Javascript Vulnerability #150

Closed
eygraber opened this issue Oct 4, 2011 · 23 comments

Comments

@eygraber

eygraber commented Oct 4, 2011

I looked through your code, your demo, and several sites I was able to discover using simpleCart and there is a massive Javascript Injection vulnerability. An end user going through a site that uses simpleCart can simply inject Javascript that will change the price of an item and then add it to the cart, effectively adding an item for whatever price they substitute. For example, on your demo site http://demo.simplecartjs.com/ add the following code into the navigation bar, or using a javascript console (if you use a console leave out the "javascript:"):

```javascript
// Rewrites every displayed price on the demo page; items added afterwards carry
// the substituted price. Posted as two "javascript:" address-bar one-liners; the
// prefix is harmless in a console (it parses as a label) but can be dropped there.
// getElementsByClassName has to be called on document.
javascript:var notUsed = document.getElementsByClassName("item_price");
javascript:for (var i = 0; i < notUsed.length; i++) notUsed[i].innerHTML = "$0.01";
```

and then checkout. It will go to paypal without an issue and the buyer will be able to purchase items at a price of $0.01 (paypal doesn't allow values of 0). Please contact me for a workaround to this issue.

@hi-tech

hi-tech commented Oct 25, 2011

Please post your workaround for this issue. Have noticed this issue as well.

@eygraber
Author

eygraber commented Nov 8, 2011

It would involve having a file on the server with name value pairings of id to price that the javascript can get through ajax. Ideally there would be some server side language processing handling all of this but I think the idea of simplecart is to not have to deal with those. I could be wrong though. As it is I may have had a secure workaround for a javascript only solution but I can't recall it now. Hopefully it'll come back to me and I'll post it, but as far as I'm concerned there's no really secure way to do it with only javascript. I hope the developers take note of this.

@badlydrawnrob

This is the case with Firebug as well, you can just go in and change the pricing ... like @eygraber mentioned the only way I can think of to solve this is using some PHP to pull in the pricing so it always passes the correct amount. Haven't tested this theory though! I guess the user just has to be vigilant but it's a potentially big and unfortunate problem as far as checkout goes.

@fjeldstad

Pulling in the correct prices from the server is really not the issue here - the malicious user could still modify the form before it is submitted to the checkout service. Either the product prices need to be known by the checkout service in advance (like with PayPal's "saved buttons"), or you'll have to pass along some sort of hash of the correct prices (and probably other order details), where the exact algorithm for computing the hash is known only by your app and the checkout service.

Indeed this will be very difficult to achieve in only client-side code, as far as I can see.

@brettwejrowski
Collaborator

Hey guys, the security issues have been noted since v1. Out of the box, simpleCart(js) is intended for small traffic, where orders will be individually inspected. If you have higher volume, we highly suggest using some server side code for security.

It comes down to the fact that security belongs on the server side... no amount of clever coding or obfuscating will completely secure javascript from being altered. That being said, we have built many sites with simpleCart(js) on high volume sites by checking out to a script on our server, which verifies that item prices have not been altered, then the server side script checks out to PayPal or Authorize.Net.

@fjeldstad

Sounds reasonable to me; it's just a matter of clarifying the scope/primary intended use of the library.

@brettwejrowski
Collaborator

Definitely. I will work on a blog post with examples of how to be more secure on checkout, and hopefully make the security limitations of a client-side script like this more obvious.

@hi-tech

hi-tech commented Nov 14, 2011

Thanks Brett, looking forward to that blog post.

@badlydrawnrob

That blog post would be really helpful, we had some ideas of how this might work in theory but a few examples of how you guys go about implementing this approach would be much obliged!

@eygraber
Author

Even if each order is examined some payment sites might have terms of service that require sellers to honor any sales coming in. It's worth it to read through them and make sure this isn't the case.

@badlydrawnrob

Yeah definitely, terms and vigilance are a must ... hopefully I'll figure out a way to get this locked down though.

@carpalwatch

have a look at my blogstore : http://plus.carpalwatch.com. Using php to verify the values of the items. Managed to add a discount code feature as well. Can create sale by item type, brand, model or SKU.

@badlydrawnrob

Looking good @carpalwatch ... any chance you can run us through the process you have in place, or post an example on http://ideone.com/ or something?

@carpalwatch

Sure! You gotta bear with me though as this is the first time I am doing this. Basically, it's just loading PHP like they were JS. A bit messy though because I ended up having multiple JS files loaded. Wanted to make it cleaner but simply do not have the time now. It is a lot of substituting the id attribute of HTML elements to make each field unique. I have also used it to hide some sections and an admin page. The hidden sections contain buttons for non-IT admin users to create/update/delete each item in the DB. The admin page allows for creation of sales and discount coupons. It's just a few features that I need. Admin users can also add options on the fly and in each option, you can increase/decrease the item price. E.g., $20 is added when a premium strap is selected.

I am not a pro at this and my code is all over the place to be honest. I wanted to make it into an easy to use template but I really cannot afford the time now. Email me at the same email listed on http://plus.carpalwatch.com and I can send screenshots and code segments.

One thing to bear in mind is you cannot have 2 simpleCarts running on the same page. Only 1 will be loaded. So you need to edit the blog template to hide 1 of them on page load.

Here is a segment of my code:

Created a function to load php on demand (Refer to http://unixpapa.com/js/dyna.html).

Working on currency change feature now and hopefully I can come up with something soon. Perhaps a language change feature next time! =)

@badlydrawnrob

Hey — this got lost in an email backlog ;)

I'm no PHP nut so I'd be leaving this to the team, but always good to see how others are doing their stuff! I'll shoot you an email then, be good to see how you've cracked it.

@jarmo

jarmo commented Dec 4, 2012

@carpalwatch just wanted to let you know that it is still possible to proceed to PayPal checkout page on your site with modified prices.

@jarmo

jarmo commented Dec 5, 2012

No they won't, that's what i'm saying. Here's one screenshot i've made https://dl.dropbox.com/u/2731643/carpalwatch.png

@jarmo

jarmo commented Dec 5, 2012

Give me your e-mail so i can contact you directly for giving out details. Just in case.

@DahmaniAdame

@carpalwatch Works on any browser having a JavaScript console.

I feel for ya!

@oaass

oaass commented Dec 6, 2012

Why is this closed before a fix/solution has been commited?

@currentcreative

@carpalwatch - is that store of yours STILL simplecart(js)? I just checked it out and it looks a heck of a lot different than their simple little example. Or did you switch to something else once you realized the security hole was still there? Thanks... and looks great!

@carpalwatch

Hi Snyder,

Yes, it is still simplecart and yes, the security hole is still unresolved as I haven't got the time to do it but I have a pretty good idea how to resolve it now. =)


@carpalwatch

haha. Yeah, I was too stubborn back then. Wanted to make use of the blogger JSON feed for easy updates and flexibility and blogger security which is quite useless... I went to the extent to create an admin page whereby I can offer discounts or create sales by brand, by SKU and by model or a combination or by discount codes... wanted to do a login module for repeat visitors and to restrict discount codes to specific users but simply have no time to do it... I can do currency exchange using cookies and other features like recently viewed items but I just need to figure out how to fully utilise the JSON feed. Sigh... too late for me I guess...

It's fun to code though. i like programming but somehow my algorithm, naming conventions and fundamentals are quite screwed up so I ended up with a whole lot of ... that I have no time to resolve such as loading time and stuff. It just keeps piling up. keke.

On 04-Jan-2013, at 2:45 AM, N Snyder wrote:

Holy crap, you're a genius! I just realized this is a BLOGGER website as I looked through the code... Man, why didn't you just use WooCommerce or something? That seems like a lot of work to get the taxonomies and everything! Now, I really have to say "GREAT JOB!"

N

