14

I really just came across this on a legit apartment rental website.

I can see no possible way for this to go wrong.
No possible way that anyone could exploit this... 🙃

Comments
  • 2
    Wow boy!
    Some ones asking for a world of pain out of that one.
  • 0
    can you explain how you would exploit this? is the serial number an api key or something?
  • 7
    @calmyourtities What would happen if someone were to change the

    <NONREFUNDABLE-APPLICATION-FEE>

    40.00

    </NONREFUNDABLE-APPLICATION-FEE>

    to

    <NONREFUNDABLE-APPLICATION-FEE>

    0.00

    </NONREFUNDABLE-APPLICATION-FEE>

    or

    <NONREFUNDABLE-APPLICATION-FEE>

    -40.00

    </NONREFUNDABLE-APPLICATION-FEE>

    and/or change the <TO-EMAIL>...</TO-EMAIL>

    ? I wonder. Not going to do it, but this implementation just made me laugh.
  • 5
    I got the ad for a local coffee business providing a free jar of coffee if you order a combo pack of four coffee jars.

    I proceeded to try to delete the combo from the cart via Chrome's Inspect Element to see how it handles it, and well, it does not handle it very well because I got to order a free jar worth 350 bucks in my local currency, for the price of 30 bucks for shipping that had to be paid anyway.

    The next time I tried it they had obviously patched it, but I'll never forget that look on that courier person's face (who was probably affiliated with the business) when he realized that I was paying for just the shipping and getting a free jar for ordering nothing else.

    I know it is kind of dishonest on my part but if you're gonna annoy me with so many ads on my Instagram feed then it's all fair game.
  • 0
    @corscheid please show me how you do that in a real world example. It is not possible. Only if there is an XSS on that page. But for that you need to achieve to excecute that XSS on the users web browsers.

    So how ever shitty this code is, it is not exploitable.
  • 4
    @Tr33 As far as I know, someone would just modify the code right there on the page using the element inspector, then hit the submit button which posts the XML to PHP with that data as modified.
  • 2
    Couldn't one even use Postman or Insomnia to POST a modified version of that XML data to that PHP page?
  • 0
    @corscheid okay i see, I miss understand what you was writing about. But I'm pretty sure that the service has some checks for that.

    Still would be interessting what happens if the value would be between 0 and 40.
  • 0
    @Tr33 Yeah, I have a strange feeling that posting 1.00 would actually work for real, saving 39.00 USD in this case 😂
  • 0
    Please explain how it is fundamentally different from a situation where you manually enter your sensitive data into an input field. Both are DOM entities containing sensitive data.

    If a malicious script ends up on the page, your data is compromised either way.
  • 4
    @uyouthe in this instance the non-refundable amount is stored client side, allowing the user to manipulate it, which can harm the business, for example if you made that -$100 and your order was $20, that's a $80 refund if the system doesn't handle it and validate it. Which is likely since it's accepting client side data and not creating this value on the server side.

    Also the return URL can have sensitive data posted to it which is required by the receiving page, this could potentially leak internal access keys, as there is a URL being posted too and then you would be jumped to the return URL. That middle page could be sending data back through.

    Or it could just be a thank you page.
  • 1
    @C0D4 so the problems are no server-side validation and an unsafe redirect. You haven’t mentioned a single one of those in your rant
  • 0
    @uyouthe it's possible, and sadly it's 2020 and still happens.

    Ps: it's not my rant 🙃
  • 1
    @C0D4 fuck, I messed up the mention thing again.
  • 1
    @C0D4 -$100? That's really how you're supposed to write it?
  • 0
    @corscheid i believe that's only data sent with the rest of the webpage. i think if you changed it, the backend would reject it.
  • 0
    @electrineer or $-100 or ($100).
    Many ways to write a negative $ amount 😕
  • 0
    @C0D4 -100$ looks more sane
  • 0
    -100.00

    ?
  • 1
    or if not validated it could even be something besides a number all together. like code.
Add Comment