Following the White Rabbit - A Practical Security Blog
Welcome! Let's follow the White Rabbit down the Web Application Security rabbit-hole... This blog is less about awesome h@><0ring and more about practical, real-world web app security measures and counter-measures. If you're looking for a blog to relate to your day-job - this may just be it. As long as you're here, bookmark (Ctrl + D) it, drop it in your reader and leave a comment!

Episode 27 - "How to DoS an Airplane"

I fly all the time, so seeing someone send this in bugs me, although now I'm tempted to figure out WHO this company is...


Someone sent this in to me "anonymously" and probably with pretty good reason - this is a pretty silly and potentially devastating vulnerability in a web app.  The scary thing is that vulnerabilities like this exist all around in these AJAX-type applications ... I wonder if there are more of these?


------


Testing a web application is always interesting.  Sometimes you find subtle defects that may not ever be found by automated testing methods and it's those defects that can effectively stop business.  Take this example ... DoS'ing an entire plane.  I'm speaking about the ability to cause an entire plane to fly without passengers but appear full.


I found one such defect in a heavily client-loaded application a few months ago while testing.  The process of testing the application involved testing the reservation system for the airline industry.  It's interesting that the process of reviewing a functional specification was mentioned in your talk because that's exactly what I was doing.  After the scanners and penetration testers were done with the app I took one more look at the application since there was a half-day left in the testing cycle and everything else was done.


Browsing the application and reading through the functional spec I found a piece of functionality that interested me.  In the process of reserving a flight the application would fire off a request in the background to the server to reserve my seat while I paid for it.  The seat was held (according to the system policy) for 10 minutes while I had a chance to pay for the flight.  What I found is that I could easily replicate the AJAX request (sort of like CSRF'ing the application) for a seat hold several times ... over and over until I received an error that the flight was full.  Of course, since this was a test application the back-end was acting as it would in production and since I knew no one else was reserving seats on this "demo" flight I knew I was onto something.  If I could simply send a stream of continuous requests against an arbitrary flight - I could effectively take up the whole plane for 10 minutes at a time without actually buying a seat.


Could I keep a flight "ghostly full" for real?  I tested the system after I asked the administrators to reset the flight to empty ... and sure enough it filled up again when my script ran.  I told the developers and manager of the project.  When they asked me if it was a security bug I explained it was a business logic bug that could cost the company a lot of money and possibly empty planes being scheduled.


They fixed the bug after I demonstrated it to them ... good thing I had that extra half-day of testing huh?


------


Excellent find, "anonymous" ... the fact that this is something that would have gone live without your intervention is scary.  Maybe we should start randomly checking the airline industry reservation systems?  (Note: I don't condone this in any capacity!  Test your own systems first...)


Great find ...Whoops!  I DoS'd a plane!
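To make the submitter's finding concrete from the defender's side, here is an added example (not the airline's code, and not from the blog) that models the 10-minute seat hold: the vulnerable service, where every background "hold my seat" request takes another seat with no link to the session that sent it, next to a hardened version that keys the hold on (session, flight) and caps seats per session, plus a small check that would have flagged the replay in an audit log. Flight and session identifiers, the per-session cap and the capacity figure are constructed for the demo.

```python
"""Seat-hold replay: the vulnerable hold logic next to a hardened version.

Added example, not the airline's or the blog's code. It models the 10-minute
seat hold from the post with constructed flight and session identifiers so the
replay failure mode and its mitigation can be run offline.
"""
from dataclasses import dataclass, field

HOLD_SECONDS = 600            # the 10-minute hold policy described in the post
MAX_SEATS_PER_SESSION = 4     # assumed cap (party size); not a real airline rule


@dataclass
class Hold:
    session: str
    flight: str
    seats: int
    expires_at: float


@dataclass
class VulnerableHoldService:
    """Every background 'hold my seat' request takes a seat, with no link to
    the session that sent it, so replaying it drains the flight."""
    capacity: dict                      # flight -> free seats (constructed)
    holds: list = field(default_factory=list)

    def _expire(self, now):
        """Release holds whose 10 minutes are up, returning their seats."""
        live = []
        for h in self.holds:
            if h.expires_at <= now:
                self.capacity[h.flight] += h.seats
            else:
                live.append(h)
        self.holds = live

    def hold_seat(self, session, flight, now, seats=1):
        self._expire(now)
        if self.capacity[flight] < seats:
            raise RuntimeError("flight full")
        self.capacity[flight] -= seats
        self.holds.append(Hold(session, flight, seats, now + HOLD_SECONDS))
        return True                     # a new hold was created


class HardenedHoldService(VulnerableHoldService):
    """Same policy, but a hold is keyed by (session, flight): a replayed
    request refreshes the existing hold instead of taking more seats, and one
    session can never hold more than MAX_SEATS_PER_SESSION seats."""

    def hold_seat(self, session, flight, now, seats=1):
        self._expire(now)
        if not 1 <= seats <= MAX_SEATS_PER_SESSION:
            raise ValueError("invalid seat count")
        for h in self.holds:
            if h.session == session and h.flight == flight:
                h.expires_at = now + HOLD_SECONDS   # idempotent: renew, don't add
                return False
        if self.capacity[flight] < seats:
            raise RuntimeError("flight full")
        self.capacity[flight] -= seats
        self.holds.append(Hold(session, flight, seats, now + HOLD_SECONDS))
        return True


def replay_holds(service, session, flight, attempts, now=0.0):
    """Send the same hold request `attempts` times, as the submitter's test
    script did. Returns (new holds created, seats still free)."""
    created = 0
    for _ in range(attempts):
        try:
            if service.hold_seat(session, flight, now):
                created += 1
        except RuntimeError:            # 'flight full': the plane is ghostly full
            break
    return created, service.capacity[flight]


def sessions_over_cap(service):
    """Detection check over the live holds of a service like the vulnerable
    one: sessions holding more seats on one flight than any real booking."""
    totals = {}
    for h in service.holds:
        key = (h.session, h.flight)
        totals[key] = totals.get(key, 0) + h.seats
    return sorted(key for key, n in totals.items() if n > MAX_SEATS_PER_SESSION)


if __name__ == "__main__":
    for cls in (VulnerableHoldService, HardenedHoldService):
        svc = cls(capacity={"DEMO-100": 150})    # constructed demo flight
        print(cls.__name__, replay_holds(svc, "sess-A", "DEMO-100", 500),
              sessions_over_cap(svc))
```

Run as-is, the vulnerable service hands out 150 holds to one session and reports the flight full, while the hardened one creates a single hold and treats the other 499 requests as renewals. The per-session total in `sessions_over_cap` is the kind of metric a booking system should already be able to answer from its logs: the holds expire on their own after 10 minutes, so a single snapshot of live holds per session is enough to spot the pattern without blocking legitimate multi-seat bookings.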

Labels: 30_in_30| OOPS
About the Author
Rafal "Raf" Los, is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging t...