Postmortem and Further Countermeasures
ACME Fashions, Inc., suffered tremendous losses of time and money because of three critical mistakes made over a period of time. All three stemmed from a lack of input validation and from misplaced trust in the integrity of data received from the Web browser. Let's review these shortcomings again.
The first flaw was caused by the improper use of hidden fields. Crucial information such as product ID and price was passed via hidden fields in HTML forms. Recall that, once the HTML response is sent by the Web server to the Web browser, the server loses all control over the data sent. HTTP is essentially stateless, and the server can make no assumptions about whether the data returned is intact or has been tampered with. Hidden fields can be manipulated on the client side and sent back to the Web server. If the server has no way to validate the information coming in via hidden fields, clients can tamper with that data and bypass controls enforced by the system. To protect systems from such attacks on data integrity, Web site developers should avoid passing information via hidden fields. Instead, such information should be maintained in a database on the server and looked up there when needed.
Shopping Carts with Remote Command Execution
Many commercially available shopping carts suffer from a lack of input validation in parameters passed via the URL or hidden fields. That lack allows meta-characters to be inserted to achieve remote command execution. Here are some headlines taken from various security information portals regarding vulnerabilities in shopping carts:
September 6, 2001—ShopPlus Cart Commerce System Lets Remote Users Execute Arbitrary Shell Commands
September 8, 2001—Hassan Consulting Shopping Cart Allows Remote Users to Execute Shell Commands on the Server
September 19, 2001—Webdiscount.net's eshop Commerce System Lets Remote Users Execute Arbitrary Commands on the System and Gain Shell Access
October 20, 2001—Mountain Network Systems WebCart Lets Remote Users Execute Arbitrary Commands on the Web Server
All these shopping carts fail when the pipe character is inserted in one of the URL parameters. The exploit URLs for these carts are:
http://targethost/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|
http://targethost/cgi-local/shop.pl/SID=947626980.19094/page=;uname+-a|
http://targethost/cgi-bin/eshop.pl?seite=;ls|
http://targethost/cgi-bin/webcart/webcart.cgi?CONFIG=mountain&CHANGE=YES&NEXTPAGE=;ls|&CODE=PHOLD
In each case the shopping cart passes the unchecked parameter contents to Perl's open() function to open a file, and open() treats a value ending in a pipe character as a command to run rather than a file name.
The second obvious mistake was using client-side scripts to perform input validation. Code developers are always tempted to use JavaScript or VBScript to have code executed on the client side and remove the burden from the server. However, client-side scripts are as fragile as hidden fields when it comes to the lack of tamper resistance. Client-side scripts should only be used for smooth navigation or for adding extra interactivity and presentability to the Web page. An attacker can easily bypass or modify client-side scripts and circumvent any checks enforced by them. As in the Acme case, attackers can inject negative quantities with ease, bypassing any restriction imposed by the embedded JavaScript. Similarly, some Web-based storefront systems perform arithmetic operations on the client side, such as computing the total quantity and price of an order within the fill-out form itself. To the customer, it is a nice feature to see prices updated in the browser without submitting the values to the server and waiting for a response. However, this technique must be avoided at all costs, and the application must be designed in such a way that all important validations and computations are executed and verified on the server side so that attackers cannot manipulate the data. The golden rule is: “Thou shalt not trust data coming from the client.”
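The following is an added illustration, not code from the book or from Acme's site, of how the server should handle an order line so that neither the hidden price field nor the client-side quantity check is trusted: the product ID is looked up in a server-side catalog (a constructed dictionary standing in for the database here), the price is taken from that catalog, and the quantity is re-validated on the server. The catalog entries and form submissions are constructed samples.

```python
import re
from decimal import Decimal

# Constructed catalog standing in for the server-side product database.
CATALOG = {
    "AF-1001": {"name": "Denim jacket", "price": Decimal("59.99")},
    "AF-1002": {"name": "Silk scarf", "price": Decimal("24.50")},
}
MAX_QTY = 99
# Plain ASCII digits only: rejects '-5', '+3', '1e2', ' 3', '3;ls' and unicode digits.
QTY_RE = re.compile(r"^[0-9]+$")


class OrderError(ValueError):
    """Raised when a submitted order line fails server-side validation."""


def validate_line(form: dict) -> dict:
    """Rebuild one order line from an untrusted form submission.

    Only the product ID and quantity are taken from the client. The price
    is read from CATALOG, so a tampered hidden 'price' field has no effect,
    and the quantity is checked here regardless of any JavaScript check.
    """
    pid = form.get("product_id", "")
    item = CATALOG.get(pid)
    if item is None:
        raise OrderError(f"unknown product id {pid!r}")
    raw_qty = form.get("quantity", "")
    if not QTY_RE.match(raw_qty):
        raise OrderError(f"quantity must be a positive integer, got {raw_qty!r}")
    qty = int(raw_qty)
    if not 1 <= qty <= MAX_QTY:
        raise OrderError(f"quantity {qty} outside 1..{MAX_QTY}")
    return {"product_id": pid, "quantity": qty,
            "unit_price": item["price"], "line_total": item["price"] * qty}


if __name__ == "__main__":
    # Constructed submissions: honest, price tampered via hidden field, negative quantity.
    honest = {"product_id": "AF-1001", "quantity": "2", "price": "59.99"}
    tampered = {"product_id": "AF-1002", "quantity": "1", "price": "0.01"}
    negative = {"product_id": "AF-1001", "quantity": "-5", "price": "59.99"}
    print(validate_line(honest)["line_total"])    # 119.98
    print(validate_line(tampered)["line_total"])  # 24.50, the client's 0.01 is ignored
    try:
        validate_line(negative)
    except OrderError as err:
        print("rejected:", err)
```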
The final vulnerability was caused by the lack of input sanitization in mywebcart.cgi. Whenever data passed in HTML form fields reaches critical functions such as open(), care must be taken to remove any combination of symbols or meta-characters. Two main input validations must be performed: one for the length of the data received (to avoid buffer overflow attacks) and the second for meta-characters. In this case, Acme has to add an input sanitization routine that filters meta-characters such as “&,” “%,” “$,” “|,” and “<.” For a nearly complete list of input sanitization routines in all the major Web languages used today, review Chapter 1.
Additional security issues relating to e-commerce shopping systems in general include information retrieval from temporary files on the server, poor encryption mechanisms, file system directory exposure, privilege escalation, customer information disclosure, alteration of products, alteration of orders, and denial of service. All of these are exploitable weaknesses, and all are present in many e-commerce application implementations.
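As an added example (not the book's or Acme's code), here are the two checks described above applied to a file-name parameter before it could reach open(): a length limit and the chapter's meta-character deny-list, alongside an allow-list that accepts only a plain file name. The allow-list is the stricter of the two: it also refuses a value such as ";ls" that contains none of the listed characters. The sample values are constructed, and the 64-character limit is an assumed site policy.

```python
import re

MAX_LEN = 64  # assumed per-parameter limit for this example
# Deny-list: the meta-characters the chapter names for mywebcart.cgi.
CHAPTER_META = set("&%$|<")
# Allow-list: a page/file parameter may only be a plain name such as 'catalog.html'.
# The length bound here matches MAX_LEN (1 + 63 characters).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def deny_list_check(value: str) -> list:
    """Return the problems found by the length and meta-character checks (empty = none)."""
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"length {len(value)} > {MAX_LEN}")
    bad = sorted(c for c in set(value) if c in CHAPTER_META)
    if bad:
        problems.append("meta-characters " + " ".join(repr(c) for c in bad))
    return problems


def allow_list_check(value: str) -> list:
    """Accept only values matching SAFE_NAME; anything else is refused outright."""
    return [] if SAFE_NAME.match(value) else [f"{value!r} is not a plain file name"]


def safe_to_open(value: str) -> bool:
    """Both checks must pass before the value is used as a file name."""
    return not deny_list_check(value) and not allow_list_check(value)


if __name__ == "__main__":
    # Constructed samples: an honest page name, the payloads quoted earlier
    # in this chapter, a value with no listed meta-character, and an oversized value.
    for v in ["catalog.html", ";ls|", ";cat /etc/passwd|", ";ls", "x" * 70]:
        print(f"{v[:20]!r:24} deny={deny_list_check(v)!r:36} allow={allow_list_check(v)}")
```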