hk/news/cx-booking-system-loophole-could-have-been-prevented

The loophole at Cathay Pacific’s online ticket system that allowed a buyer to jump a cyber-queue and purchase a promotional ticket is a security vulnerability that “could have been prevented,” according to a Hong Kong-based security expert.

To celebrate the Hong Kong-based airline being named the world’s best airline by UK agency Skytrax, Cathay Pacific on Tuesday launched a promotion offering 2,014 business and premium economy tickets to 11 destinations at a price of only HK$100. The massive popularity of the promotion left tens of thousands disappointed, as many potential buyers logged on to the system at 8am only to find themselves far back in a huge cyber-queue.

But one lucky buyer was reported to have purchased a pair of tickets to New York by “playing around” with the URL, after the Web site indicated there were no flights left. The airline stated it is investigating the issue.

It is the result of bad application design combined with a security vulnerability, creating “an exploitable loophole which could have been prevented,” said Richard Stagg, director and managing consultant at Hong Kong-based Handshake Networking.

Not keeping parameters in the URL

According to Stagg, placing parameters in the URL, where the user can see and change them (rather than sending them in an HTTP POST body, the more common method, which keeps them out of the user’s sight), is bad security practice.

“Not keeping parameters in the URL is a trivially easy way to address this vulnerability,” said Stagg. “It doesn’t actually fix anything, but it makes the process of tampering with the parameters much less attractive to an opportunist, and removes any grey areas on whether changing the parameters amounts to hacking.”

Alternatively, validation on the application side might have helped. “The original article was short on technical details, but it sounds like the system rejected the same parameters when they were entered in the proper way,” he said, “so apparently it can tell the difference.”
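The two points Stagg makes above, that hiding parameters in a POST body “doesn’t actually fix anything” and that server-side validation would, can be shown side by side in a small booking handler. The code below is an added illustration written for this post; it is not Cathay Pacific’s code, and the inventory, session ids, routes and the `SERVER_KEY` are constructed values. The vulnerable handler believes whatever the client says about its entitlement, regardless of whether the parameters arrived in the query string or a POST body. The hardened handler ignores the client’s claims and instead checks a server-issued, signed queue token bound to the session and route, checks that the token is used only once, and re-checks seat availability at booking time.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed secret for this example; a real service would load it from a secret store.
SERVER_KEY = b"hypothetical-server-secret"


@dataclass
class PromotionInventory:
    """Remaining promotional seats per route, plus the queue tokens still unredeemed."""
    seats_left: dict
    issued_tokens: set = field(default_factory=set)


def naive_book(inventory, params):
    """Vulnerable pattern: the server trusts the client's own statement that it
    is entitled to the promotional fare. Whether 'promo=1' came from the URL or a
    POST body makes no difference; editing the request is enough to get the fare."""
    route = params.get("route")
    if params.get("promo") == "1":
        return ("booked", route, 100)          # no check of the queue or of seats left
    return ("booked", route, params.get("price"))


def issue_queue_token(inventory, session_id, route):
    """Called when the queue admits a session. Returns None if the route is sold out.
    The token is an HMAC over session and route, so neither can be swapped later."""
    if inventory.seats_left.get(route, 0) <= 0:
        return None
    sig = hmac.new(SERVER_KEY, f"{session_id}:{route}".encode(), hashlib.sha256).hexdigest()
    token = f"{session_id}:{route}:{sig}"
    inventory.issued_tokens.add(token)
    return token


def hardened_book(inventory, params):
    """Hardened pattern: every decision is made from server-side state. The client's
    parameters are only compared against what the server itself issued."""
    route = params.get("route")
    session_id = params.get("session")
    token = params.get("token", "")

    # 1. The token must carry a valid signature from this server.
    try:
        tok_session, tok_route, sig = token.split(":")
    except ValueError:
        return ("rejected", "malformed token")
    expected = hmac.new(SERVER_KEY, f"{tok_session}:{tok_route}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return ("rejected", "bad signature")

    # 2. The request parameters must match what the token was issued for.
    if tok_session != session_id or tok_route != route:
        return ("rejected", "parameters do not match issued token")

    # 3. A token is redeemable exactly once.
    if token not in inventory.issued_tokens:
        return ("rejected", "token already used or never issued")

    # 4. Availability is re-checked at booking time, never taken from the client.
    if inventory.seats_left.get(route, 0) <= 0:
        return ("rejected", "no promotional seats left")

    inventory.issued_tokens.discard(token)
    inventory.seats_left[route] -= 1
    return ("booked", route)


def demo():
    """Runs a tampered request against both handlers, then a legitimate booking,
    a replay of the same token, and a token reused for a different route."""
    inv = PromotionInventory({"HKG-JFK": 0, "HKG-LHR": 1})  # constructed sample inventory
    tampered = {"session": "s1", "route": "HKG-JFK", "promo": "1", "token": "s1:HKG-JFK:0000"}
    naive = naive_book(inv, tampered)          # accepted: sold-out route, forged token
    hardened = hardened_book(inv, tampered)    # rejected: signature does not verify
    tok = issue_queue_token(inv, "s2", "HKG-LHR")
    legit = hardened_book(inv, {"session": "s2", "route": "HKG-LHR", "token": tok})
    replay = hardened_book(inv, {"session": "s2", "route": "HKG-LHR", "token": tok})
    swapped = hardened_book(inv, {"session": "s2", "route": "HKG-JFK", "token": tok})
    return naive, hardened, legit, replay, swapped


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The design point is that the “no flights left” decision lives in `inventory.seats_left` on the server and is enforced again inside `hardened_book`, so a client that learns the parameter names gains nothing; moving the same parameters from the URL into a POST body would leave `naive_book` exactly as exploitable.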

When asked what other threats such a vulnerability could pose, Stagg explained that parameter tampering is a “business logic” vulnerability, which cannot be detected by automated vulnerability scanning.

“Only devious humans can find and exploit ‘business logic’ vulnerabilities,” he said. “That means if CX is relying on automated vulnerability scanning, they may be missing other examples of this same bug.”

He added that manual security testing and penetration testing are good ways to identify these types of problems. Guidelines from the Open Web Application Security Project (OWASP) also indicate that static source code auditing and building a secure software development lifecycle help to avoid similar problems.
