Postmortem and Further Countermeasures
ACME Fashions, Inc., suffered tremendous losses of time and money because of three critical mistakes over a period of time. All these mistakes were attributed to the lack of input validation and trust in the integrity of data received from the Web browser. Let's review these shortcomings again.
The first flaw was caused by the improper use of hidden fields. Crucial information such as product ID and price were passed via hidden fields in HTML forms. Recall that, once the HTML response is sent by the Web server to the Web browser, the server loses all control over the data sent. HTTP is essentially stateless, and the server can make no assumptions about whether the data returned is intact or has been tampered with. Hidden fields can be manipulated on the client side and sent back to the Web server. If the server doesn't have any way to validate the information coming in via hidden fields, clients can tamper with data and bypass controls enforced by the system. To protect systems from such attacks on data integrity, Web site developers should avoid passing information via hidden fields. Instead, such information should be maintained in a database on the server, and the information should be pulled out from the database when needed.
Shopping Carts with Remote Command Execution
Many commercially available shopping carts suffer from a lack of input validation in parameters passed via the URL or hidden fields, which allows meta-characters to be inserted to achieve remote command execution. Here are some headlines taken from various security information portals regarding vulnerabilities in shopping carts:
September 6, 2001—ShopPlus Cart Commerce System Lets Remote Users Execute Arbitrary Shell Commands
September 8, 2001—Hassan Consulting Shopping Cart Allows Remote Users to Execute Shell Commands on the Server
September 19, 2001—Webdiscount.net's eshop Commerce System Lets Remote Users Execute Arbitrary Commands on the System and Gain Shell Access
October 20, 2001—Mountain Network Systems WebCart Lets Remote Users Execute Arbitrary Commands on the Web Server
All these shopping carts fail when the pipe character is inserted in one of the URL parameters. The exploit URLs for these carts are:
http://targethost/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|
http://targethost/cgi-local/shop.pl/SID=947626980.19094/page=;uname+-a|
http://targethost/cgi-bin/eshop.pl?seite=;ls|
http://targethost/cgi-bin/webcart/webcart.cgi?CONFIG=mountain&CHANGE=YES&NEXTPAGE=;ls|&CODE=PHOLD
The underlying cause is the same in each case: the shopping cart passes unchecked parameter contents to Perl's open() function when opening a file, and a trailing pipe character makes open() treat the string as a shell command to run rather than a file name to read.
The final vulnerability was caused by the lack of input sanitization in mywebcart.cgi. Whenever data from fields in HTML forms is passed to critical functions such as open(), care must be taken to remove any combination of symbols or meta-characters. Two main input validations must be performed: one for the length of the data received (to avoid buffer overflow attacks) and the second for meta-characters. In this case, ACME has to add an input sanitization routine to filter meta-characters such as “&,” “%,” “$,” “|,” and “<.” For a nearly complete list of input sanitization routines in all the major Web languages used today, review Chapter 1.
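The two validations described above (a length check and a meta-character check in front of open()), as an added Perl example that is not code from the book or from any of the shopping carts named here; the function names, the 32-character limit, the allowlist pattern and the sample inputs are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Validate a file-name parameter received from the browser before it
# reaches open(). Two checks, as the text recommends: a length limit
# and a strict allowlist of characters, which rejects every
# meta-character of interest (& % $ | < > ; backtick) as well as the
# path separators and dot sequences used for directory traversal.
sub validate_page_param {
    my ($value) = @_;
    return (0, 'missing')  unless defined $value && length $value;
    return (0, 'too long') if length $value > 32;   # assumed limit
    # Allowlist: letters, digits, underscore, hyphen, one optional extension
    return (0, 'bad characters')
        unless $value =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/;
    return (1, 'ok');
}

# Hardened file read. The vulnerable pattern in the carts above is the
# two-argument form, open(FH, $param), where a trailing '|' turns the
# argument into a command. The three-argument form with an explicit
# '<' mode only ever opens a file, and the name is confined to one
# directory by the validation performed first.
sub read_page {
    my ($pages_dir, $param) = @_;
    my ($ok, $why) = validate_page_param($param);
    die "rejected parameter: $why\n" unless $ok;
    my $path = "$pages_dir/$param";
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    local $/;                     # slurp mode
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed sample inputs: the first mirrors a legitimate request,
# the rest mirror the pipe and meta-character patterns shown in the text.
my @samples = ('catalog.html', ';ls|', ';uname+-a|', '../../etc/passwd', 'x' x 40);
for my $s (@samples) {
    my ($ok, $why) = validate_page_param($s);
    printf "%-22s -> %s\n", $s, $ok ? 'accepted' : "rejected ($why)";
}
```

Only `catalog.html` passes; every other sample is rejected before open() is ever called, so the pipe character never reaches the function that would interpret it.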
Additional security issues relating to e-commerce shopping systems in general include information retrieval from temporary files on the server, poor encryption mechanisms, file system directory exposure, privilege escalation, customer information disclosure, alteration of products, alteration of orders, and denial of service. All of these are open to attack and are present in many e-commerce application implementations.