November 14, 2006
How secure is your web application? Are you sure? We are constantly amazed at the lack of basic security many companies employ online. For instance, it has been known for years that e-commerce sites relying on hidden form fields are susceptible to manipulation. The problem doesn’t seem to be getting any better, and it is actually being made worse by some service providers. Many smaller hosting companies offer software solutions to help small businesses get online “faster” and “easier.” Faster and easier almost never translate to more secure.
Which brings me to the title of this article. During my studies for the CEH exam, I was exposed to the seriously flawed CartIt.cgi shopping cart application. CartIt.cgi is a widely used shopping cart that stopped being developed last year. The reason this application is flawed is that it uses hidden fields within the HTML POST to submit the price and quantity when the user clicks on the add-to-cart button. Hidden fields are easy to manipulate, because they live in the user’s browser and are sent back exactly as the user chooses to send them. One of the easiest ways is to use a local proxy, such as Paros, to intercept the POST between the browser and the server, effectively launching a man-in-the-middle attack against your own request. This allows you to change the price before it is submitted to the server.
Doing a simple Google search for cartit.cgi+plasma, I found a web site that sells plasma TVs (which shall remain nameless to avoid a lawsuit). The website thinks it is selling TVs for $7,599, but a customer can pay whatever they want by intercepting the POST and changing the price. If you think the company would catch this error, think again. Many companies outsource the fulfillment of orders and never check the prices being charged. Note: I do not endorse e-shoplifting, so I did not complete the above transaction, but I know for a fact that the site will accept the order for $0.99. Now, $0.99 is extreme enough to *maybe* raise a flag. A simpler approach is to just move the decimal over 1 or 2 places. This way, if the company does notice, they will assume it was a processing error on their side. So maybe this article should be titled: “How to buy a 65″ plasma for $75.99.”
Another simple search for CartIt reveals that many hosting companies are still actively supporting CartIt.cgi. For example, IM1 Web Hosting calls CartIt “a powerful e-commerce solution for merchants and professional Webmasters…CartIt is an extensible, scalable shopping cart system that can handle just about any product or product combination you throw at it.” Disgraceful.
Note also that the shopping cart displayed above was deemed secure by VeriSign, Control Scan, BBB Online, Mastercard, and Visa. How much confidence do you have in those programs now? Hopefully not much. A trust seal attests to the scanning or policy program behind it, not to the logic of the application that displays it.
The exploit described above is not unique to CartIt. There are many shopping carts that use hidden POST fields for pricing. A shopping cart should allow the user to submit the SKU and the quantity, but never the price. The price should be looked up server-side from a database, and the server should treat every field it receives from the browser as untrusted input. The point here is that if you do not know how your applications work, you cannot rely upon their security. If you are using a shopping cart provided by your hosting company to run your site, we recommend you check it for this class of weakness. Failing to do so can be hazardous to your bottom line.
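To make the fix concrete, here is an added example (not CartIt’s code, and not code from the original article) that puts the flawed handler next to the hardened one. It is written in Python rather than the Perl CGI that CartIt.cgi used; the catalog, the two POST bodies, and the function names are all constructed for illustration. The vulnerable handler prices the line item from the hidden `price` field; the hardened handler accepts only `sku` and `qty`, prices from the server-side catalog, validates the quantity, and writes an audit entry whenever a client-supplied price disagrees with the catalog, so tampering attempts become visible instead of silently succeeding.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog; in a real shop this is a database lookup keyed by SKU.
CATALOG = {
    "PLASMA-65": Decimal("7599.00"),
    "HDMI-CABLE": Decimal("19.99"),
}

# Constructed POST bodies, as a browser would send them from a form with hidden fields.
# The tampered one is the "move the decimal two places" case from the article.
HONEST_POST = "sku=PLASMA-65&qty=1&price=7599.00"
TAMPERED_POST = "sku=PLASMA-65&qty=1&price=75.99"


def parse_post(body):
    """Flatten a URL-encoded POST body into a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_add_to_cart(body):
    """The CartIt-style mistake: trust the hidden price field sent by the client."""
    form = parse_post(body)
    qty = int(form["qty"])
    price = Decimal(form["price"])  # attacker-controlled value used for billing
    return {"sku": form["sku"], "qty": qty, "line_total": price * qty}


def hardened_add_to_cart(body, audit_log):
    """Accept only SKU and quantity; the unit price always comes from the catalog.

    A client-supplied price is never used for billing. If one is present and
    disagrees with the catalog, an entry is appended to audit_log so the
    attempt can be reviewed (constructed log format, not a CartIt feature).
    """
    form = parse_post(body)
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    unit_price = CATALOG[sku]

    submitted = form.get("price")
    if submitted is not None:
        try:
            if Decimal(submitted) != unit_price:
                audit_log.append(
                    f"price mismatch sku={sku} submitted={submitted} catalog={unit_price}"
                )
        except InvalidOperation:
            audit_log.append(f"unparseable price sku={sku} submitted={submitted!r}")

    return {"sku": sku, "qty": qty, "line_total": unit_price * qty}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_add_to_cart(TAMPERED_POST))
    log = []
    print("hardened:  ", hardened_add_to_cart(TAMPERED_POST, log))
    print("audit log: ", log)
```

Running the block shows the vulnerable handler billing $75.99 for the same request that the hardened handler bills at $7,599.00, with one audit line recording the mismatch. The audit entry is the cheap detection a merchant who outsources fulfillment can actually act on: a mismatch between a submitted price and the catalog price is never a legitimate condition, so any such entry is worth a look.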
Editor’s note: The techniques described in this article are for educational purposes only. We do not encourage or endorse the manipulation of 3rd party web applications to change the price. E-Shoplifting is a crime.