Wednesday, August 19, 2009

Fun with Http Headers in ASP.NET MVC Action Filters - Kazi Manzur Rashid's Blog

Do you want your ASP.NET MVC application to auto redirect to a specific url after a certain interval, yes you can use javascript window.location, what about without javascript? Check this codes:
view source
01.[AutoRefresh(ControllerName = "Home", ActionName = "About", DurationInSeconds = 10)]
02.public ActionResult Index1()
04.[AutoRefresh(ActionName = "About", DurationInSeconds = 15)]
05.public ActionResult Index2()
07.[AutoRefresh(RouteName = "ByFavoriteRoute", DurationInSeconds = 30)]
08.public ActionResult Index3()
10.[AutoRefresh(DurationInSeconds = 45)]
11.public ActionResult Index4()

If the browsers is idle for the specified period, it will automatically redirect to that Action. if you do not specify any action/controller/route (Index4) it will auto refresh the current url. How? Well I am just using/abusing some http header, check it out:
view source
01.[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
02.[AspNetHostingPermission(SecurityAction.Demand, Level = AspNetHostingPermissionLevel.Minimal)]
03.public class AutoRefreshAttribute : ActionFilterAttribute
05. public const int DefaultDurationInSeconds = 300; // 5 Minutes
07. public AutoRefreshAttribute()
08. {
09. DurationInSeconds = DefaultDurationInSeconds;
10. }
12. public int DurationInSeconds
13. {
14. get;
15. set;
16. }
18. public string RouteName
19. {
20. get;
21. set;
22. }
24. public string ControllerName
25. {
26. get;
27. set;
28. }
30. public string ActionName
31. {
32. get;
33. set;
34. }
36. public override void OnResultExecuted(ResultExecutedContext filterContext)
37. {
38. string url = BuildUrl(filterContext);
39. string headerValue = string.Concat(DurationInSeconds, ";Url=", url);
41. filterContext.HttpContext.Response.AppendHeader("Refresh", headerValue);
43. base.OnResultExecuted(filterContext);
44. }
46. private string BuildUrl(ControllerContext filterContext)
47. {
48. UrlHelper urlHelper = new UrlHelper(filterContext.RequestContext);
49. string url;
51. if (!string.IsNullOrEmpty(RouteName))
52. {
53. url = urlHelper.RouteUrl(RouteName);
54. }
55. else if (!string.IsNullOrEmpty(ControllerName) && !string.IsNullOrEmpty(ActionName))
56. {
57. url = urlHelper.Action(ActionName, ControllerName);
58. }
59. else if (!string.IsNullOrEmpty(ActionName))
60. {
61. url = urlHelper.Action(ActionName);
62. }
63. else
64. {
65. url = filterContext.HttpContext.Request.RawUrl;
66. }
68. return url;
69. }

Can’t think any proper usage of this action filter, may be you can use it for any iframe kind of page where you want to show some live statistics. Okay now let’s try one more time to abuse this Refresh header, this time it is a very common scenario.

You want your secured (marked as Authorized) actions to automatically redirect to login page when the session expires. Now try this:
view source
01.[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
02.[AspNetHostingPermission(SecurityAction.Demand, Level = AspNetHostingPermissionLevel.Minimal)]
03.public class AutoRedirectToLogin : ActionFilterAttribute
05. public override void OnResultExecuted(ResultExecutedContext filterContext)
06. {
07. string url = FormsAuthentication.LoginUrl;
08. int durationInSeconds = ((filterContext.HttpContext.Session.Timeout * 60) + 10); // Extra 10 seconds
10. string headerValue = string.Concat(durationInSeconds, ";Url=", url);
12. filterContext.HttpContext.Response.AppendHeader("Refresh", headerValue);
14. base.OnResultExecuted(filterContext);
15. }

When the session expires it will automatically redirect to the login page without requiring the extra click from the user.

Word of Caution: Do not use the Refresh meta header if you want your url to include in the search engine index (verified in Google, not sure about the others). For example, your Page A wants to auto redirect to Page B, the Page A only has this header, in that case Page A will not be indexed.

Saturday, August 1, 2009

Black Hat 2009: Parking meter hacking - Hack a Day

For day two of Black Hat, we sat in on on [Joe Grand], [Jacob Appelbaum], and [Chris Tarnovsky]’s study of the electronic parking meter industry. They decided to study parking meters because they are available everywhere, but rarely considered from a security perspective.

They focused on the San Francisco’s MTA implementation of electronic smart card meters. To start they purchased several meters on eBay just to see the different styles. SF MTA lets you purchase disposable payment cards with values of $20 or $50. They decided to sniff the interaction between the meter and the smartcard using a shim. With that first capture they were able to easily replay the transaction. This didn’t require a smartcard reader, just an oscilloscope. They then took the attack a little further.

[Joe] built a smartcard emulator using a PIC16F648A. They used it to capture multiple transactions and then decoded the interactions by hand. Luckily, the card was using the IEC 7816 standard so they had some insight into the protocol. They found that the card has a stored maximum value and only writes how many times the value has been decremented. As a proof of concept, they change the maximum value, which you can see on the meter above. They could also have just changed the acknowledgement so that the card never writes any deductions.

The PIC16F648A was a good choice because it’s available in a smart card format called a ‘silver card‘. You can find the emulator code and slides from the talk on [Joe]’s site about the project.