SSO Ticket exploit

Status
Not open for further replies.
Rain

Rain

c
Mar 13, 2015
563
251
So, the SSO ticket exploit from a while back where they get into staff account with a blank SSO ticket, it's just happened to me on habsay as my staff ID was 1.

I checked the emu to see if it was making sure the SSO wasn't blank and it was;
F_cyIP6FSCqUNHDsZfrbsA.png

How was he able to do this?

When i set my SSO ticket to a value while i am online, he got on to an account called 'Hayley'
I-PX5wzTRE_mS1K13y7KPA.png


If it's checking for an empty SSO, and he still got on my account, why is that?
Is there a value he could've entered that's empty in mysql?
 
Last edited:
Sort by date Sort by votes
Rain

Rain

c
Mar 13, 2015
563
251
Jaden said:
He shouldn't be able to run any SQL if you're using prepared statements and binding the SSO variable.
Click to expand...
He's not running an SQL, he's just connecting to the client with a blank SSO.
The SSO variable is bound -
You must be registered for see links
 
Upvote 0 Downvote
Brad

Brad

Well-Known Member
Jun 5, 2012
2,320
993
Not 100% sure if this will work or make a difference with the check in place for an empty string. But maybe try adding SSO.Length > 0
 
Upvote 0 Downvote
Zodiak

Zodiak

recovering crack addict
Nov 18, 2011
453
417
Rain said:
?
You must be registered for see links
?
Click to expand...
Code: 
if (string.IsNullOrEmpty(SSO) || string.IsNullOrWhiteSpace(SSO) || SSO.Length < 15)
return;

No need for the extra code, because it shouldn't run anyway if the above if statement is triggered.
 
Upvote 0 Downvote
Rain

Rain

c
Mar 13, 2015
563
251
Zodiak said:
Code: 
if (string.IsNullOrEmpty(SSO) || string.IsNullOrWhiteSpace(SSO) || SSO.Length < 15)
return;

No need for the extra code, because it shouldn't run anyway if the above if statement is triggered.
Click to expand...
i feel as though there's a string that represents null or empty in an SQL query, that they could have used.
 
Upvote 0 Downvote
Damien

Damien

Don't need glasses if you can C#
Feb 26, 2012
434
647
Just separate the SSO tickets from the user table and delete them once the user has authenticated. I find is assuming how I got slated when I posted my version a while back, but yet I've seen people have nothing but trouble with this version.

Also if you're keeping the SSO's you're giving them the same opportunities to log onto random accounts (not as much, but still insecure).

The proper way it should be done is separate with a timeout, so if a connection isn't made within the given time. The SSO is destroyed automatically.
 
  • Like
Reactions: Joe
Upvote 0 Downvote
Rain

Rain

c
Mar 13, 2015
563
251
Damien said:
Just separate the SSO tickets from the user table and delete them once the user has authenticated. I find is assuming how I got slated when I posted my version a while back, but yet I've seen people have nothing but trouble with this version.

Also if you're keeping the SSO's you're giving them the same opportunities to log onto random accounts (not as much, but still insecure).

The proper way it should be done is separate with a timeout, so if a connection isn't made within the given time. The SSO is destroyed automatically.
Click to expand...
tru, will look into it
 
Upvote 0 Downvote
Status
Not open for further replies.

Users who are viewing this thread

Total: 2 (members: 0, guests: 2)
☀️  Switch to Light Theme

Latest posts

Top