2011-08-19

Complimentary Wifi for You and Me.

Successfully tested in Hilton Honors Hotel Wifi. Yes, I know, I know... wifi should be free for everyone. All a decent geek wants to do on a vacation is find information on where he can spend his money... food, entertainment and shopping. Internet access is crucial to get this information. Yes, I know what you are thinking... use the office mifi? Or a broadband mobile connection... oh yeah? Not business related? So here's how. It's simpler than you think... a total no-brainer and totally the fault of the designer of the website... there is absolutely no security. Believe me, I've tested this and it works.

Tools needed: Firefox with the Firebug add-on.
1. Fire up Firefox, and the hotel website shows up. It'll have a choice of connection lengths and the cost for each.
2. For initial testing purposes, pick the cheapest choice ($2.95 for an hour).
3. Choose "bill-to-room".
4. For the last name and room, type in a bogus last name (ex. BUNNYBEAR). Do not use your real last name on this round. The purpose of this is to stop the process midway so we can inject our changes.
5. For the room number, enter your real room number.
6. Press connect, and a page will show up with the summary of your bill ($2.95 for 1 hour), but an error will show saying that the last name does not match the room number.
7. Activate Firebug, and navigate to the HTML tab. (Note: activate in a new window.)
8. Search for "2.95". Firebug search should find it by the "value=2.95" code. Change the value to "0.00".
9. Go back to the web page. At this point it should still say $2.95 on the cost. There should be 2 buttons at the bottom of the web page, "BACK" and "CONNECT". Click CONNECT.
10. Once again it will try to connect, but since the last name is still wrong, it will go back to the error page. But now check the total amount: it is now "Complimentary".
11. Now change the last name to the correct last name registered to the room number... click connect, and welcome to the jungle!

NOTES: I have not tried this on the higher priced options, but I figure the logic is the same and it should work as well. Now why did this work? Just like what I have preached before... sequence of events.
1. The initial page with the options is created, and the choices are packaged into the next page. The initial page usually has coupons and complimentary code options on it.
2. The 2nd page bundles the options for evaluation and confirmation to the connection page.
3. We modified the 2nd page to change the cost but made sure that half the info fails validation (wrong last name). This regenerates the 2nd page to now have a complimentary cost on a legitimate page.
4. After we correct the last name, all the info on the page is now accurate and should pass the confirmation. In essence the web site itself re-packaged the whole page to go through properly. Game over. pwned. trip ninja. 3l33t.
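
The design flaw in that sequence is that the server trusts a price carried in a form field. As an added example (not code from the original post or from the hotel's portal), here is a small model of that flaw next to the fix, where the amount is looked up server-side from the plan id on every request. The plan ids, the 24h price, the guest register and all function names are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: plan ids, the 24h price and the guest register are
# assumptions for illustration; only the $2.95 one-hour price is from the post.
PLANS = {"1h": Decimal("2.95"), "24h": Decimal("9.95")}
GUESTS = {"412": "SMITH"}  # room number -> last name on the reservation


def name_matches(form):
    return GUESTS.get(form.get("room")) == str(form.get("last_name", "")).upper()


def flawed_confirm(form):
    """Model of the flaw: the amount is read back from the submitted form."""
    # The value came from a hidden field, so the browser user controls it, and
    # it is echoed into the re-rendered page when the name check fails.
    return {"charge": Decimal(form["price"]), "connected": name_matches(form)}


def price_was_altered(submitted, expected):
    if submitted is None:
        return False
    try:
        return Decimal(submitted) != expected
    except (InvalidOperation, TypeError, ValueError):
        return True  # unparsable price field: treat as altered


def hardened_confirm(form):
    """Recompute the amount from the plan id on every request."""
    plan = form.get("plan")
    if plan not in PLANS:
        raise ValueError("unknown plan")
    expected = PLANS[plan]
    return {
        "charge": expected,  # never taken from the client
        "connected": name_matches(form),
        # A mismatch is worth logging: the page never offers any other value.
        "tamper_alert": price_was_altered(form.get("price"), expected),
    }


# Constructed request: valid guest details with an altered hidden price field.
altered = {"plan": "1h", "price": "0.00", "room": "412", "last_name": "Smith"}
print(flawed_confirm(altered))    # charge follows the form field
print(hardened_confirm(altered))  # charge follows the server-side price list
```

Because the hardened handler never reads the amount from the request, a failed name check followed by a corrected one cannot carry an altered price forward.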

The intent of this blog entry is to pentest and see if this bug is still out there, and it is. This is not for financial gain or stealing; I am not a black hat. It's just amazing that until now they still have this bug. This hole in shopping carts was discussed at least 10 years ago, just incredible.