11.24.07

Lax Web Application Security

Posted in IT, Security, Vulnerabilities at 8:10 pm by Tyler Reguly

I know it shouldn't surprise me anymore... but it still does, every time I visit a site and see a massive, gaping hole in their web app security. I can get missing an XSS or some other input validation issue... it's not good, but it happens... what I don't get is shopping cart apps that allow the customer to change the purchase price.

I was visiting the online ordering system of a local pizza/pasta place and noticed, for the first time, the links I was clicking on. The query looked something like this:
'add=310,1,8.95,Sandwiches,veggie&returnto=/top.php'

This translates to: item number, quantity, price, category, description.

Now the first obvious problem is that we've got an open redirect on the 'returnto' field. The second problem is that we can modify the price (change field three), and we can inject text via category, description or price, all of which are printed to the page. I did notice that the '<' character was stripped, but that's the only character I noticed being filtered.
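How a back end should treat that 'add' parameter, as an added example (my own Python sketch, not the pizza site's PHP code): the price and labels are re-derived from a server-side catalog, so fields three to five from the client are simply ignored, 'returnto' is restricted to a same-site relative path, and anything echoed to the page is output-encoded rather than blocklist-stripped. CATALOG, handle_add, safe_return and is_rejected are names I made up for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed server-side catalog: the ONLY place a price may come from.
CATALOG = {
    "310": {"name": "veggie", "category": "Sandwiches", "price_cents": 895},
}

def safe_return(target: str) -> str:
    """Open-redirect fix: allow only a relative path on this site.
    Absolute URLs, scheme-relative '//host' and schemes fall back to '/'."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return "/"
    if not target.startswith("/") or target.startswith("//"):
        return "/"
    return target

def handle_add(query: str) -> dict:
    """Parse 'add=item,qty,price,category,description&returnto=...'.
    Only item id and quantity are taken from the client; the price,
    category and description come from CATALOG, never from the request."""
    params = parse_qs(query)
    fields = params.get("add", [""])[0].split(",")
    if len(fields) < 2:
        raise ValueError("malformed add parameter")
    item_id, qty_str = fields[0], fields[1]
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    if not qty_str.isdigit() or not 1 <= int(qty_str) <= 20:
        raise ValueError("bad quantity")
    item = CATALOG[item_id]
    return {
        "item": item_id,
        "qty": int(qty_str),
        "price_cents": item["price_cents"],       # client field three is ignored
        # Output-encode anything that reaches HTML, even catalog text.
        "label": escape(f"{item['category']}: {item['name']}"),
        "returnto": safe_return(params.get("returnto", ["/"])[0]),
    }

def is_rejected(query: str) -> bool:
    """True when the request fails validation (used by the checks below)."""
    try:
        handle_add(query)
    except ValueError:
        return True
    return False
```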

As I said, this probably shouldn't surprise me anymore but it still does. The kicker... there's no administrative contact info on the website to point out these flaws to them.


1 Comment

  1. kingthorin said,

    November 26, 2007 at 11:23 am

    I’m sure there’s a phone # somewhere on the page. If it’s a big chain then that might not help, however, if it was a big chain this issue probably wouldn’t exist.

    You could always see how long you can enjoy $0.01 sandwiches. I suspect they’d notice pretty quick though. Even if the guys making the sandwich/delivering the order don’t know how or why the bill is messed up, I’m sure they would notice that it was messed up.
