Thursday, January 24, 2008

Actual Exploit
Here is an exploit that you are sure to find all over the web. I often look at shopping carts from a security perspective, specifically data sanitization. You can find a nearly limitless number of sites that allow you to alter the data being submitted back to the server, but few of them fail to re-check the submitted data as completely as this particular site does. I went the extra mile on this one and took 2 screenshots for validation.



I know that these are kind of small, but you can get the idea here. In the above shot, you can see that I have 3 items in the cart: 2 items for $47.99 and 1 for $247.99. I tried to make the change more obvious, so I just removed the 2 from the $247.99. Also notice that we are not in an HTTPS session at this point. Ironically, or maybe not, I had modified the cart prior to this page and changed the quantity of the $47.99 item from 1 to 2; the server again did not re-check the price and simply updated the quantity, with no further use of the intercepting proxy needed. I added the regular-priced item for comparison. So this part is mostly unimpressive; as I mentioned earlier, this is quite common on the web. The next stage is the real test, since the server must review the data I am asking to pay for in the request that takes me to the checkout screen. Of course this site does NOT do that, as you can see in the shot below:



So now we can see that I am in an HTTPS session, all safe and secure, right??? Pointless... Anyway, I have made it to the final screen to check out, enter my payment method and shipping address, and the price has NOT been changed to the correct amount; it has remained in the altered state that I set. The final test would be to complete the order, but that is not my intention for obvious reasons. It is possible that they would validate the data during the final confirmation process, but it seems VERY unlikely to me, having arrived at this point unchanged.

To fully exploit an oversight such as this, it should be apparent that you would also need to have stolen someone's identity and credit card info and have a safe delivery point, unless you are willing to take a potentially unnecessary risk of an encounter with law enforcement. Doesn't seem worth it for a few hundred dollars, but this example exists elsewhere at potentially more lucrative destinations. I did think that a site such as Home Depot, Walmart, Lowe's or other retailers that allow you to purchase the item online and then pick it up at your local store may be a better choice for such a stunt, as many of them accept online or "web" orders. If you have ever purchased from at least Home Depot or Lowe's, when you go in to sign out an order such as this, your receipt is tiny and the sheet they look at to sign off on your pickup does NOT have the amount paid on it, only the item numbers and quantities being picked up. It would seem to me that no one would catch this at the store during the pickup because they would not be looking for it. Just goes to show that a company's security posture resonates all the way down to the lowest link in the chain.
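The root cause above is a checkout handler that trusts the price the browser posts back. The following is an added illustration (not code from the site in the post): a hypothetical checkout that trusts client-supplied prices next to a hardened version that recomputes the total from a server-side catalog and rejects any mismatch. The catalog, SKUs and request shape are constructed for the example and mirror the cart in the screenshots.

```python
"""Vulnerable vs. hardened checkout totals (constructed example)."""
from decimal import Decimal

# Hypothetical server-side catalog: the only trustworthy source of prices.
CATALOG = {
    "SKU-A": Decimal("47.99"),
    "SKU-B": Decimal("247.99"),
}

# Constructed cart as the browser would post it, after tampering:
# SKU-B's price has had the leading "2" removed, as in the post.
TAMPERED_CART = [
    {"sku": "SKU-A", "qty": 2, "price": "47.99"},
    {"sku": "SKU-B", "qty": 1, "price": "47.99"},
]
# The same cart with untouched prices.
LEGIT_CART = [
    {"sku": "SKU-A", "qty": 2, "price": "47.99"},
    {"sku": "SKU-B", "qty": 1, "price": "247.99"},
]


class PriceTamperingError(ValueError):
    """Raised when a posted cart disagrees with the server-side catalog."""


def checkout_total_vulnerable(cart):
    """Sums whatever the client sent; the price field is never re-checked."""
    return sum(Decimal(item["price"]) * int(item["qty"]) for item in cart)


def checkout_total_hardened(cart):
    """Recomputes the total from CATALOG and refuses tampered or bogus lines."""
    total = Decimal("0")
    for item in cart:
        sku = item["sku"]
        if sku not in CATALOG:
            raise PriceTamperingError(f"unknown sku {sku!r}")
        qty = int(item["qty"])
        if qty < 1:  # negative or zero quantities are another classic tamper
            raise PriceTamperingError(f"invalid quantity {qty} for {sku}")
        expected = CATALOG[sku]
        if Decimal(item["price"]) != expected:
            # Worth logging: a browser can never legitimately change a price.
            raise PriceTamperingError(
                f"{sku}: posted {item['price']}, catalog {expected}")
        total += expected * qty
    return total
```

A hardened handler could also simply ignore the posted price, but comparing it gives a cheap detection signal for proxy tampering.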
