SECURITY in your everyday e-shop...

I don’t know if what I discovered is good or bad. I really like this site and the prices of its products, but it has a big security flaw, which makes me not use it anymore. In the following paragraphs I will describe what I’ve discovered, but I will not point to the actual e-shop, since this post is purely academic (so to speak). Heads up, nothing illegal…

OWASP and Security

OWASP is a community which identifies, documents and provides tools to avoid Web Application exploits. It’s formed by a group of security specialists who know how to secure a web application. All the documents and tools they create are free.

They have identified the most common attacks which are:

These 3 are the most common and quite easy to exploit, especially XSS and CSRF.

Curiosity

I was browsing the site looking at the products they offer and I was about to buy one of the items. At that point the security training I had last month came to my mind and I thought, why not try it here? And so I did. It didn’t take me long before I discovered the flaw. Basically, you can try directly all the attacks OWASP suggests and you will definitely find holes in that site.

XSS for the win

So, I applied a really well-known attack called XSS (Cross-Site Scripting). With it you can find very serious holes in a system, which in fact do not hurt the system directly, but rather its users/customers. Most of the time its purpose is to fetch information about the customer that can lead to taking over his account. An XSS attack is very serious and it’s one of the most common you can find out there.

XSS can yield information that you could otherwise fetch only by getting hold of a person’s actual computer, while the system that is used for the attack usually does not experience anything significant.

Let’s stop the rambling here and show you what I’ve done to exploit the site.

<img src="https://the.image.of.your/choice/goes/here.png" onload="alert(1);" />

Pretty simple and neat, and you manage to show remote content on a site that you are not supposed to be able to control. If the image you use exists then the onload should work and you will see an alert. If not you will just see the broken image.

To use this attack you simply send the following link to someone and when they click on it you have access to whatever you want in their browser. So, a simple email (with a masqueraded link) is enough.

You can run whatever you want on their browser and they won’t even notice.

https://your-everyday-eshop.com/search.html?keyword=<img+src%3D"http%3A%2F%2Furl.to.file.which%2Fnot.exist"+onerror%3Dalert%28document.cookie%29%3B>

How to Prevent Problems

There are a lot of companies (serious + big) that pay money when you find bugs related to those 3 attacks. They do that because those attacks can lead to serious problems for their users and themselves.

Privacy

It’s very common that companies pay some security company to audit their system and find exploits, so they can harden it. Those audits are expensive so not everyone can afford them; however, you can train your employees to prevent basic exploits like the aforementioned. Basically you need to make sure that what you give back to the user is not open to modification. The simplest way to accomplish this is by sanitizing, most importantly your outputs, and your inputs. So, any POST form you might have must filter the input and make sure that when the input is given back as output it is sanitized. Every decent web framework has a function to sanitize text.
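
The output sanitizing described above, shown on the search link from this post. This is an added example, not part of the original post and not the shop's code; the function names and the page template are assumptions made for illustration.

```javascript
// Added example: a reflected search keyword, rendered unescaped vs. HTML-encoded.
// The handler names and the template are hypothetical.

// Encode the five characters that let text break out of HTML content
// or out of a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the keyword out of a request URL the way a server-side handler would
// (percent-decoding and '+' to space are done by URLSearchParams).
function keywordFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get('keyword') ?? '';
}

// Weak: the decoded keyword is pasted straight into the markup.
function renderSearchUnsafe(requestUrl) {
  const kw = keywordFromUrl(requestUrl);
  return `<h1>Results for ${kw}</h1><input name="keyword" value="${kw}">`;
}

// Hardened: every reflection of the keyword is output-encoded first.
function renderSearchSafe(requestUrl) {
  const kw = escapeHtml(keywordFromUrl(requestUrl));
  return `<h1>Results for ${kw}</h1><input name="keyword" value="${kw}">`;
}

// True if the rendered page contains a live <img> tag.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

// Constructed request, modelled on the link shown in this post.
const sampleUrl = 'https://your-everyday-eshop.com/search.html?keyword=' +
  '<img+src%3D"http%3A%2F%2Furl.to.file.which%2Fnot.exist"+onerror%3Dalert%28document.cookie%29%3B>';

console.log('unsafe page has live tag:', containsInjectedTag(renderSearchUnsafe(sampleUrl)));
console.log('safe page has live tag:  ', containsInjectedTag(renderSearchSafe(sampleUrl)));
console.log(renderSearchSafe(sampleUrl));
```

This encoding covers HTML text and quoted attribute values; a value reflected inside a script block or a URL needs the encoder for that context instead.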

Conclusion

Nothing is SAFE!!! SSL certificates and security certificate stickers claiming high security and safety don’t mean anything.

Disclaimer

This post is to warn web developers about the simple attacks you can perform on a site. Be careful people, you don’t want to make this mistake. Of course I will not tell you the site. The purpose of this exploit is to demonstrate how easy it is to hack a very successful site (as they claim). As a matter of fact I have already contacted the site to make the fix.

NOTE: originally posted on https://medium.com/@ipinak/security-in-your-everyday-e-shop-e8852777bac