Hacktivism in the Land Without a Server
by \/indic8tr
A little while back, I stumbled upon a link to the forums of the Korean Friendship Association (www.korea-dpr.com/cgi-bin/simpleforum.cgi).
Naturally, I thought they needed to hear my opinion on the plight of the people of North Korea.
Unfortunately, there is no obvious way of registering for a forum membership without joining their club, nor could I discover any less obvious means to gain access.
Not being content to walk away in total defeat, I decided to examine other parts of the site.
After a little research, I discovered that this domain in fact houses the official website of the Democratic People's Republic of Korea (DPRK). A WHOIS search for the korea-dpr.com domain shows that the server is located in, of all places, Spain.
This seems counterintuitive at first glance. However this makes perfect sense for a country where information is so tightly controlled that it is a capital crime to own a radio that is not hardwired to receive only the single government-approved station.
That the DPRK cannot permit their own government's public website, their equivalent to whitehouse.gov, to be located on a server within its own borders flows naturally from this mindset.
Clearly, North Korea isn't a place that is easily targeted by those who would seek to use online activism to further the free flow of knowledge. This is frustrating, because hacktivism is one of the few nonviolent routes we have to bring the fight to those who would stifle learning and creativity both at home and abroad.
While we can't pick on Dear Leader directly, someone could hypothetically stick it to his fan club. Using techniques similar to the Having Fun with Cookies article in 23:2, a malicious user can use inline JavaScript in a browser's address bar to get free stuff courtesy of the Korean Friendship Association.
This will require the attacker to set up a throwaway PayPal account or a one-time use credit card. They would also need a little knowledge of Spanish. Don't worry, a hypothetical attacker wouldn't have to spend any real money for this to work.
The KFA online store is located at www.korea-dpr.com/catalog2/index.php.
Our hypothetical angry activist first should choose something to buy, preferably something expensive. Then he or she would select the "Buy Now!" option, then go on to the checkout.
There, the attacker would fill out the information form. If they want to actually receive the stuff and not get busted, they would probably want to use a P.O. box that can't be traced back to them, since most developed countries are still on reasonably good terms with Spain, if not the DPRK.
Note that even if one selects payment in U.S. dollars, they will still be billed in euros. Hit continue twice to use the same P.O. box you submitted earlier for your shipping and billing addresses.
The hack is executed on the Order Confirmation form, and it is a simple one.
The website uses a POST to send the price info to PayPal in the form of a JavaScript variable. The price of the fist item is stored in the variable: document.forms[2].amount_1
If you purchased other items, they'll be stored in amount_2, amount_3, and so on.
Go to the address bar and enter the following:
The alert box isn't strictly necessary, but it is nice to know that the variable was successfully changed.
If you bought more than one item, go through and repeat for amount_2, amount_3, and so forth as needed.
All that remains is to confirm your order in the Spanish language form (WTF?) and presto, free North Korean stuff.
Maybe such a kick in the pocket book would help the membership of the KFA to see the irony of running an e-commerce website on behalf of a regime that would shoot its own citizens for using a computer or, up until recently, buying things.