First off let me say that writing this post was a very difficult decision for me to make, as I normally try to work with vendors, companies, and organizations to fix issues like this one I am about to disclose without ever really disclosing them to the public, but in this case it just never worked out. I have tried for the last 18 months to contact just about everyone I could think of at Brainbench to disclose this issue to them, but none of my emails were ever returned. I utilized their bug reporting “Contact Us” form several times over this time period, but still no one even acknowledged the receipt of my emails or submissions. I even tried emailing common email addresses such as these: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected] to name a few, but again no response, well unless you count a few bounced emails for accounts that do not exist. I have sent them a copy of “Full Disclosure Policy (RFPolicy) v2.0” a few times telling them they had 5 days to contact me before I release this information, but like I said they never return any of my emails. This to me is just plain ridiculous and irresponsible on their part, as what I am about to provide you all with is information on how their core business objective for providing assessment products is just plain flawed, and cannot be relied on to accurately trust their assessment results.
I have personally been forced to take several of Brainbench's assessment tests during both the interviewing process and the continual certification process that Brainbench offers for a fee to companies looking to evaluate, assess, and/or validate future and current employees' skill sets. Here is a direct quote from Brainbench's website:
Brainbench, a PreVisor company, has served over 5,000 corporate and 6 million individual customers. The company was founded in January 1998 with the same mission it has today: Delivering easy-to-use assessment products that predict success on the job.
Here are some statistics, again copied directly from their website:
Number of Brainbench customers serviced in the US: Over 4,000
Number of countries where Brainbench has tested people: Over 120
Average Small Business Sale: $6000; 2 week sales cycle
Average Mid-Size Business Sale: $20,000; 4 week sales cycle
Average Large Business Sale: $120,000+; 10 week sales cycle
Brainbench customer renewal rate: 85%
Average renewal contract value: 140%
So as you can see they really appear to take pride in their ability to provide corporations and individuals with assessments that can aid in selecting the right candidate for a position or validate a current employee's skill set. This is why I could not comprehend their actions, or lack of action, when I attempted to contact them about this issue, which defeats their assessment engine's validity. Well, I think I have provided enough background details, so let's get to the meat and potatoes of the issue at hand.
JavaScript injection is a simple technique that can be used to manipulate client-side rendering and code, HTML forms, cookies, and/or just about any parameter on a web page after it has been rendered by the browser. All that is needed to perform this type of attack is a web browser and the address/location bar built into every web browser: clear the address/location bar and enter JavaScript functions and/or code in its place. A sample alert message can be rendered on any page by clearing the address/location bar and entering this code:

javascript:alert("Hello World!");
JavaScript injections conducted in the address/location bar must always start with "javascript:", but several commands and/or code segments can be entered into the address/location bar by ending each one with a ";" to terminate each section and/or segment. A really nice write-up on JavaScript injections with some really cool functions can be found here: "How to Use Javascript Injections".
It is clear that JavaScript executed in the address/location bar isn't really a bug or security vulnerability by itself, as its effects are confined to the client side, but it can be used to do some interesting things such as web form manipulation and parameter modification. This is why no one should ever trust input from a client, and why JavaScript validation by itself is just not enough to secure your data. Server-side validation must occur for every single input received from the client to ensure it is valid and safe to process.
Brainbench's assessment engine relies solely on a JavaScript function to track the time a test/assessment taker spends on each question. This time is normally restricted to 3 minutes, or 180 seconds, which sounds like a pretty nifty feature to ensure test/assessment takers are answering questions based on knowledge. Given more time, a test/assessment taker could easily Google the answer or even reference a book for the correct answer, which sort of defeats the purpose of the assessment. So let us take a little journey into this JavaScript code used by Brainbench's assessment engine, and see if you can't spot the issue before I spell it out for you. Here is the function in question:
function TimerFunc()
{
    // Stop counting as soon as the client-side flag is cleared.
    if( !doTimer )
        return;
    // Re-arm itself once per second; tcount is the elapsed-seconds counter.
    tf = window.setTimeout( "TimerFunc();" , 1000 );
    tcount++;
    timeLeft = 180 - tcount;
    minutes = 0;
    seconds = 0;
    if( timeLeft > 0 )
    {
        minutes = Math.round( ( timeLeft / 60 ) - 0.5 );
        seconds = timeLeft - 60*minutes;
        if( minutes > 0 )
        {
            document.qform.timerbox.value = minutes + ' Min. ' + seconds + ' Sec. Remaining';
        }
        else
        {
            document.qform.timerbox.value = seconds + " Seconds Remaining";
        }
    }
    else
        document.qform.timerbox.value = "Time Expired";
    // window.status = timeLeft + " " + "Seconds Remaining";
    // document.qform.timerbox.value = timeLeft + " " + "Seconds Remaining";
    if( timeLeft == 30 )
    {
        doWarning();
    }
    if( timeLeft <= 30 )
    {
        document.qform.timerbox.className = "timertextboxred";
    }
    if( timeLeft <= 25 )
    {
        doWarningOver();
    }
    // Only the client ever decides that time is up and submits the form.
    if( timeLeft == 0 )
    {
        window.clearTimeout( tf );
        timeUp = 1;
        document.qform.nextitem.disabled=true;
        document.qform.submit();
    }
}
This function is called by another JavaScript function:
function doOnload()
{
    if( resetVals )
    {
        setem();
    }
    // The timer is only started if the client-side doTimer flag is set.
    if( doTimer )
    {
        tf = window.setTimeout( 'TimerFunc()' , 1000 );
    }
}
This "doOnload()" JavaScript function is called from the HTML "onload" event when the web page is first loaded, with this code:
<body topmargin="15" leftmargin="15" onload="doOnload(); " bgcolor="#ffffff" marginheight="15" marginwidth="15">
Now is the issue or vulnerability at hand apparent yet? I can think of a few ways to defeat this code, but I am only going to demonstrate one very simple and straightforward method for "Stopping" and "Starting" the timer at will. To stop the timer, simply copy and paste the following code into the address/location bar of your browser and hit the "enter" or "return" key while you are taking the assessment/test, and the timer will stop:
javascript:void(doTimer=false);doOnload();
To start the timer back up, simply change the "false" parameter to "true" and hit "enter" or "return" to execute the code once again. Like magic, the timer will start up again where it left off.
Very simple, right? So what harm does something like this do? Well, you're not going to get "root" or "own" Brainbench, but now how valid are these assessments and/or exams? By stopping the timer at will a test/assessment taker can easily go look up the answer to a question he or she has absolutely no knowledge of, and score a perfect score in areas that the test/assessment taker has no knowledge of. This completely defeats the validity of the assessment, and now these certifications and/or assessment results can no longer be trusted. Now if I was an organization reading this article and utilizing these assessments I would immediately contact my sales representative and pose the same question, but hey, that is just me. If I took pride in holding these certifications and paid to take these assessments, I would also call or email Brainbench to pose this question to them as well. This really hurts and/or questions the overall validity of these assessments and certifications. Maybe if enough people and/or organizations seek out Brainbench's response and/or support in regards to this matter it can be fixed quickly.
So how can they fix this? Simply validate or remove the client-side "timer" input variable. Removing it would ensure the timer variable has no impact on the actual exam time and/or timer. To validate the timer, a server-side function and/or timer to compare against could be used. The visual timer makes for a good reference for the test/assessment taker, and should not be removed in my opinion; just don't trust it to be accurate. Removing the "doTimer" variable would be a good idea as well, since I really can't come up with a valid reason for having this functionality or variable. Just start the timer and let it run; there is no need to check whether the timer should be running when a test/assessment taker is actually taking the exam. I could be wrong here since I didn't write the code, but then again I could be right too.
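The server-side timer described above, written out as an added example that is not Brainbench's code and that was not part of the original post. It assumes a Node.js application that keeps an in-memory session store (a hypothetical `createSession`/`issueQuestion`/`submitAnswer` API); the 180-second limit is taken from the page's TimerFunc(), and the 5-second grace allowance is an assumption. The server fixes each question's deadline from its own clock when it hands the question out, and decides on its own whether an answer arrived in time. The countdown box the candidate sees is derived from that server deadline, and anything the browser posts about the timer (timerbox, timeLeft, doTimer) is never read, so stopping the client-side timer changes nothing.

```javascript
// Added example (not Brainbench's code): server-side per-question timing.
const QUESTION_SECONDS = 180; // limit used by the page's TimerFunc()
const GRACE_SECONDS = 5;      // assumed allowance for network latency

// In-memory store for the example. A real deployment would keep this in
// server-side session storage keyed by an unguessable session id.
function createSession(sessionId) {
  return { sessionId, questions: new Map(), answers: new Map() };
}

// Called when the server renders a question. The deadline is computed from
// the server clock here; nothing the client later sends can move it.
function issueQuestion(session, questionId, nowMs) {
  if (session.questions.has(questionId)) {
    // Reloading the page must not restart the clock.
    return session.questions.get(questionId);
  }
  const record = { issuedAt: nowMs, deadline: nowMs + QUESTION_SECONDS * 1000 };
  session.questions.set(questionId, record);
  return record;
}

// Value for the visual countdown box: a courtesy derived from the server's
// deadline, never something the server reads back from the form.
function secondsRemaining(session, questionId, nowMs) {
  const record = session.questions.get(questionId);
  if (!record) return 0;
  return Math.max(0, Math.ceil((record.deadline - nowMs) / 1000));
}

// Called when the answer form is posted. clientFields is the raw POST body;
// only clientFields.answer is used, timer-related fields are ignored.
function submitAnswer(session, questionId, clientFields, nowMs) {
  const record = session.questions.get(questionId);
  if (!record) {
    return { accepted: false, reason: "question-not-issued" };
  }
  if (session.answers.has(questionId)) {
    return { accepted: false, reason: "already-answered" };
  }
  const elapsedMs = nowMs - record.issuedAt;
  if (nowMs > record.deadline + GRACE_SECONDS * 1000) {
    // Late: mark the question expired with no answer, enforced where the
    // client cannot interfere, and do not accept a later retry.
    session.answers.set(questionId, { answer: null, elapsedMs, expired: true });
    return { accepted: false, reason: "time-expired", elapsedMs };
  }
  session.answers.set(questionId, { answer: clientFields.answer, elapsedMs, expired: false });
  return { accepted: true, elapsedMs };
}

// Demonstration with a constructed session and a fake clock (epoch 1000000).
function demo() {
  const session = createSession("constructed-session-id");
  const t0 = 1000000;
  issueQuestion(session, "q1", t0);
  // Answered after 42 seconds: accepted, whatever the posted timer field says.
  const onTime = submitAnswer(
    session, "q1",
    { answer: "B", timerbox: "2 Min. 18 Sec. Remaining" },
    t0 + 42000
  );
  issueQuestion(session, "q2", t0 + 45000);
  // Candidate froze the browser countdown and came back 10 minutes later.
  const late = submitAnswer(
    session, "q2",
    { answer: "C", timerbox: "2 Min. 30 Sec. Remaining" },
    t0 + 45000 + 600000
  );
  return { onTime, late, remainingQ1AtStart: secondsRemaining(session, "q1", t0) };
}

module.exports = { createSession, issueQuestion, secondsRemaining, submitAnswer, demo };
```

The important design choice is that the only clock consulted is the server's: the browser's countdown can be stopped, restarted or edited, and the answer will still be rejected once the server-side deadline (plus grace) has passed. Re-issuing a question returns the original record, so reloading the page does not buy more time either.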
Just as a historical reference, since I am optimistic that Brainbench will fix this issue in the near future, I have recorded a video demonstrating that this vulnerability really did work, and as of today still works.
3 Comments on “Brainbench.com Assessment Engine JavaScript Injection Vulnerability”