Exploiting Insecure Cookie Handling in Proxyroll.com Clone PHP Script

What this paper is
This paper details a vulnerability found in a specific PHP script designed to clone the functionality of Proxyroll.com. The vulnerability lies in how the script handles user cookies, specifically related to payment processing. The author, DigitALL, demonstrates how an attacker can manipulate cookie values to alter transaction amounts, effectively defrauding the system.
Simple technical breakdown
The core issue is that the script doesn't properly validate or secure the currency_code cookie. When a user interacts with the payment process (specifically, clicking a PayPal button on advertise.php), the script relies on this cookie to determine the currency for the transaction. By intercepting and modifying this cookie using a tool like Firefox's Tamper Data, an attacker can change the displayed and processed currency, inflating the perceived value.
For example, if the legitimate price is $1, an attacker could change the currency_code to something that the script interprets as a much higher value, like "99".
Complete code and payload walkthrough
The provided "code" is not traditional executable code but rather a description of an attack vector using a web proxy tool.
- "This Site Go To /advertise.php and Paypal Buton Click": This describes the initial user action. The target is the advertise.php page, and the vulnerability is triggered when the user clicks a PayPal button, initiating a transaction.
- "and Firefox Tamper Data Open then": This indicates the tool used to intercept and modify HTTP requests. Tamper Data is a Firefox extension that allows users to view and alter requests and responses.
- "a3 = Value": This is a placeholder representing a variable or parameter within the HTTP request or cookie that holds a value. The paper doesn't explicitly state what a3 is, but it's implied to be related to the transaction amount or a multiplier.
- "currency_code = USD or STERLİN or LİRA": This shows the legitimate values that the currency_code cookie might hold, i.e. the currencies the script accepts (US dollar, pound sterling and Turkish lira).
- "Your 1 $ ==== They 99 $ good jobs :)": This is the core of the exploit's outcome. It illustrates that by manipulating the currency_code (or a related parameter like a3), an attacker can change a $1 transaction into what appears to be a $99 transaction from the perspective of the script's processing logic. The exact mechanism of how currency_code translates to a multiplier of 99 is not detailed, but it's implied that the script incorrectly uses this value in its calculations.
Mapping list:
- advertise.php -> Target page where the exploit is initiated.
- Paypal Buton Click -> User action that triggers the vulnerable process.
- Firefox Tamper Data -> Tool used for intercepting and modifying HTTP traffic.
- a3 = Value -> Unknown parameter, likely related to transaction value or multiplier.
- currency_code = USD or STERLİN or LİRA -> Legitimate cookie values representing currency.
- Your 1 $ ==== They 99 $ -> The outcome of the exploit: inflating transaction value.
There is no shellcode or executable payload provided in the original source. The exploit relies entirely on manipulating HTTP cookies via a proxy tool.
Practical details for offensive operations teams
- Required Access Level: Low. This exploit targets a web application and can be initiated by any user who can interact with the advertise.php page and its payment functionality. No elevated privileges on the server are required.
- Lab Preconditions:
  - A running instance of the vulnerable Proxyroll.com clone PHP script.
  - A web browser (e.g., Firefox) with the Tamper Data extension installed.
  - A method to interact with the advertise.php page and initiate a payment.
- Tooling Assumptions:
  - Web Proxy Tool: Tamper Data (or similar tools like Burp Suite, OWASP ZAP) is essential for intercepting and modifying HTTP requests.
  - Browser: A browser capable of running the proxy tool.
- Execution Pitfalls:
  - Incorrect Parameter Identification: The paper is vague about the exact parameter (a3 or currency_code) and its precise role. Identifying the correct cookie or POST parameter to modify is crucial. This might require detailed analysis of the HTTP traffic during the payment process.
  - Server-Side Validation: If the server-side script performs robust validation on the currency code or the resulting transaction amount after the cookie manipulation, the exploit might fail. For instance, if the actual payment gateway has its own currency validation, the manipulated value might be rejected.
  - Dynamic Pricing/Currency: If the script uses dynamic pricing or currency conversion that is not solely dependent on the currency_code cookie, this specific exploit might not work as described.
  - Logging and Monitoring: The attacker's actions (manipulating cookies) might be logged by the web server or application, leading to detection.
- Expected Telemetry:
  - Unusual HTTP requests originating from the attacker's IP address, specifically targeting advertise.php and its associated payment processing endpoints.
  - Modified Cookie headers in HTTP requests, containing altered currency_code or related parameters.
  - Potentially, failed payment transactions if server-side validation catches the manipulation.
  - Logs on the web server indicating requests with unusual cookie values.
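As an added example (not from the paper or from the clone script), the following Python turns the telemetry above into a concrete log check: it parses access-log lines that carry the request's Cookie header and flags currency_code values outside the allowlist and a3 values that are malformed or differ from the advertised price. The log format (combined log with the Cookie header as a final quoted field), the sample lines and the expected a3 amount of 1 are constructed assumptions; the currency allowlist uses the values the paper lists as legitimate.

```python
"""Flag payment requests whose cookies carry unexpected values.

Added illustration; the log format, sample lines and expected price are
constructed, not taken from the Proxyroll clone or the Exploit-DB paper.
"""
import re
from urllib.parse import unquote

# The currency_code values the paper lists as legitimate.
ALLOWED_CURRENCIES = {"USD", "STERLİN", "LİRA"}

# Assumed from the paper's "$1" legitimate price; a real rule would take
# the expected amounts from the shop's own catalogue.
EXPECTED_A3 = {"1", "1.00"}
AMOUNT_RE = re.compile(r"^\d+(\.\d{1,2})?$")

# Constructed format: combined access log with the request's Cookie header
# appended as a final quoted field (e.g. Apache LogFormat ... "%{Cookie}i").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<cookie>[^"]*)"$'
)

# Constructed sample lines: a normal visit, a tampered amount, a legitimate
# LİRA purchase, a tampered currency, and a bogus cookie on another page.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2010:10:15:01 +0000] "GET /advertise.php HTTP/1.1" 200 4112 "currency_code=USD; a3=1"
203.0.113.5 - - [02/Jan/2010:10:15:09 +0000] "POST /advertise.php HTTP/1.1" 302 0 "currency_code=USD; a3=99"
198.51.100.7 - - [02/Jan/2010:10:16:30 +0000] "POST /advertise.php HTTP/1.1" 302 0 "currency_code=LİRA; a3=1"
198.51.100.9 - - [02/Jan/2010:10:17:02 +0000] "POST /advertise.php HTTP/1.1" 302 0 "currency_code=99; a3=1"
192.0.2.33 - - [02/Jan/2010:10:18:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "currency_code=bogus"
"""


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into a name -> value dict (first value wins).

    Values are percent-decoded so that encoded non-ASCII names such as
    LİRA compare equal to the allowlist entries.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name not in cookies:
            cookies[name] = unquote(value.strip())
    return cookies


def check_cookies(cookies: dict) -> list:
    """Return a list of human-readable reasons why this cookie set looks tampered."""
    reasons = []
    cur = cookies.get("currency_code")
    if cur is not None and cur not in ALLOWED_CURRENCIES:
        reasons.append(f"currency_code {cur!r} not in allowlist")
    amt = cookies.get("a3")
    if amt is not None:
        if not AMOUNT_RE.match(amt):
            reasons.append(f"a3 {amt!r} is not a well-formed amount")
        elif amt not in EXPECTED_A3:
            reasons.append(f"a3 {amt!r} differs from the advertised price")
    return reasons


def scan_log(text: str) -> list:
    """Scan log text and return one finding per request with suspicious cookies."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the expected format; a real job would count these
        reasons = check_cookies(parse_cookies(m["cookie"]))
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"], "; ".join(finding["reasons"]))
```

Flagging on the cookie alone is deliberately noisy: a legitimate user cannot produce a currency_code outside the allowlist, so any hit is either tampering or a bug in the site's own cookie-setting code, and both are worth a ticket. The a3 rule depends on knowing the real price, which is why it is the part a deployment has to adapt.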
Where this was used and when
- Context: This vulnerability was described in the context of a "Proxyroll.com Clone PHP Script." This implies it was likely found in custom-built or pirated versions of the Proxyroll.com website, rather than the official site itself.
- Timeframe: The paper was published on January 2, 2010. Therefore, this exploit was relevant around 2010. It targets older PHP web application development practices.
Defensive lessons for modern teams
- Never Trust Client-Side Data: Any data sent from the client (browser) that affects critical operations like pricing, authentication, or authorization must be strictly validated on the server. Cookies, form parameters, and URL parameters are all untrusted.
- Robust Input Validation: Implement comprehensive validation for all input, especially values that influence financial transactions. This includes checking for expected formats, ranges, and logical consistency.
- Secure Session Management: While this exploit focuses on cookies for transaction data, general secure session management practices (e.g., using secure, HttpOnly cookies, regenerating session IDs) are crucial.
- Use Established Payment Gateways Securely: If integrating with payment gateways, ensure that the gateway itself handles the final currency and amount validation. Do not rely on client-side or application-level manipulation of these values.
- Regular Security Audits: Conduct regular code reviews and penetration tests, especially for custom-built web applications, to identify vulnerabilities like insecure handling of sensitive data.
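The breakdown above says the script bills whatever the currency_code (and possibly a3) cookie tells it; the lessons here say the server must decide price and currency itself. The following Python, added here as an illustration and not the clone's PHP (which the paper does not reproduce), puts the two patterns side by side: a checkout that copies amount and currency from the client, and one that takes the product from the server-side session, validates the requested currency against an allowlist, and computes the amount from a server-held catalogue and rate table. The catalogue, the rates, the product ids and the function names are all constructed assumptions; the currency allowlist uses the values the paper lists as legitimate.

```python
"""Client-trusted price vs. server-determined price.

Added illustration; the catalogue, rates and names are constructed and
the code is not the Proxyroll clone's own.
"""
from decimal import Decimal, ROUND_HALF_UP

# The currency_code values the paper lists as legitimate.
ALLOWED_CURRENCIES = {"USD", "STERLİN", "LİRA"}

# Constructed catalogue: the server, not the client, knows what each item costs (USD).
CATALOGUE = {
    "ad_slot_basic": Decimal("1.00"),
    "ad_slot_featured": Decimal("5.00"),
}

# Constructed rate table; a real deployment refreshes this from a trusted source.
RATES_FROM_USD = {
    "USD": Decimal("1"),
    "STERLİN": Decimal("0.62"),
    "LİRA": Decimal("1.50"),
}


class CheckoutError(ValueError):
    """Raised when client-supplied data fails validation; nothing is billed."""


# --- Vulnerable pattern: amount and currency are copied from the cookie -------
def vulnerable_checkout(cookies: dict) -> dict:
    """Mirrors the flaw the paper describes: whatever the cookie says is billed.

    A tampered cookie such as currency_code=99; a3=99 flows straight into
    the transaction, which is exactly the $1 -> $99 outcome in the paper.
    """
    return {
        "currency": cookies.get("currency_code", "USD"),
        "amount": Decimal(cookies.get("a3", "1")),
    }


# --- Hardened pattern: the client only expresses a preference ----------------
def hardened_checkout(product_id: str, requested_currency: str) -> dict:
    """Compute the charge server-side; the client never supplies an amount."""
    # 1. Currency must be one the server issued. Unknown values are rejected,
    #    never coerced or used in arithmetic.
    if requested_currency not in ALLOWED_CURRENCIES:
        raise CheckoutError(f"unsupported currency {requested_currency!r}")
    # 2. Price comes from the catalogue keyed by a product id the server chose.
    try:
        base_usd = CATALOGUE[product_id]
    except KeyError:
        raise CheckoutError(f"unknown product {product_id!r}") from None
    # 3. Convert with the server's own rate table and round to cents.
    amount = (base_usd * RATES_FROM_USD[requested_currency]).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP
    )
    return {"product": product_id, "currency": requested_currency, "amount": amount}


def handle_paypal_click(session: dict, cookies: dict) -> dict:
    """What the button handler on advertise.php should do (hypothetical shape).

    The product id lives in the server-side session; the cookie contributes
    only a currency preference, and even that is validated. The a3 cookie is
    ignored entirely.
    """
    return hardened_checkout(session["product_id"], cookies.get("currency_code", "USD"))


if __name__ == "__main__":
    tampered = {"currency_code": "99", "a3": "99"}  # constructed tampered cookie set
    print("vulnerable:", vulnerable_checkout(tampered))
    try:
        print("hardened:", handle_paypal_click({"product_id": "ad_slot_basic"}, tampered))
    except CheckoutError as err:
        print("hardened rejected request:", err)
```

The amount returned by the hardened path is the one passed to the payment gateway, and the order record the server keeps should be compared against the gateway's own payment notification before anything is fulfilled, which is what the "let the gateway do the final validation" lesson amounts to in practice.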
ASCII visual (if applicable)
This exploit is primarily about manipulating HTTP traffic. An ASCII visual can represent the interception process.
+-----------------+ +-----------------+ +-----------------+
| Attacker's |----->| Web Proxy Tool |----->| Target Server |
| Browser | | (Tamper Data) | | (advertise.php) |
| (Manipulates | | (Intercepts & | | (Vulnerable |
| Cookie) | | Modifies Req) | | Script) |
+-----------------+ +-----------------+ +-----------------+
^ |
| |
+--------------------------------------------------+
(HTTP Request with altered cookie)
Source references
- Exploit Title: Proxyroll.com Clone PHP Script - Insecure Cookie Handling
- Author: DigitALL
- Published: 2010-01-02
- Paper URL: https://www.exploit-db.com/papers/10912
- Raw URL: https://www.exploit-db.com/raw/10912
Original Exploit-DB Content (Verbatim)
# Exploit Title: Proxyroll.com Clone PHP Script Cookie Handling And Tamper Data
# Date: 02.01.2010
# Author: DigitALL
# Thanks: Zombie KroNicKq NoFear and All 1923Turk.biz Members
# Version: 1.0
# Code : This Site Go To /advertise.php and Paypal Buton Click and Firefox Tamper Data Open then
a3 = Value
currency_code = USD or STERLİN or LİRA
Your 1 $ ==== They 99 $ good jobs :)