Buca di Beppo — Italian Fine Dining with an Unpatched Bug

Spaghetti, Meatballs, Marinara and Cross-Site Scripting (XSS)

Ax Sharma
Jun 25, 2018
Father’s Day Special Newsletter: “Be Dad’s Favorite — Bring Him To Buca!”
Imitation of a Buca di Beppo coupon with the highlighted First and Last Name placeholder fields

Proofs of Concept (PoCs)

1. Malicious XSS Injection(s)

The PoC URL, when clicked, pops an alert box and repaints the page background with the words “You’ve been hacked.” This demonstrates that script supplied by the attacker controls the website’s DOM: the page’s integrity is completely compromised, and nothing it displays can be trusted. A malicious actor could just as easily place an “enter your email address to verify” form field there, an iframe, or worse.


2. Malicious Redirections

Of course, the same injected script can redirect the victim to a phishing page of the attacker’s choosing, or, if popups are enabled in the victim’s browser, open one in a new window. Because the link the victim clicks points at the genuine domain, the address bar shows an intact bucadibeppo.com URL right up until the redirect fires, and a phishing form rendered in-page (rather than via redirect) keeps that URL throughout.

3. Session Hijacking & Cookies!

Session IDs and tracking cookies for the bucadibeppo.com and offers.bucadibeppo.com domains can be read by the injected script (any cookie not flagged HttpOnly is exposed through document.cookie) and sent to the attacker for easy session hijacking. I’m not aware of the primary Buca di Beppo domain hosting any sensitive data (e.g. credit cards), but it remains a possibility in the near future. As of now, the “ordering” workflow is handled via a separate order.bucadibeppo.com subdomain.

Cross-Site Scripting (XSS) to retrieve a website’s cookies!

Remediation

Here are some pointers which would help remediate XSS vulnerabilities — I figured we need not reinvent the wheel ;-)
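
As an added illustration (this is not code from the post, nor from Buca di Beppo’s site), here is the reflection pattern that PoC 1 above relies on, next to the hardened version the remediation pointers call for. The query-parameter names `first` and `last`, the host `offers.example.com`, and the coupon markup are assumptions made for this example; the payload is the generic event-handler form of an XSS probe, not the one from the report. It runs under Node.js, which provides the WHATWG `URL` class used to parse the query string.

```javascript
// Added example, not Buca di Beppo's code. Parameter names, host and markup
// are assumptions for illustration.

// Vulnerable: name fields taken from the URL are concatenated straight into
// HTML. Whatever the attacker places in ?first= becomes live markup in the
// coupon page's DOM, which is exactly what PoC 1 exploits.
function renderCouponUnsafe(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const first = params.get("first") || "";
  const last = params.get("last") || "";
  return `<div class="coupon">Valid for: ${first} ${last}</div>`;
}

// HTML-escape the five characters that can change parsing context inside an
// element body or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Hardened: same template, but every untrusted value is escaped for the HTML
// text context it lands in. In a real page you would assign via textContent
// or use a template engine that auto-escapes; this is the minimum that makes
// the reflection inert.
function renderCouponSafe(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const first = escapeHtml(params.get("first") || "");
  const last = escapeHtml(params.get("last") || "");
  return `<div class="coupon">Valid for: ${first} ${last}</div>`;
}

// Does the rendered HTML contain any element the template itself did not
// emit? Crude, but it distinguishes "text that looks like a tag" from a tag.
function containsInjectedTag(html) {
  const body = html.replace(/^<div class="coupon">|<\/div>$/g, "");
  return /<[a-zA-Z]/.test(body);
}

// Constructed sample URLs: a benign name, and a hypothetical XSS payload of
// the classic event-handler form (not the payload from the report).
const benign = "https://offers.example.com/coupon?first=Jane&last=Doe";
const hostile =
  "https://offers.example.com/coupon?first=" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">') +
  "&last=Doe";

console.log("unsafe:", renderCouponUnsafe(hostile));
console.log("safe:  ", renderCouponSafe(hostile));
```

Output encoding is the fix the reflection itself needs. Two further layers are worth noting: a Content-Security-Policy that omits `'unsafe-inline'` (or uses nonces) would have stopped the inline `onerror` handler from executing even with the reflection still present, and marking session cookies `HttpOnly` is what keeps the cookie read in PoC 3 from succeeding.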


Disclosure Timeline

I had originally discovered the vulnerability months ago — March 17th, 2018 to be exact. However, repeated attempts to reach Buca di Beppo electronically have either failed or been unfruitful. This has been the most difficult reporting process I have ever dealt with.

Email bounced back with auto-generated response
Tweet sent to BucadiBeppo official Twitter ignored


Written by Ax Sharma

Security Engineer | Researcher | Tech Columnist | https://hey.ax

AxDB

Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which news media and research community can subscribe.
