SECURITY in your everyday e-shop…

I don’t know if what I discovered is good or bad. I really like this site and the prices of its products, but it has a big security flaw, which makes me not use it anymore. In the following paragraphs I will describe what I’ve discovered, but I will not point to the actual e-shop, since this post is purely academic (so to speak). Heads up, nothing illegal…

OWASP and Security

OWASP has identified the most common attacks, which are:

  • SQL Injection [1]
  • XSS [2]
  • CSRF [3]

These 3 are the most common and quite easy to exploit, especially XSS and CSRF.

Curiosity

XSS for the win

XSS yields information pulled straight from the victim's own computer (their browser), while the site that serves as the vector for the attack usually shows no sign that anything has happened.

Let’s stop the rambling here and show you what I’ve done to exploit the site.

Pretty simple and neat: you manage to show remote content on a site whose content you are not supposed to be able to control. If the image you use exists, the onload handler fires and you will see an alert; if it does not, you will only see a broken image.

To use this attack you simply send the following link to someone, and when they click on it your script runs in their browser on that site. So a simple email (with a masqueraded link) is enough.

You can run whatever you want on their browser and they won’t even notice.

https://your-everyday-eshop.com/search.html?keyword=<img+src%3D"http%3A%2F%2Furl.to.file.which%2Fnot.exist"+onerror%3Dalert%28document.cookie%29%3B>

How to Prevent Problems

It’s very common for companies to pay a security firm to audit their systems and find exploitable flaws, so they can harden them. Those audits are expensive and not everyone can afford them, but you can train your employees to prevent basic exploits like the one above. Basically, you need to make sure that what you give back to the user cannot be modified by the user; the simplest way to accomplish this is by sanitizing, most importantly, your outputs and your inputs. So any POST form you have (and any GET parameter, like the search keyword above) must filter its input and make sure that when the input is given back as output it is sanitized. Every decent web framework has a function to sanitize text.
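As an added illustration (this is not code from the original post or from the e-shop), here is the search page's behaviour modelled in JavaScript: the keyword is parsed from a request URL of the same shape as the one above, rendered once unescaped (the vulnerable case) and once through an HTML entity encoder (the fix the paragraph describes). The `.example` domain, the function names and the `containsRawTag` check are assumptions made for this example.

```javascript
// Added example, not part of the original post: a reflected search
// keyword rendered unsafely versus HTML-encoded on output.

// Constructed request URL with the same shape as the post's payload
// (domain and payload are sample values, not a real target).
const SAMPLE_URL =
  'https://your-everyday-eshop.example/search.html?keyword=' +
  '<img+src%3D%22http%3A%2F%2Furl.to.file.which%2Fnot.exist%22' +
  '+onerror%3Dalert%28document.cookie%29%3B>';

// Extract the user-controlled keyword the way a server would: the URL
// parser percent-decodes it and turns '+' into a space.
function extractKeyword(urlString) {
  return new URL(urlString).searchParams.get('keyword') ?? '';
}

// VULNERABLE: the keyword is interpolated into the HTML untouched, so any
// markup the user supplies becomes part of the page (this is the bug).
function renderResultsVulnerable(keyword) {
  return `<h1>Results for: ${keyword}</h1>`;
}

// Minimal HTML entity encoder for text placed between tags. The browser
// decodes the entities for display, so the keyword is shown verbatim but
// can never open or close a tag or attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// HARDENED: same template, but every user-controlled value is encoded at
// the moment it is written into the HTML context.
function renderResultsSafe(keyword) {
  return `<h1>Results for: ${escapeHtml(keyword)}</h1>`;
}

// Hypothetical review check: after removing the static template, does any
// raw tag opener survive in the part that came from the user?
function containsRawTag(html) {
  const body = html.replace('<h1>Results for: ', '').replace('</h1>', '');
  return /<\/?[a-z]/i.test(body);
}

const keyword = extractKeyword(SAMPLE_URL);
console.log('decoded keyword :', keyword);
console.log('vulnerable page :', renderResultsVulnerable(keyword));
console.log('hardened page   :', renderResultsSafe(keyword));
console.log('raw tag present :',
  containsRawTag(renderResultsVulnerable(keyword)), // true
  containsRawTag(renderResultsSafe(keyword)));      // false
```

Encoding at output time is what matters here: the same keyword can be stored, logged and searched unchanged, and it only becomes harmless or harmful at the point where it is written into HTML. A different context (an attribute value, a URL, a script block) needs its own encoder, which is why frameworks ship template engines that escape by default.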

Conclusion

References

[2] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

[3] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Disclaimer


⌘ Software Plumber ⌘
