SANRAL E-TOLL WEBSITE VULNERABILITY

mtbk

Original article taken from http://tny.cz/ef11db01

------------------------------------------------
SANRAL E-TOLL WEBSITE VULNERABILITY
------------------------------------------------
By Moe1
------------------------------------------------
SECURITY ADVISORY
------------------------
DOCUMENT ID: v1.0
--------------------------
RISK LEVEL : CRITICAL
--------------------------

DISCLAIMER
--------------
The information provided in this document is for educational purposes only. The author is in no way responsible for any misuse of the information. The author insists that such information should never be used for malicious purposes.

INTRODUCTION
------------------
The SANRAL e-Tolls website allows users to register their e-tags online and provides a service whereby customers can monitor, pay and track their e-toll accounts. The website holds sensitive customer information such as ID numbers, car number plates, postal addresses, payment methods, etc., so it is crucial that SANRAL secure it and protect user data. The purpose of this report is to expose the false sense of security the website portrays by highlighting a simple vulnerability which exists due to a lack of basic web application security logic.

OVERVIEW
------------
When a user registers on the website for the first time the account is put into a “pre-registration” state. The account remains in the “pre-registration” state until the user confirms it by clicking a link provided in a confirmation email. This “pre-registration” confirmation link has a serious security problem: the confirmation screen displays the user's PIN. The page identifies the account solely by the username carried in the link, with no check that the requester is the account's owner, so an attacker can substitute another username into the link and the confirmation page will contain that other user's PIN.

VULNERABILITY DEMO – HACK AN E-TOLL ACCOUNT IN 5 SECONDS
----------------------------------------------------------------------------

1. Browse to the SANRAL e-toll login page. https://www.sanral.co.za/e-toll/portal/default.aspx
2. The login page asks for a USERNAME, a PIN and the VERIFICATION CODE it displays. With a target USERNAME in hand, all you need to get that user's PIN is to browse to the “pre-registration” confirmation link with the USERNAME substituted:

http://www.sanral.co.za/e-toll/portal/PreRegisterAccountValidate.aspx?UserName=jasonbourne
(Notice that the PIN of that user's account is returned. To view it in clear text, simply view the page source.)

3. Now that you have the PIN, go back to the login screen and enter the username, the PIN and the verification code provided.
4. And there you have it: an e-toll account hacked in 5 seconds!

PROOF OF CONCEPT EXPLOIT
---------------------------------
http://tinyurl.com/melw4nw

VIDEO DEMO
---------------
http://www.youtube.com/watch?v=cacn2vRWzF8

CONCLUSION
---------------
It is great that SANRAL tells you to keep your PIN safe in its “Terms and conditions”, but it is not very great that it hands out your PIN to anyone who simply requests it.

-EOF-
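The following is an added example, not code from the advisory, its author or SANRAL's site: a toy Python model of the confirmation endpoint as the advisory describes it (the page trusts the UserName parameter alone and writes the PIN into the response), next to a hardened version that trusts only an unguessable, single-use token from the e-mail and never echoes the PIN. The sample accounts, PINs, the `example.invalid` host and every function name are constructed for illustration.

```python
"""Added example (not the advisory's or SANRAL's code): a toy model of a
pre-registration confirmation endpoint, first with the flaw the advisory
describes and then hardened.  All names and data below are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    username: str
    pin: str                             # stored in clear only to model the flaw
    confirmed: bool = False
    confirm_token: Optional[str] = None  # one-time token bound to the account


# Constructed sample accounts; these are not real e-toll users.
ACCOUNTS: Dict[str, Account] = {
    "jasonbourne": Account("jasonbourne", "4821"),
    "alice": Account("alice", "9037"),
}


def vulnerable_validate(query: Dict[str, str]) -> Dict[str, object]:
    """The flaw as described: the page trusts the UserName query parameter
    alone (no session, no token) and writes the account's PIN into the
    response, where it is visible in the page source."""
    acct = ACCOUNTS.get(query.get("UserName", ""))
    if acct is None:
        return {"status": 404, "body": "No such account"}
    acct.confirmed = True
    return {"status": 200, "body": f"Account confirmed. Your PIN is {acct.pin}"}


def issue_confirmation_link(username: str) -> str:
    """Hardened flow, step 1: when the confirmation e-mail is sent, generate an
    unguessable single-use token, bind it to the account, and put only the
    token in the link (the host name is a placeholder)."""
    acct = ACCOUNTS[username]
    acct.confirm_token = secrets.token_urlsafe(32)
    return ("https://example.invalid/PreRegisterAccountValidate.aspx"
            f"?token={acct.confirm_token}")


def hardened_validate(query: Dict[str, str]) -> Dict[str, object]:
    """Hardened flow, step 2: the token is the only thing the page trusts.
    It selects the account (a UserName parameter is ignored), is compared in
    constant time, is consumed on first use, and the PIN is never echoed."""
    presented = query.get("token", "").encode("utf-8")
    for acct in ACCOUNTS.values():
        if acct.confirm_token is None:
            continue
        if hmac.compare_digest(acct.confirm_token.encode("utf-8"), presented):
            acct.confirm_token = None            # single use
            acct.confirmed = True
            return {"status": 200,
                    "body": "Account confirmed. Log in with your PIN."}
    return {"status": 403, "body": "Invalid or expired confirmation link"}


if __name__ == "__main__":
    # Attacker supplies a victim's username: the vulnerable page leaks the PIN.
    print(vulnerable_validate({"UserName": "jasonbourne"}))
    # The same trick against the hardened page gets nothing.
    print(hardened_validate({"UserName": "jasonbourne"}))
    # Only the holder of the e-mailed link can confirm, and only once.
    link = issue_confirmation_link("alice")
    token = link.split("token=", 1)[1]
    print(hardened_validate({"token": token}))
    print(hardened_validate({"token": token}))
```

The hardened handler makes the e-mailed token the only thing the page trusts: it identifies the account, it is unguessable, it is consumed on first use, and the response never contains the PIN, so substituting a username in the URL gains an attacker nothing. A production implementation would store a hash of the token in the database and look it up by index rather than scanning accounts, and would expire unused tokens after a short window.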
 
****

Okay, looking at it, it is quite difficult to test without potentially (note: not actually) falling foul of the ECA, as unlike the CoJ issue this entails conveying credentials.
 
****


Just watch the video :P I'm not getting my IP anywhere near SANRAL :P

http://www.youtube.com/watch?v=cacn2vRWzF8
 
Ha Ha Ha Hahahahahahahaha :D
Waiting for the denials and the "malicious hacker" excuses
 
DOWN WITH THE SYSTEM. SCRAP ALL OF IT. ENATIS INCLUDED.

Please. Honestly.

I've been telling everyone this sort of thing was inevitable.

Expect to see this in the newspapers tomorrow. (Or sometime soon)
 
1) Call House
2) Make popcorn
3) ???
4) Profit

Also...lol at plain text pin. What a joke. Can't say I'm surprised though.
 
Is SANRAL subject to the Protection of Personal Information Bill?

EDIT... yip... it looks like SANRAL is indeed subject to the Personal Information Bill. No doubt the government will act decisively against said government entity for breaking the law. Also... I'm told tomorrow hell will freeze over.
 
Can someone explain this in layman's terms for me? Other than "it's buggered" or something along those lines.

Would like to understand this properly. My reading of the information is that one needs to know the username of an existing e-toll user, then pretend to register your own account, but on the confirmation page, simply add the other user's username, and you'll be sent their PIN code. Is this correct?
 

You enter any username on the account confirmation page when activating an account; however, the PIN is in plain text in the source when you submit the request. Enter any username and get any PIN. Log into any account.

Essentially, an outdated version of the SA road users' database is available with nothing more than entering any username.

Identical issue to the CoJ one: no session checking is done to prevent accessing secure data, but worse, they supply you with the PIN.
 