Wednesday, September 22nd, 2010

Put me in Coach!

*** UPDATE ***
Rex Grossman is out for the season.  ESPN has fixed the issues I discussed below.  However, before you give up on your fantasy football season, apparently there is a stored XSS that I missed.  This guy will have details posted soon -> http://lanmaster53.com/?p=182 .  The fun never stops :)
*** UPDATE ***

First, some background.  I love American football.  My team is the Chicago Bears.  I’ve been a Bears fan since the ’80s, when Walter Payton, Mike Singletary, and Jim McMahon dominated the field.  The last few years as a Bears fan have been difficult, but I’ve hung in there.  A few years ago the Bears had a quarterback named Rex Grossman.  To put it lightly, he wasn’t the greatest QB a team could have; in fact, the Bears have traded him away.  I never really liked him.

Earlier this month, I was invited to play in a fantasy football league.  I’ve never played fantasy football, but I understood the rules and had many friends who played.  My friends (none of whom work with computers for a living) needed one more player to round out a league of 10 teams, so I decided to give it a shot.  Before the “season” begins, each player selects the football players they think will be the most successful during the season.  As my best player, I selected a running back named Ryan Grant, who runs for the Green Bay Packers.  I was shocked when my star player suffered a season-ending injury in the first game of the season.  As I navigated the fantasy football website to find a replacement player, I came across several interesting issues.  Some of these issues would allow me to cheat and win (dropping arbitrary players from another team’s roster, modifying another team’s starting lineup), but I want to win fair and square (I guess that Midshipman honor code has stuck with me)… but as a notorious prankster I figured I could have a little fun with the bugs I discovered.

When a team adds a new player to its roster, the user navigates through several menus and selection screens.  The final confirmation URL for adding a player to the bench looks something like this:

leagueId=111111&incoming=1&trans=2_4480_-1_1002_3_20

The leagueId represents the “league” in which our teams are playing.  The trans parameter represents the actual transaction.  I’ve broken the trans parameter into the following pieces:

2 <– the type of transaction to be executed

4480 <– the unique player ID for Rex Grossman

-1 <– some sort of increment value / counter?

1002 <– another value that describes the transaction

3 <– the team ID for my team

20 <– not sure what this number is

Unfortunately for the other players in my league, the fantasy football application does a poor job of authorization checking.  Because the team ID in the trans parameter is trusted as supplied, I can manipulate the parameter to add an arbitrary player to any team’s roster.  I decided to add Rex Grossman to one of my rivals’ bench (not the starting lineup).

Soon after adding Rex to my rival’s bench, I spoofed an email from Rex Grossman with a plea to play.

A few days later, my rival was posting to the entire league that Rex Grossman had magically added himself to his roster and had emailed him to play.  My rival then dropped him from the roster before the next weeks play.

Unfortunately for my rival, Rex is a persistent player.  This week I traded him from waivers for another player on my rival’s team.  Trading from waivers/free agency is more involved and the query string is correspondingly longer, but the overall gist is the same (I also had to fake the waiver transaction ID).

trans=3_2753_1_20_-1_1002|2_4480_-1_1002_1_20

The numbers before the “|” character belong to the player who is to be dropped from the roster (the bench) to waivers while the numbers after the pipe character represent the player to be added to the roster (to the bench, not the starting lineup).  In this example, I’ve dropped T.J. Houshmandzadeh off of my rival’s bench roster and added Rex Grossman back to the bench.
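As an added illustration (my own code, not ESPN’s and not from this post), the following Python parses the two trans layouts described above (the single add segment, and the pipe-separated drop|add pair), shows a handler that trusts the client-supplied team ID the way the post describes, and beside it the server-side check the application was missing: the team a move applies to is taken from the authenticated session, and a drop is only allowed for a player that team actually holds.  The field positions for a type-2 add follow the breakdown above; the meaning of the remaining fields, the layout of the type-3 drop segment beyond its player ID, and the league state are assumptions made for the example.

```python
"""Parser for the fantasy-transaction string the post describes, plus the
server-side authorization check the application was missing.

Assumptions (illustrative code, not ESPN's): a type-2 segment has the layout
the post gives, type _ playerId _ -1 _ 1002 _ teamId _ 20; a type-3 segment is
a drop whose second field is the player id. The other fields and the rest of
the type-3 layout are not specified in the post and are not interpreted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Roster = Dict[int, Set[int]]  # team id -> set of player ids on that team


@dataclass(frozen=True)
class Segment:
    kind: int                # 2 = add to bench, 3 = drop to waivers (post's examples)
    player_id: int
    fields: Tuple[int, ...]  # all numeric fields, kept for inspection


def parse_trans(trans: str) -> List[Segment]:
    """Split a trans value on '|' (one segment per move) and each segment on '_'."""
    segments = []
    for part in trans.split("|"):
        try:
            nums = tuple(int(x) for x in part.split("_"))
        except ValueError:
            raise ValueError(f"non-numeric field in segment {part!r}") from None
        if len(nums) < 2:
            raise ValueError(f"malformed segment {part!r}")
        segments.append(Segment(kind=nums[0], player_id=nums[1], fields=nums))
    return segments


def client_team_id(seg: Segment) -> int:
    """Team id as the client supplied it: the fifth field of a type-2 segment."""
    if seg.kind != 2 or len(seg.fields) < 5:
        raise ValueError("team id position is only known for type-2 segments")
    return seg.fields[4]


def apply_vulnerable(rosters: Roster, trans: str) -> Roster:
    """The bug in the post: the move lands on whatever team the request names,
    with no comparison against the logged-in user. Handles type-2 adds only."""
    for seg in parse_trans(trans):
        if seg.kind != 2:
            raise ValueError("demo of the vulnerable path covers adds only")
        rosters.setdefault(client_team_id(seg), set()).add(seg.player_id)
    return rosters


def check_trans(rosters: Roster, trans: str, session_team: int) -> Optional[str]:
    """Authorization check: every segment must apply to the team bound to the
    session. Returns None when allowed, otherwise the reason for refusal."""
    for seg in parse_trans(trans):
        if seg.kind == 2:
            if client_team_id(seg) != session_team:
                return f"add targets team {client_team_id(seg)} but session is team {session_team}"
        elif seg.kind == 3:
            # a drop is only valid for a player the session's own team holds
            if seg.player_id not in rosters.get(session_team, set()):
                return f"player {seg.player_id} is not on team {session_team}"
        else:
            return f"unsupported transaction type {seg.kind}"
    return None


def apply_checked(rosters: Roster, trans: str, session_team: int) -> Roster:
    """Hardened handler: refuse before mutating anything, then apply every move
    to the session's team (never to a team id taken from the request)."""
    reason = check_trans(rosters, trans, session_team)
    if reason is not None:
        raise PermissionError(reason)
    team = rosters.setdefault(session_team, set())
    for seg in parse_trans(trans):
        if seg.kind == 2:
            team.add(seg.player_id)
        else:
            team.discard(seg.player_id)
    return rosters


if __name__ == "__main__":
    def fresh() -> Roster:
        # Constructed league state: team 1 is the rival (holds player 2753), team 3 is the author's
        return {1: {2753}, 3: set()}

    rival_add = "2_4480_-1_1002_1_20"  # add player 4480 to team 1's bench
    print("vulnerable:", apply_vulnerable(fresh(), rival_add))
    print("checked   :", check_trans(fresh(), rival_add, session_team=3))
    trade = "3_2753_1_20_-1_1002|2_4480_-1_1002_1_20"
    print("checked   :", check_trans(fresh(), trade, session_team=1))
```

The design point is that the hardened handler never uses the team ID from the request as the target of a write; it only compares it against the session’s team and refuses on mismatch, so forging the trans value cannot move a player onto or off another roster.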

Of course, another spoofed email goes out to explain the situation.

We’ll see what next week brings.  I’ve contacted the fantasy football game provider (probably the largest provider in the US), hopefully they’ll fix it soon…

Posted by xssniper | Filed in Blogroll, Web Application Security

  • Jon

    You should remove the instructions on how to accomplish this.

  • http://nopsled.wordpress.com Nopsled

    That’s both hilarious and slightly embarrassing as far as security goes. Even though the application wasn’t exactly filled with sensitive information, it’s still disappointing to see flaws like this in modern applications.

  • http://NONE Ryan

    I’ve been trying to get this to work, but every time it brings me to a confirmation screen, and then if I click confirm to add/drop another team’s player it says invalid transaction.

  • xssniper

    You’re going to have to forge the transaction ID. If you replay the params I provided, you’ll get an error and the transaction ID was for my specific trade.

  • http://www.praetorianprefect.com Prefect

    Doesn’t seem to work anymore, problem fixed?

  • billy

    Could you go a little more into detail on how to do this?

  • Joseph

  • Pingback: LaNMaSteR53.blog » Blog Archive » ESPN Fantasy Football – What Billy Rios Missed

  • http://nopsled.wordpress.com Andrew Brooks

    “Wow. I was going through the proper disclosure process on this with ESPN.”

    Yea! Fantasy Football vulnerabilities are serious business!

  • Khash_Ha.Ckers

    Not fully fixed. I’m about to make a trade using an XSS vuln!

  • Khash_Ha.Ckers

    Run any ESPN transaction via a proxy, such as burp, and you’ll find some interesting stuff. Check out the headers and request parameters.

  • Pingback: Your Fantasy Football Player May Not Care About You - NYTimes.com

  • Pingback: Fantasy Sports Business » Blog Archive » ESPN Security Issue Provides Fantasy Lesson

  • A Scheuer

    Rex Grossman is starting this week for the Redskins! I hope your friend starts him… lol