Following the White Rabbit - A Practical Security Blog
Welcome! Let's follow the White Rabbit down the Web Application Security rabbit-hole... This blog is less about awesome h@><0ring and more about practical, real-world web app security measure and counter-measures. If you're looking for a blog to relate to your day-job - this may just be it. As long as you're here, bookmark (Ctrl + D) it, drop it in your reader and leave a comment!

Episode 29 - "Grade A+ Broken"

These days, schools run tons of web applications both internally, and externally.  Every once in a while you pick up the paper, or read the trade magazines, or look at Twitter and see that some kid is getting blamed for hacking a web app and changing their grade, or some other thing.  After reading this last email I started to wonder about some of you readers ... seriously.  I really hope this reader did the right thing and told someone (I recommend anonymously, as the consequences of a misunderstanding could be expulsion or prosecution!) about this bug ... because after I write it up here you're all going to run out and try it in your school.  Here it is ...(edited for political correctness and anonymity - face it if I told you too much info about this app you'd be hacking in minutes).


I go to school.  A few months ago they put in a new system for the teachers to use.  It's called and is just a bunch of Flash stuff in a big mashed-up page.  The teachers and students all log onto the same page and then either click on the "Student Access" or "Teacher Access" apps.  My friends and I were sitting in the lab and no one was around so we started playing with the teacher app.  I saw the talk on "hacking flash apps" you did and downloaded some Flash decompile tools to see what we could find.

---- I feel I need to chime in here and say that I don't, and never have, condoned use of any of the tools or techniques I've described for evil purposes...

(we continue...) The Flash app didn't have any super-obvious vulns but I did find a call to an XML file, on a file-server  that was hard-coded into the app.  The XML file was on one of those " $ shares " since it was Windows, and I looked at the file.  The XML file must be a config file or something because it had a bunch of other network shares.  Looking at those network shares - I found the pot at the end of the rainbow.  The stuff in there were files named like "homework_Bio430_091209.xls".  You can probably guess that these files had the answers to all the homework.

The web app told me where to find all the network shares (hidden network shares, like \\mtlfs0010\BIO430$) in some place where no one would have looked before, and it's all thanks to the app in Flash!


YIKES... Kids these days huh?  I really hope this person did the right thing and reported the bug anonymously so the administration could have the dev company fix the product, change permissions on the shares - anything - to keep the semester from being "too easy".


Labels: 30_in_30| OOPS
Showing results for 
Search instead for 
Do you mean 
About the Author
Rafal "Raf" Los, is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging t...

Follow Us
Follow the White Rabbit on Twitter! Home
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.