Updated: 3/18/2006, 1:00PM EST

Recommendations updated (#6), as users seem to be having trouble finding vulnerabilities.

Check the change log at the bottom of the page for earlier updates.

1. E-Auction

http://129.22.151.168:8080/ws1Client/sampleManageUserProxy/TestClient.jsp

2. E-Social

http://129.22.150.217:8080/ws2Client/sampleManageUserProxy/TestClient.jsp

3. E-Poker

http://129.22.151.38:8080/ws3Client/sampleManageUserProxy/TestClient.jsp

Recommendations:

1. Register two or more accounts.

2. Keep two or more browsers open while using each service. This lets you act as two different users and perform interactions (one account creates a listing, the other account places a bid).

3. Use Find (Ctrl-F, or Apple-F) to locate the method names you wish to invoke. Use the API summary, method_summary.htm, where the methods are grouped in a more readable fashion. I'm not sure why the auto-generated client jumbled up all the method names, but I'll try to fix it.

4. If you are unsure of a parameter's type, each parameter's data type is listed in the parentheses after the method name. For example:

createEventMessage(java.lang.String,java.lang.String,long,java.lang.String,java.lang.String,boolean)

    #   Parameter Name   Parameter Type
    1   user_name        String
    2   password         String
    3   event_id         Long (integer type)
    4   subject          String
    5   contents         String
    6   public_view      Boolean (valid input: true or false)

Note that the parameter information API lists this as well (for each web service).

5. Most (not all) vulnerabilities have a textual addition indicating exploitation. Example:

No vulnerability exploited: Bid History: [5, 10, 15].

Vulnerability exploited: Bid History: [5, 10, 15]*.

6. As a starting point, look at numeric parameters. What are the ranges of values that a programmer may forget to check or validate? Specifically, I used the absolute value method for a lot of the vulnerabilities.

7. In E-Auction, there might be ways of doing things after the auction has ended; refer to point 6. Look at BuyItNow auctions specifically. Also, look for additional information about bids or listings; refer to point 6.

8. In E-Social, requesting relationships is a powerful feature. But this is the only vulnerability that exploits a problem with passwords; can you guess what it is? Refer to point 6 for joining groups and events. Try viewing messages or searching for other users with hint 6 in mind. Also, try blocking and unblocking other people; vulnerabilities are activated there.

9. In E-Poker, try various table functions multiple times in a row. Also, isn't it strange that I have overloaded game and table functions (ones with the table id, and ones with the table id and the seat id)? The chat method has some extra features. Learn some poker lingo and look at the parameters used in setting up the game (limit structure, small blind, big blind, ante amounts, etc.)!

Common Interfaces

Registration – registerUser()

Enter a user id, password, name, and email address. You will need to register with each web service, as registrations are separate. Multiple registrations per email address are allowed (and encouraged). Registration email addresses should correspond to the entry email address (the email address that will be sending the screen shots). If you forget your password, just create a new account.

loginUser()

This method DOES NOT count toward the "vulnerability" count. (Thanks to Ben Chodroff & John Wagster for bringing this to my attention.) Prior to invoking any web service method (except registerUser() and loginUser()), this method is invoked to make sure the login information is correct.

I. E-Auction

Reference: http://www.ebay.com

A sample use case (sequence of actions) for this service is available here: use_case.htm

A. Creating a listing – createStandardAuction(), createSilentAuction(), createBuyItNow()

Three different types of listings are available. Note that the close days, hours, minutes, and seconds refer to the length of time during which bids can be placed. The future time attributes refer to the cutoff time until which a bid can be proxied. Listing types correspond as follows:

StandardAuction is similar to an eBay style auction. Users place bids, with the highest bidder winning the listing.

SilentAuctions are like standard auctions except that bids cannot be seen until the listing has closed.

BuyItNow auctions close after the first qualifying purchase.

Successful execution will return a long value, the listing's id number.

B. Create a bid – createBid()

It is best to examine the listingInfo() method for the auction that you wish

Bids can be placed at the current time, or at a time in the future before the end of the auction. Bids placed in the future are indicated by the execute variables. By placing 0s in each of these values, the bid is placed immediately.

Successful execution will return a long value, the bid's id number.

Retraction of bids and listings is provided as well: retractBid() and retractListing().
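
Recommendations 6 and 7 above point at unchecked numeric ranges and at actions that slip in after a listing has ended. The following is an added example, not the course's own code, showing the weak pattern beside a hardened createBid()-style check; the listing fields, bounds and method names are assumptions, since the service's implementation is not shown here:

```java
import java.time.Duration;
import java.time.Instant;

/** Added example (not the course's code): the checks a createBid()-style call needs server-side.
 *  Listing fields, parameter names and limits are hypothetical; the service's real schema is not shown. */
public final class BidValidation {
    /** Minimal listing state: when bidding opened, how long bids may be placed, current high bid. */
    record Listing(long id, Instant opensAt, Duration closeAfter, long currentHighBid) {
        Instant closesAt() { return opensAt.plus(closeAfter); }
    }

    /** Weak form: Math.abs() stands in for validation, so a negative amount is silently made positive
     *  instead of rejected (and Long.MIN_VALUE stays negative), and the execute delay is never checked. */
    static long acceptBidWeak(Listing l, long amount, long executeDelaySeconds) {
        long normalised = Math.abs(amount);
        if (normalised <= l.currentHighBid()) throw new IllegalArgumentException("bid too low");
        return normalised;                           // executeDelaySeconds ignored: may land after closesAt()
    }

    static final long MAX_BID = 1_000_000_000L;                       // hypothetical upper bound
    static final long MAX_DELAY_SECONDS = Duration.ofDays(30).toSeconds();

    /** Hardened form: every numeric parameter is range-checked and rejected (not "fixed") when bad,
     *  and the time at which the bid would execute must fall inside the listing's bidding window. */
    static long acceptBid(Listing l, long amount, long executeDelaySeconds, Instant now) {
        if (amount <= 0 || amount > MAX_BID)
            throw new IllegalArgumentException("bid amount out of range: " + amount);
        if (amount <= l.currentHighBid())
            throw new IllegalArgumentException("bid must exceed current high bid");
        if (executeDelaySeconds < 0 || executeDelaySeconds > MAX_DELAY_SECONDS)
            throw new IllegalArgumentException("execute delay out of range: " + executeDelaySeconds);
        Instant executeAt = now.plusSeconds(executeDelaySeconds);   // 0 means "place the bid now"
        if (now.isBefore(l.opensAt()) || !executeAt.isBefore(l.closesAt()))
            throw new IllegalStateException("bid would execute outside the bidding window");
        return amount;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2006-03-18T18:00:00Z");          // constructed clock
        Listing l = new Listing(42L, now.minus(Duration.ofHours(1)), Duration.ofHours(2), 15L);
        System.out.println("weak, amount -20: " + acceptBidWeak(l, -20L, 0L));        // accepted
        System.out.println("weak, delay 10 days: " + acceptBidWeak(l, 20L, 864_000L)); // accepted
        System.out.println("hardened, valid: " + acceptBid(l, 20L, 60L, now));
        for (long[] bad : new long[][] {{-20L, 0L}, {20L, 864_000L}}) {
            try { acceptBid(l, bad[0], bad[1], now); }
            catch (RuntimeException e) { System.out.println("hardened rejected: " + e.getMessage()); }
        }
    }
}
```

The point for the defender is that Math.abs() discards the sign that should have triggered a rejection, and that a delayed execution time is part of the input and must be compared against the listing's close time, not just stored.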

C. Bid or Listing Information – bidInfo() and listingInfo()

Current bid or listing information is provided by the appropriate info() methods. Descriptions of each string element are contained in the appropriate infoDescriptions() methods.

D. Make your listing more viewable: Use Keywords and Categories

Keywords and Categories can be searched, added, or deleted via the appropriately named add(), delete(), and search() methods. Currently, categories are just numerical entries. Keywords can be searched only for exact phrases. Searches return the listing ids that match the given search criteria.


II. E-Social

Reference: http://www.facebook.com

A. Create a Profile – registerUser()

A new profile is created per registration, and a number is returned representing the unique profile id. Each profile can be modified to include various personal data, such as favorite interests and contact information. This is done via the updateProfile() function.

 

B. Update Profile – updateProfile()

Users can add or modify information as follows: examine the social_info.htm file for the specific attribute to update, find the corresponding attribute, and then enter the text to change it to.

For example, to add my address:

    User Name:      name
    User Password:  password
    Attribute:      address
    Text:           10 My Address Way

Refer to social_info.htm for all available attributes.

C. View Profile – profileInfo() and profileSelfInfo()

The profileInfo() method displays the profile of the requested user, subject to that user's current security settings. profileSelfInfo() provides the logged-in user's own personal information.

D. Search for Other Users

Profile information can be searched via the searchParameters() method. Whether an attribute is searchable is listed in social_info.htm under the search column (yes = searchable, no = not searchable).

E. Security Settings

Profile data is grouped into various categories. Attached is a mapping from attribute to security setting. Values range from 0 to 5, where 0 is private and 5 is public. Settings can be modified via changeSecurity().

Setting: reference the table in social_info.htm under the column named security.

Values:
    0 – private information (only viewable to self)
    1 – information under the setting available to mutual friends
    2 – information under the setting available to friends
    3 – information under the setting available to friends of friends
    4 – information under the setting available to friends of friends
    5 – public information

Example: to allow only friends, mutual friends, and self to see my address.

    User Name:      name
    User Password:  password
    Setting:        basic
    Value:          2

Refer to social_info.htm for all available attributes.

F. Events and Groups

Users can create, join, or request to join groups or events. Creation of a group or event will return a unique group or event id respectively.

Public Events/Groups – use the attendEvent() or joinGroup() method.

Private Events/Groups –

1. Non-owners: Users must request invites via requestInviteGroup() or requestInviteEvent() with the event or group id as parameter. The user who created the event or group must approve. rejectEvent()/leaveGroup() remove the user from the event/group.

2. Owners: Owners can see who has requested an invite via the myPendingInvites() method. Approve invites with approveEventInviteRequest()/approveGroupInviteRequest().

The searchEvents() and searchGroups() methods allow searching for events and groups.

createEventMessage() and createGroupMessage() allow messages to be sent to event or group members.

G. Messages – createMessage(), viewMessageDetail(), myMessages()

Six variations exist, ranging from a message visible to one other user to messages visible to people related to the addressee: createPrivateMessage(), createMutualFriendsMessage(), createAllFriendsMessage(), createAllFriendofFriendMessage(), createFriendAssociatesMessage(), and createWallMessage().

myMessages() shows all message ids for a particular user.

viewMessageDetail() shows the actual contents of the message (if the viewing user has sufficient security privileges).

H. Relationships – myPendingInvites(), requestRelationship(), confirmRelationship(), denyRelationship(), removeRelationship(), blockRelationship(), unblockRelationship()

A sample use case (sequence of actions) for these methods is available here: use_case.htm

Relationships are used to grant other users permission to view additional information. They are also a public acknowledgement of a friendship between two users. Generally speaking, users who are friends, or friends of friends, of a user are able to view more information and increase their member points score. Users request a relationship with another user via requestRelationship(), and the other party can confirmRelationship() or denyRelationship(). A relationship can be removed by either member via removeRelationship(). Users can be blocked and unblocked via blockRelationship() and unblockRelationship().

Users can see who is requesting a confirmation via the myPendingInvites() method. It returns all user ids that are requesting a relationship with the user.

I. Header Methods: myMessageHeader(), etc.

Headers provide additional information about each result returned. Since results are returned as string arrays, the header columns give a brief description of the contents of the corresponding array position. For example, profileHeader[0] = "Name", while answer[0] = "My Name".

III. E-Poker

Rules of Texas Hold 'Em can be found here:

http://www.pokerstars.com/holdem.html

A sample use case (sequence of actions) for this service is available here: use_case.htm

Novice recommendation: A free Java poker client is available from http://www.pokerroom.com/. I strongly recommend using this to get a feel for playing Texas Hold 'Em Poker. This walkthrough assumes that basic knowledge; however, most of the 10 vulnerabilities do not require expert knowledge of poker. Try entering random chat phrases, there could be surprises (learn the lingo, look at parameter names, etc.).

A. Account Information – refillPlayChips(), depositRealMoney(), refillPlayMoney(), etc.

Users start with 1000 play chips and 0 real money dollars. Users can request up to 3 play money refills to 1000 play chips per half hour via refillPlayChips() when their chip count is below 100. Since there is no way to seed real money funds, real money can be deposited using the depositRealMoney() method. Funds can also be transferred via the transferPlayMoney() and transferRealMoney() methods.
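
The refill rule above (at most 3 refills to 1000 chips per half hour, and only while below 100 chips), as an added example in Java that is not the course's own code; the class, the lose() helper and the sliding-window bookkeeping are assumptions about how such a rule can be enforced so that calling it repeatedly in a row (recommendation 9) cannot exceed the quota:

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;

/** Added example (not the course's code): the refillPlayChips() rule as the walkthrough states it,
 *  written so that rapid repeated calls cannot exceed the quota. Class and method names are hypothetical. */
public final class PlayChipAccount {
    static final long START_CHIPS = 1000L;                  // users start with 1000 play chips
    static final long REFILL_TO = 1000L;                    // a refill sets the balance to 1000
    static final long REFILL_BELOW = 100L;                  // ...and is allowed only below 100 chips
    static final int MAX_REFILLS = 3;                       // at most 3 refills...
    static final Duration WINDOW = Duration.ofMinutes(30);  // ...per half hour (sliding window)

    private long chips = START_CHIPS;
    private final Deque<Instant> grants = new ArrayDeque<>(); // times of refills already granted

    synchronized long chips() { return chips; }

    /** Debits chips lost at a table; the balance can never go negative. */
    synchronized void lose(long amount) {
        if (amount < 0 || amount > chips) throw new IllegalArgumentException("bad debit: " + amount);
        chips -= amount;
    }

    /** Returns true if the refill was granted. Precondition, quota check and state update all happen
     *  under one lock, so two overlapping calls cannot both be granted on the same pre-refill balance. */
    synchronized boolean refillPlayChips(Instant now) {
        Instant cutoff = now.minus(WINDOW);
        while (!grants.isEmpty() && !grants.peekFirst().isAfter(cutoff)) {
            grants.pollFirst();                              // forget grants older than the window
        }
        if (chips >= REFILL_BELOW) return false;             // balance is not low enough
        if (grants.size() >= MAX_REFILLS) return false;      // quota for this window already used
        chips = REFILL_TO;
        grants.addLast(now);
        return true;
    }

    public static void main(String[] args) {
        PlayChipAccount acct = new PlayChipAccount();
        Instant t0 = Instant.parse("2006-03-18T18:00:00Z");  // constructed clock
        for (int i = 0; i < 4; i++) {                         // four refill requests within seconds
            acct.lose(acct.chips() - 50L);                    // drop the balance to 50 chips first
            System.out.println("attempt " + (i + 1) + ": " + acct.refillPlayChips(t0.plusSeconds(i)));
        }
        System.out.println("after 31 min: " + acct.refillPlayChips(t0.plus(Duration.ofMinutes(31))));
    }
}
```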

B. Create a table and wait for players to start a game – createTable()

Users call the createTable() method to create a table that other users can join. The table creator can set the game type (texas), bet limit restrictions (limit, pot limit, no limit), and other options. Once two players have joined a table, a game begins.

C. In-game Information – currentHandInfo(), currentSeatInfo(), currentGameInfo(), allQueues(), and availableActions()

As a hand progresses, the currentHandInfo(), currentSeatInfo(), currentGameInfo(), allQueues(), and availableActions() methods give information about the status of the current game and about the hand actions the user has placed in the queue.

D. Info on actions occurring so far – gameLogs() and tableLogs()

If you're not sure what actions have occurred (cards dealt, bets placed), use the gameLogs() and tableLogs() methods to obtain the past actions.

E. Game Functions: foldHand(), checkHand(), callHand(), betHand(), raiseHand()

Players perform actions such as bet, check, call, raise, and fold by logging in, entering their table id and optional seat id, and invoking the respective functions. There are also auto-functions; when set, these perform the action when it is the player's turn to act. Users can also add chips, leave a table, or sit out, either immediately or at the end of the current hand, by invoking the corresponding functions.

Games continue to be dealt until there are fewer than 2 active players waiting to play the next game. Users who end a hand with 0 chips will be placed in "sitting out" status.

F. Auto-functions: autoFold(), autoCheckFold(), autoCheck(), autoCheckCall(), autoBet()

Auto functions allow action to continue without having to wait for the users ahead of you to act. This speeds up play. If an auto function is set and the user's turn to act comes up, the queued method is invoked only if it is applicable in that situation. Otherwise, the user's turn is not passed. This is not an essential function to learn; it is provided as a convenience.

These queued actions are visible in the allQueues() method until they are automatically invoked.

G. Table Functions – sitOutTable(), sitInTable(), leaveTable(), addChips(), sitOutNextHand(), leaveTableNextHand(), addChipsNextHand()

If you run out of chips at a particular game, you will need to add chips from your account (if you have chips in the account). If you don't have chips in the account, use refillPlayChips() or depositRealMoney() respectively.

The ___NextHand() queued actions are visible in the allQueues() method until they are automatically invoked.

Change Log

3/9/2006 3:00PM – Created

3/10/2006 11:00PM – Added loginUser() method information to the Common Interfaces section