I often order pizza in Odessa, and my favourite delivery is pizza.od.ua: they are generous with the filling and let you build a pizza from your own ingredients, whereas other delivery services only let you pick from the pizzas on offer, with no way to add or swap ingredients. A month or two ago I got hooked on the sushi at pizza.od.ua. Since they recently stopped delivering for a while, I found another sushi and pizza delivery.
I decided to test it for vulnerabilities.
The first vulnerability, the most common on such sites, is that the server does not verify the amount paid for the goods (IDOR). The POST request carries a price variable and a finalPrice variable; finalPrice is editable, so you can give yourself a discount on the pizza.
POST /buy.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
We change finalPrice and pay 1 dollar for the pizza instead of 8. The order was accepted, but the administrators noticed the substitution and refused to send me the pizza.
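Here is how the server side should have handled that request, as an added Python example (not the shop's code; the menu, prices and request are constructed): the vulnerable version trusts finalPrice from the form, the hardened one recomputes the total from its own price list and rejects any order whose submitted price does not match.

```python
from decimal import Decimal

# Constructed server-side price list (hypothetical; not the shop's real menu).
MENU = {
    "margherita": Decimal("8.00"),
    "pepperoni": Decimal("9.50"),
    "philadelphia_roll": Decimal("6.00"),
}


def vulnerable_charge(form: dict) -> Decimal:
    """Charge whatever finalPrice the browser sent: the behaviour described above."""
    return Decimal(form["finalPrice"])


def server_total(items: dict) -> Decimal:
    """Recompute the order total from the server's own price list only."""
    total = Decimal("0.00")
    for sku, qty in items.items():
        if sku not in MENU or qty <= 0:
            raise ValueError(f"unknown item or bad quantity: {sku}")
        total += MENU[sku] * qty
    return total


def hardened_charge(form: dict, items: dict) -> Decimal:
    """Charge the server-computed total; a mismatching finalPrice is treated as tampering."""
    expected = server_total(items)
    # The client's number is never used as the amount; it is only compared so that a
    # disagreeing client (buggy or malicious) is rejected and logged, not under-charged.
    submitted = Decimal(form.get("finalPrice", "0"))
    if submitted != expected:
        raise PermissionError(
            f"price mismatch: client sent {submitted}, server computed {expected}"
        )
    return expected


def is_rejected(form: dict, items: dict) -> bool:
    """True if the hardened handler refuses this (form, cart) pair."""
    try:
        hardened_charge(form, items)
    except (PermissionError, ValueError):
        return True
    return False


# Constructed request: one margherita in the cart, finalPrice edited from 8 to 1.
TAMPERED_FORM = {"finalPrice": "1"}
HONEST_FORM = {"finalPrice": "8.00"}
CART = {"margherita": 1}
```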
Second vulnerability. Once the order was submitted, the site redirected to http://pizza.com/your_order.html?order=567808&ret=1 and displayed the order number on the page. Putting JavaScript in place of the number, http://pizza.com/your_order.html?order=">&ret=1, gives a reflected XSS.
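An added Python example (not the site's code; the URLs and hostnames are constructed) of that order page rendered two ways: the vulnerable version echoes the order parameter straight into an attribute, the hardened one accepts only a numeric order number and escapes it on output anyway. The probe closes the attribute with a harmless <b> tag instead of a script, and a tag collector shows whether the value broke out of the attribute.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

ORDER_RE = re.compile(r"[0-9]{1,12}")


def order_param(url: str) -> str:
    """Pull the order value out of the query string (empty if absent)."""
    return parse_qs(urlsplit(url).query).get("order", [""])[0]


def vulnerable_page(url: str) -> str:
    """Echo the parameter into an attribute unescaped: the behaviour described above."""
    return f'<p>Your order: <input value="{order_param(url)}"></p>'


def hardened_page(url: str) -> str:
    """Reject anything that is not a plain number, and escape on output regardless."""
    order = order_param(url)
    if not ORDER_RE.fullmatch(order):
        return "<p>Invalid order number.</p>"
    return f'<p>Your order: <input value="{html.escape(order, quote=True)}"></p>'


class TagCollector(HTMLParser):
    """Records every start tag a browser would see in the rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(page: str) -> list:
    parser = TagCollector()
    parser.feed(page)
    return parser.tags


# Constructed URLs: a real-looking order number, and a probe that closes the
# attribute and injects a harmless <b> tag in place of a script.
LEGIT_URL = "http://pizza.example/your_order.html?order=567808&ret=1"
PROBE_URL = "http://pizza.example/your_order.html?order=%22%3E%3Cb%3Ex%3C/b%3E&ret=1"
```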
The third vulnerability: logout CSRF and clickjacking, information disclosure, and takeover of the order administration panel.
curl1 is the address of the site that gets loaded in the frame. It looks like base64; decoding it gives http://online.mobidel.ru/makeOrder.php?user=root&password=password&wid=5040&family=data_of_our_order, where wid is the platform id. We try to get into the admin panel at http://online.mobidel.ru/ and succeed. We can see our order, and it would be possible (of course, I will not do it) to edit it, send it for processing on behalf of the manager and earn a free pizza.
We can also see the data of all customers and the current orders.
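As an added example (not mobidel's or the shop's code), a check a defender can run over redirect URLs like the one above: decode every base64-looking parameter and, if it hides a URL, flag query keys that carry credentials. The inner URL, hosts and credential values below are constructed placeholders, not the real ones.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Query keys that should never travel in a URL, let alone one that ends up in an iframe.
SENSITIVE_KEYS = {"user", "username", "login", "password", "pass", "pwd", "token"}


def decode_b64_param(value: str) -> Optional[str]:
    """Decode a standard or URL-safe base64 value; None if it is not base64 text."""
    padded = value.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def credentials_in_url(url: str) -> list:
    """Sensitive query keys present in url, case-insensitive, sorted."""
    keys = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in keys if k.lower() in SENSITIVE_KEYS)


def audit_redirect(url: str) -> dict:
    """Decode each base64-looking parameter; report those hiding a URL with credentials."""
    findings = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            inner = decode_b64_param(value)
            if inner is None or not inner.startswith(("http://", "https://")):
                continue
            leaked = credentials_in_url(inner)
            if leaked:
                # Report the path only; never log the credential values themselves.
                findings[key] = {"inner_url": inner.split("?", 1)[0], "leaked_keys": leaked}
    return findings


# Constructed sample: placeholder host and credentials, not the real ones from the page.
INNER_URL = "http://backend.example/makeOrder.php?user=root&password=PLACEHOLDER&wid=5040"
REDIRECT_URL = ("http://pizza.example/your_order.html?order=567808&curl1="
                + quote(base64.b64encode(INNER_URL.encode()).decode(), safe=""))
CLEAN_URL = "http://pizza.example/your_order.html?order=567808&ret=1"


def sample_findings() -> dict:
    return audit_redirect(REDIRECT_URL)
```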
We inform the pizza delivery service about this vulnerability and get 10 free pizzas or sushi of our choice.
29 January. Report.
29 January. "Nice catch!"
30 January. Awarded 20 free pizzas or sushi with a 50% discount (10 free pizzas).
19 February. Vulnerability fixed.
Now on to mobidel.ru. The order was created with a GET request that carried the username and password in the clear: http://pizza.com/your_order.html?order=567808&curl1=hash. The same vulnerability might exist for other clients, so we look at the page listing their clients and collect those clients' URLs from it. We checked, and it turned out this was the only case where the username and password were in the clear.
1) Discovered stored XSS.
If I send a script through an order, then the manager's cookies get stolen and the order admin area of any site where this script runs can be taken over. Vulnerable fields: Home, time, promotional code, comment.
2) Found another vulnerability: brute force & account takeover.
We go through registration and receive a message about activation of a 30-day trial period with our login data
I logged into my account and could not find where to change my password. Probably other users could not either. And so it is: almost every id has the password 123456. About 2.5 thousand users have the default password (those who activated the free 30 days and some accounts of those on a permanent basis). That discloses a lot of email addresses, phone numbers and names.
If the manager office at least had a nominal 123456 password, they did not bother about the courier's office at all:
This company charges at most 2500 per month for its services and at least 500; they have only 5,600 customers, and I am sure at least 2000 of them ordered services. 2000 multiplied by 1000 comes to $33 000 a month. They earn well (perhaps I'm wrong and the conversion from 5600 may be lower, but it is still not bad), yet they do not care about security.
January 29: we send 2 messages about the vulnerability finding; February 28: one more letter; March 1: three more letters, and the company still ignores my messages. On March 1 I contacted the head of the pizza delivery service, who gave me the VK link of a programmer who works at mobidel. I wrote to him about the vulnerability; he said to write to the same email address and that this time I would not be ignored.
This is not a vulnerability, and your actions are quite logical; the password 123456 is standard for everyone, and those who use the system on an ongoing basis change it.
those who use the system on an ongoing basis change it.
– and those who do not use it, you do not care that their personal data gets stolen?
The message was still ignored, and here is my other reply:
Do not ignore this vulnerability; ignoring it is not a solution to the problem.
+ We send a report about the XSS vulnerability with the takeover of any delivery service.
We give the company 20 days to fix its vulnerabilities or at least respond to my messages. That did not happen, so I am making it public.
Conclusion from this article: never put default passwords on accounts; always generate complex passwords with upper and lower case letters, numbers and symbols.
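Both the default-password problem found in the manager and courier offices and this conclusion come down to how accounts are created. This added Python example (not mobidel's code; logins are constructed) generates a random initial password per new account, stores only a salted PBKDF2 hash, forces a change on first login, and audits a list of accounts for those that still accept 123456.

```python
import hashlib
import os
import secrets
import string
from dataclasses import dataclass

DEFAULT_PASSWORD = "123456"  # the shared default the write-up found on ~2.5 thousand accounts
SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
ITERATIONS = 100_000


@dataclass
class Account:
    login: str
    salt: bytes
    digest: bytes
    must_change_password: bool


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, account: Account) -> bool:
    return secrets.compare_digest(hash_password(password, account.salt), account.digest)


def generate_initial_password(length: int = 16) -> str:
    """Random password with at least one lower, upper, digit and symbol character."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def register(login: str) -> tuple:
    """Create an account with a unique random password that must be changed on first login."""
    pw = generate_initial_password()
    salt = os.urandom(16)
    return Account(login, salt, hash_password(pw, salt), True), pw


def legacy_account(login: str, password: str) -> Account:
    """Constructed stand-in for an account created the old way, with a shared default."""
    salt = os.urandom(16)
    return Account(login, salt, hash_password(password, salt), False)


def accounts_on_default(accounts: list) -> list:
    """Audit: logins that still accept the shared default password."""
    return [a.login for a in accounts if verify_password(DEFAULT_PASSWORD, a)]
```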