Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
4wd.com
Posted by: rsnake
Date: November 16, 2006 03:18PM

From another one of our lurkers. This isn't about XSS, though; it's about being able to modify the shopping cart:

Quote

4wd.com is a "Scan Alert" certified website. However, it has a serious issue with its shopping cart: it allows negative quantities to be inserted, which causes the total of the purchase to be calculated incorrectly.

http://www.4wd.com/subcategories.aspx?cid=30&sid=188

click the "Add to cart" button next to the "EXTERNAL TORX SOCKET SET"
Checkout page displays:
Quantity: 1 Price: $18.99
Subtotal: $18.99
Estimated Shipping: $9.00
Total: $27.99
This works and displays normal results as expected. Now click the link below and add another item to the cart with a negative quantity.

http://www.4wd.com/productdetails.aspx?cid=30&sid=188&pid=V230
Enter a negative number in the quantity, -1 for example, and click "Add to cart".
Checkout page displays:

Item #1: Quantity: 1 Price: $18.99
Item #2: Quantity: -1 Price: ($20.99)

Subtotal: ($2.00)
Estimated Shipping: $3.00
Total: $1.00

See attached document for the actual screenshot of the cart.

Notice the ScanAlert "Hacker Safe" Tested 14 - Nov image in the lower right of the screenshot.

It's surprising that Scan Alert doesn't even test something as simple as this type of attack against a shopping cart!

BTW, love the site ha.ckers.org and the sla.ckers.org forums!

Ouch. I didn't add the screenshot but you get the point. If anyone needs a copy of it for some reason let me know and I'll upload it.

Re: 4wd.com
Posted by: Ghozt
Date: November 16, 2006 05:59PM

It's an old trick (I've known about it for a while anyway). I saw a post on someone's StumbleUpon page a while ago about negative quantities and how some companies send you cash if it's all automated (item is 19.99, you do -1, then they send you $19.99), and sometimes you even get the item.

I never tested it, but it seems like it would work. I know for a fact that on more than a few shopping carts you can take the price down to $0.00 and all you have to pay is shipping.

Re: 4wd.com
Posted by: digi7al64
Date: November 16, 2006 06:39PM

I was reading something similar to this the other day over at http://www.edgeblog.net/2006/how-to-buy-a-plasma-for-99/ about a common flaw in the CartIt.cgi shopping cart application they examined. Like 4wd.com, the site they used as an example has a seal (courtesy of ControlScan).

I guess this brings up the next big problem in automated analysis of web applications... data integrity. For a long time it has been known never to trust form values (especially when it relates to $), but it seems that this is just another aspect of web scanning that is lacking within the industry.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: 4wd.com
Posted by: adio_skater69
Date: November 16, 2006 10:40PM

Can't they just change the data type from a real # to an integer?

Re: 4wd.com
Posted by: WhiteAcid
Date: November 17, 2006 05:59AM

$quantity = (int) abs($quantity);
That forces it to be a non-negative integer.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

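A server-side check for the negative-quantity flaw described in the first post, written as an added example in Python (it is not code from the thread, from 4wd.com, or from WhiteAcid's post). The quantity string from the request is parsed strictly and rejected when it is not a positive whole number, and the unit price is looked up in a server-side catalogue instead of being trusted from the request; the product ids and prices below are constructed from the figures quoted in the thread.

```python
import re
from decimal import Decimal

# Constructed server-side catalogue. Prices are the ones quoted in the thread;
# the product ids are assumed ("V230" appears in the quoted URL).
CATALOG = {
    "TORX-SET": Decimal("18.99"),  # "EXTERNAL TORX SOCKET SET"
    "V230": Decimal("20.99"),
}

# A cart line as it arrives from the client: (product id, raw quantity, client-sent price).
MAX_QTY = 99


class InvalidQuantity(ValueError):
    """Raised when the quantity field is not a whole number in 1..MAX_QTY."""


def parse_quantity(raw: str) -> int:
    # Only ASCII digits with no sign, decimal point, whitespace or exponent;
    # "-1", "0", "1.5", "+1" and "1e2" are all rejected rather than coerced.
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]*", raw):
        raise InvalidQuantity(f"quantity must be a positive whole number, got {raw!r}")
    qty = int(raw)
    if qty > MAX_QTY:
        raise InvalidQuantity(f"quantity {qty} exceeds the per-line limit of {MAX_QTY}")
    return qty


def subtotal_trusting_client(lines) -> Decimal:
    """The flawed calculation the thread describes: quantity and price are used as sent."""
    return sum((Decimal(qty) * Decimal(price) for _, qty, price in lines), Decimal("0.00"))


def subtotal_validated(lines) -> Decimal:
    """Hardened calculation: strict quantity, catalogue price, client price ignored."""
    total = Decimal("0.00")
    for pid, raw_qty, _client_price in lines:
        if pid not in CATALOG:
            raise KeyError(f"unknown product id {pid!r}")
        total += parse_quantity(raw_qty) * CATALOG[pid]
    return total  # can never be negative: every term is positive


if __name__ == "__main__":
    cart = [("TORX-SET", "1", "18.99"), ("V230", "-1", "20.99")]
    print("trusting client:", subtotal_trusting_client(cart))  # -2.00, as in the thread
    try:
        subtotal_validated(cart)
    except InvalidQuantity as exc:
        print("validated:", exc)
```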

Re: 4wd.com
Posted by: jungsonn
Date: November 17, 2006 06:45AM

Nice find!

Damn ugly flaw.
