Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications
Synopsis:

There are form tampering vulnerabilities present in several web-based shopping cart applications. Over the past couple of years, form tampering vulnerabilities have been discussed on security forums. ISS X-Force has continued to research this area due to the constant increase in e-commerce. ISS X-Force has identified eleven shopping cart applications that are vulnerable to price changing using form tampering. It is possible for an attacker to take advantage of the form tampering vulnerabilities and order items at a reduced price on an e-commerce site. The web store operator should verify the price of each item ordered against the shopping cart application's database or e-mail invoice.

Description:

Many web-based shopping cart applications use hidden fields in HTML forms to hold parameters for items in an online store.  These parameters can include the item's name, weight, quantity, product ID, and price.  An application that bases price on a hidden field in an HTML form may be compromised by this vulnerability.  An attacker could modify the HTML form on their local machine to change the price of the item and then load the page into a web browser.  After submitting the form, the item is added to their shopping cart at the modified price.  Vulnerable shopping cart applications use a hidden field containing the price of an item.  When the value of that hidden field is changed, the shopping cart application stores the changed price in its database and/or e-mail invoice.  This vulnerability can also affect hidden discount fields in the HTML form.  An attacker can modify the discount fields to get a discount on items without actually modifying the price in the form. If a site processes credit card orders in real time, it may not be possible to verify the price of each item before the credit card is charged. 

Another situation that can lead to price changing occurs when the price of an item is listed in a URL.  When clicking a link, the CGI program will add the item to the shopping cart with the price set in the URL.  Simply changing the price in the URL will add the item to the shopping cart at the modified price.  Shopping cart software should not rely on the web browser to set the price of an item.
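The two situations above (a hidden price field and a price carried in the URL) are the same defect: the server accepts a price that the browser chose. The following is an added example, not code from ISS X-Force or from any of the shopping cart products in the advisory. It shows a minimal CGI-style add-to-cart handler that trusts the submitted `price` and `discount` parameters, beside one that reads only the product ID and quantity from the request and takes the price from a server-side catalog. The parameter names, product IDs and prices are constructed for the example.

```python
"""Added example (not ISS X-Force or vendor code): a cart handler that trusts
a hidden price field beside one that prices items server-side.
Parameter names, SKUs and prices below are constructed."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog: the only legitimate source of prices.
CATALOG = {
    "SKU-1001": Decimal("49.95"),
    "SKU-1002": Decimal("129.00"),
}


def vulnerable_add_to_cart(query_string: str) -> dict:
    """Reproduces the flaw in the advisory: the unit price and discount come
    from request parameters (a hidden form field or the URL), so whoever
    builds the request sets the price the cart stores."""
    params = parse_qs(query_string)
    item = params["item"][0]
    qty = int(params.get("qty", ["1"])[0])
    price = Decimal(params["price"][0])                    # browser-supplied
    discount = Decimal(params.get("discount", ["0"])[0])   # browser-supplied
    unit = price - discount
    return {"item": item, "qty": qty, "unit_price": unit, "total": unit * qty}


def hardened_add_to_cart(query_string: str) -> dict:
    """Server-side pricing: only the product ID and quantity are taken from
    the request. Any 'price' or 'discount' parameter is ignored, the ID must
    exist in the catalog, and the quantity is bounded."""
    params = parse_qs(query_string)
    item = params.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError(f"unknown product id {item!r}")
    try:
        qty = int(params.get("qty", ["1"])[0])
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    unit = CATALOG[item]                                   # never parsed from input
    return {"item": item, "qty": qty, "unit_price": unit, "total": unit * qty}


def price_is_trusted_from_request(handler, query_string: str) -> bool:
    """Self-check a reviewer can run against a handler: submit an absurd
    price and see whether the stored total follows it."""
    try:
        result = handler(query_string)
    except (ValueError, InvalidOperation, KeyError):
        return False
    return result["unit_price"] != CATALOG.get(result["item"])


if __name__ == "__main__":
    tampered = "item=SKU-1002&qty=1&price=1.00&discount=0.50"
    print("vulnerable:", vulnerable_add_to_cart(tampered)["total"])   # 0.50
    print("hardened:  ", hardened_add_to_cart(tampered)["total"])     # 129.00
```

The hardened handler still accepts the same form: the hidden fields may stay in the HTML for display, but nothing the server charges is derived from them. Any discount must likewise be computed server-side (from a coupon table or customer record), never read back from a field the page emitted.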

Several of these applications use a security method based on the HTTP Referer header to verify that the request is coming from an appropriate site. The applications tested do not check to see whether a referrer is present in the HTTP header at all, so the transaction will continue if the form is submitted from a hard drive. Microsoft Internet Explorer 5.0 does not include a referrer field in the HTTP header if the form is submitted from a page stored on a local drive (see Microsoft Knowledge Base article Q178066). The inclusion of a referrer field makes it more difficult to exploit these form tampering vulnerabilities. However, a referrer field can be modified, allowing an attacker to take advantage of these vulnerabilities.
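Because neither a hidden field nor a referrer check can be relied on, the synopsis tells store operators to verify the price of each ordered item against the cart database or e-mail invoice. The following is an added example, not code from ISS X-Force or from any cart product in the advisory, of that operator-side check: it parses constructed invoice text of the form a cart might e-mail, reconciles every line against the catalog, and reports lines whose unit price differs or whose product ID is unknown. The invoice format, SKUs and prices are constructed for the example.

```python
"""Added example (not ISS X-Force or vendor code): reconcile stored or
e-mailed orders against the catalog to detect price tampering after the
fact. Invoice format, SKUs and prices are constructed."""
import re
from decimal import Decimal

# Constructed catalog: the prices the store actually intends to charge.
CATALOG = {
    "SKU-1001": Decimal("49.95"),
    "SKU-1002": Decimal("129.00"),
}

# Constructed invoice text in a simple one-line-per-item format.
INVOICE_TEXT = """\
Order A103
SKU-1001 x2 @ 49.95
SKU-1002 x1 @ 1.00
"""

_ORDER_RE = re.compile(r"^Order (\S+)$")
_LINE_RE = re.compile(r"^(\S+) x(\d+) @ (\d+\.\d{2})$")


def parse_invoice_text(text: str) -> dict:
    """Turn constructed invoice text into an order record
    {"order_id": ..., "lines": [{"item", "qty", "unit_price"}, ...]}."""
    order = {"order_id": None, "lines": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ORDER_RE.match(line)
        if m:
            order["order_id"] = m.group(1)
            continue
        m = _LINE_RE.match(line)
        if m:
            order["lines"].append(
                {"item": m.group(1), "qty": int(m.group(2)), "unit_price": m.group(3)})
            continue
        raise ValueError(f"unrecognised invoice line: {line!r}")
    if order["order_id"] is None:
        raise ValueError("invoice has no order id")
    return order


def audit_orders(orders, catalog=CATALOG, tolerance=Decimal("0.00")):
    """Return (order_id, sku, reason) for every line that does not match the
    catalog. 'tolerance' allows for legitimate rounding; 0.00 is strict."""
    findings = []
    for order in orders:
        for line in order["lines"]:
            sku = line["item"]
            charged = Decimal(line["unit_price"])
            if sku not in catalog:
                findings.append((order["order_id"], sku, "unknown product id"))
                continue
            expected = catalog[sku]
            if abs(charged - expected) > tolerance:
                findings.append(
                    (order["order_id"], sku, f"charged {charged}, catalog {expected}"))
    return findings


# Constructed records as a cart application might store them in its database.
STORED_ORDERS = [
    {"order_id": "A100",
     "lines": [{"item": "SKU-1001", "qty": 2, "unit_price": "49.95"}]},
    {"order_id": "A101",
     "lines": [{"item": "SKU-1002", "qty": 1, "unit_price": "1.00"}]},
    {"order_id": "A102",
     "lines": [{"item": "SKU-9999", "qty": 1, "unit_price": "10.00"}]},
]


if __name__ == "__main__":
    for finding in audit_orders(STORED_ORDERS + [parse_invoice_text(INVOICE_TEXT)]):
        print("FLAG", *finding)
```

Run this before fulfilment, or before the card is charged where the site captures payment in real time, since the advisory notes that real-time charging leaves no window for a manual check. Promotional prices should be reflected in the catalog the audit reads, otherwise every legitimate sale item is flagged.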

© 1998-2006 IntelliCatalog, Inc., All rights reserved.