
Malaysia Election 2008

As the election is just around the corner, I suddenly felt the need to check my status. So I jumped in here and keyed in my details. Luckily, the system generated this:

MEDAN KETERANGAN
Kad Pengenalan : xxxxxxxxxxxx
Nama : KHAIRUL EFEEZA BIN ISMAIL
Tarikh Lahir : xx xxx xxxx
Jantina : LELAKI
Lokaliti : 131 / 25 / 03 / 002 – TTJ TMN TUANKU JAAFAR
Daerah Mengundi : 131 / 25 / 03 – TAMAN TUANKU JAAFAR
DUN : 131 / 25 – PAROI
Parlimen : 131 – REMBAU
Negeri : NEGERI SEMBILAN
Status Rekod : DATA INI UNTUK SEMAKAN DAFTAR PEMILIH

At last!! I could select who I should pick.. Hmm, suddenly I would like to see how lousy their programmer is. It didn't take me long, as I found a HUGE FLAW on their website. As this is being used as a cross-reference Malaysia-wide, it's good to have this application SECURE!!

As I get money by telling people how bad their website is, here is some documentation (can't reveal all due to security reasons!)

1) Form validation – do not use JAVASCRIPT!!
This is the main error many web developers neglect.

    function submitted() {
        stripSpaces();

        // Trim leading and trailing non-word characters from the IC field.
        function stripSpaces() {
            var x = document.def.txtIC.value;
            document.def.txtIC.value = (x.replace(/^\W+/, '')).replace(/\W+$/, '');
        }

        // The only check on the input: the field must not be empty.
        // (Alert text: "Please enter your identity card number".)
        if (document.def.txtIC.value == "") {
            alert("Sila masukkan No. kad pengenalan anda");
        } else {
            document.def.txtSub.value = "Submitted";
            document.def.submit();
            document.def.CETAK.enabled();
        }
    }

    function count(CntValue) {
        document.def.txtSerial.value = CntValue;
    }

This obviously reveals the parameters involved. Instead, they should evaluate the form inside the ASP code, so that people cannot see which parameters are involved. From here, anyone with minimal web skills already knows where to tweak.

2) No input validation inside the ASP code
As they rely on obvious JavaScript validation, we could try a well-known SQL penetration test. I won't reveal the process here unless they have fixed this "unskilled" error. To conclude, here is the output.

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword '******'.
/daftar.asp, line 60

From here we could test SQL penetration.
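The fix for both points, as an added example that is not code from the original post or from the SPR site: the format check is repeated on the server and the lookup uses a parameterized query. It uses Python with an in-memory SQLite database as a stand-in for the site's ASP and SQL Server; the table, column and function names, the sample row and the 12-digit IC format are assumptions.

```python
import re
import sqlite3

# Assumption: an IC number is exactly 12 digits (the page masks it as 12 x's).
IC_PATTERN = re.compile(r"[0-9]{12}")


def make_db():
    # Constructed sample row; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (ic TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO voters VALUES ('800101051234', 'SAMPLE VOTER')")
    return db


def lookup_concatenated(db, ic):
    # Flawed pattern: input is pasted into the SQL text, so a stray quote
    # changes the statement and the database reports a syntax error.
    return db.execute("SELECT name FROM voters WHERE ic = '" + ic + "'").fetchone()


def lookup_hardened(db, ic):
    # Format check on the server: it applies even if browser JavaScript is skipped.
    ic = ic.strip()
    if not IC_PATTERN.fullmatch(ic):
        return ("rejected", None)
    # Parameterized query: the value travels separately from the SQL text.
    row = db.execute("SELECT name FROM voters WHERE ic = ?", (ic,)).fetchone()
    return ("found", row) if row else ("not found", None)


def demo():
    db = make_db()
    results = {"hardened_ok": lookup_hardened(db, " 800101051234 "),
               "hardened_quote": lookup_hardened(db, "8001'01051234")}
    try:
        lookup_concatenated(db, "8001'01051234")
        results["concatenated_quote"] = "no error"
    except sqlite3.OperationalError as exc:
        results["concatenated_quote"] = "database error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Detailed database errors like the one quoted above should also be logged on the server rather than returned to the visitor.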

TO CONCLUDE: THIS WEBSITE IS NOT SECURE AT ALL!! PLEASE REDO YOUR WORK LAZY WEBMASTER!!

 

4 Responses

  1. I also ran into the same problem as you,
    but I was using IE Tab for Firefox
    because SPR recommends:

    ATTENTION!! PLEASE USE INTERNET EXPLORER (IE) SOFTWARE IF YOU WISH TO CHECK THE ELECTORAL ROLL.

    but when I use Firefox and also IE
    there is no problem

    I didn't expect Google to be able to find
    document.def.CETAK.enabled();

    and on top of that it found only one result, which is your blog

  2. Amin,
    For your info, it's not a problem. It's a security flaw in the SPR website system. I could start doing SQL INJECTION (see http://www.krazl.com/blog/?p=4 and http://www.krazl.com/blog/?p=3). I will not reveal the 'how-to' process, but many white and black hackers will agree this is a flaw.

    It seems you have an interest in IT security. Please do share your knowledge with me. Thanks

    krazl

  3. Thank you for your response.
    I thought it might be some problem with the JavaScript,
    but the SQL INJECTION part is what I don't really understand.

    I tried doing it on my own system
    but it didn't get through.
    Is it related to PHP or MySQL,
    or to the logic of the PHP code?
