We were performing some shared notebook testing recently and someone noticed that an outline in one of our notebooks had changed. She first thought that some garbage text had been inserted in place of a typical user name in the text showing who last modified the outline. You can see who changed an outline by right-clicking it: the bottom item in the menu shows the user name of the person who last changed that particular item in OneNote. To be really complete, you can change what is displayed as your user name in Tools | Options | Display.
We had our shared notebook up on a projector. This tester had right clicked an outline to see who had changed what she had written (me) and she saw something similar to this:
I had changed my name to “;DROP TABLE *”. To most people, until someone admits to using such an unusual name, this looks like either garbage or a bug. For those that have worked with SQL, this is a pretty powerful command to see bandied about. In a SQL database, this command would delete data – a lot of data – if it was executed by a user who had rights to delete that data. It’s seen in “SQL injection” attacks quite frequently, and is not something anyone expects to see on a OneNote page. I had decided to change my user name to see if I could stumble across this type of security bug in OneNote. Fortunately, OneNote’s username functionality knows enough not to run SQL commands and no data got deleted. I did not expect this to find any bugs whatsoever – I changed my name mostly “just to see what would happen,” and to remind myself to keep security testing in mind.
I’ve also changed my name in the past to be “<script>alert()</script>” when working with applications that understand HTML. If an app is not careful, this little bit of script will run and open a blank alert box. The purpose of the alert box is to let me know the script has been executed. If the script had run, I would need to find out whether it was expected to run (if the application is trying to render a web page from a secure location and the browser allows script to run, for instance, the alert should open). But if the application is merely copying HTML around, such as a file copy command, or cut and paste of text, the script should NOT run. If I get that alert, I have found a bug.
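The "alert canary" check above, written out as an added example (this is not OneNote code and not from the original post): the user name is placed into a "last modified by" menu item once verbatim and once HTML-escaped, and a check reports whether the script tag survived as live markup. The markup layout and the `escapeHtml` helper are assumptions for illustration.

```javascript
// Added example, not the original post's code: the post's canary user name,
// rendered into constructed "last modified by" markup two ways.
const CANARY_NAME = "<script>alert()</script>";

// Minimal HTML escaping for text that is inserted into element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builds the menu item markup. With escape=false the name is copied in
// verbatim (the careless pattern the post describes); with escape=true the
// name can only ever be displayed as text.
function renderModifiedBy(userName, escape) {
  const shown = escape ? escapeHtml(userName) : userName;
  return `<li class="modified-by">Last modified by ${shown}</li>`;
}

// The tester's question: would this HTML create a real <script> element?
// True means the alert box would open, i.e. the bug the post looks for.
function canarySurvived(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Runs both rendering paths over one user name and reports the outcome.
function runCanaryCheck(userName) {
  return {
    unsafe: canarySurvived(renderModifiedBy(userName, false)),
    safe: canarySurvived(renderModifiedBy(userName, true)),
  };
}
```

With the canary name, `runCanaryCheck` returns `{ unsafe: true, safe: false }`: only the verbatim copy would have fired the alert.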
Again, I don’t expect these simple little tricks to find any security bugs, and tricks like this are not security testing. They only serve to keep me aware of security testing on a daily basis.
Questions, comments, concerns and criticisms always welcome,