Tuesday, February 14, 2017

XSS Vulnerability in BeanBag.LK website - A story of working with unprofessional "professionals"

Recently I wanted to buy a beanbag for home, so I googled for shops in Sri Lanka that sell them. The very first search result was beanbag.lk, which appeared to be selling beanbags. The website provides an online ordering facility as well, which is convenient for buyers.

To place an order, you need to fill in a form with basic information such as name, email and telephone number. Before filling in the form, I checked whether the page was served over HTTPS, to make sure the data I entered would not be exposed in transit. The page was not served over HTTPS, and I also noticed two query parameters, ‘size’ and ‘bb’, in the URL whose values were displayed verbatim on the page.




So I thought of doing some basic security testing on the website to gauge its quality in terms of security.

I injected JavaScript into the query parameters and found that the website does not do any sanitizing (escaping / encoding) of the query parameter values before reflecting them into the page.


The JavaScript executed in the browser, proving that the website was vulnerable to reflected XSS.

I sent the following email to the address I found on the contact us page of the beanbag.lk website. This was on the 2nd of January 2017.

Then I forgot about it, and I did not get any reply from the BeanBag.LK company either. After a month, I sent them a reminder mentioning that I was planning to write about this on my blog.


I noticed that they were active on Facebook, so I sent them a Facebook message regarding this issue, and they replied.

The BeanBag.LK team then forwarded my email to the developers of the website, an external company that develops websites. From them, I got the following email in which they requested the details of the vulnerability.

So I created a detailed security report describing the vulnerability, its root cause and the steps for fixing it. (You can find the report here [1].) I sent them the following email and shared the report with them.


Then I received the following email from the development company, in which they claimed that the issues I reported were not valid. According to their response, the website is not vulnerable because no database is used. I reported Cross Site Scripting vulnerabilities, but it seems they had confused them with SQL Injection.

In their email, they attached an official letter as the response from their security team. In it, they accepted that running JavaScript in the browser is possible by modifying the URL, but they stated that a genuine user would not do this. Surprisingly, it seems they do not know what an attacker can do with a single XSS vulnerability in a website: the victim does not have to type the URL themselves, they only have to click a link the attacker has crafted.



So I prepared another document giving an example of how an attacker could use the BeanBag.LK website’s good name to achieve his malicious goals. (You can find the document here [2].)

A basic example is displaying a message on the website that is bad for the business. This could easily be done with a URL like http://beanbag.lk/order.php?size=Bean Bags&bb=We no longer sell


Another example is an attacker stealing email addresses, which can be done simply with a URL like the one below.


The attacker can shorten the URL and share it publicly to lure victims.


Then I sent them the following emails asking them to do their research before dismissing my claims.


To prove my claims, I ran the OWASP ZAP tool against the order.php page of the beanbag.lk website, and within a couple of minutes it generated a vulnerability report that listed the XSS vulnerability as a high-risk issue.


Although the development company had stated in their response that they run the necessary security tests before putting a website live, this proves that is not the case. I doubt they have a security team within the company. If they do, then the skill set and the tools they use are totally useless in my opinion.

I sent them the following email, attaching the OWASP ZAP report.


This is the response I got from them, where they were still denying my claims just to protect their company name.
Further, in the response he mentions that through the URL http://beanbag.lk/order.php?size=Bean Bags&bb=We no longer sell , attackers cannot inject values as it gives an error.

When I tested after their response, it was indeed giving an error. So clearly they had applied a fix to prevent injection through the query parameters.


They have simply whitelisted the values of the query parameters. The page now only accepts a predefined set of values for them, and if any other value is injected, it simply displays the message ‘Error’. That is a reasonable fix for this page, since ‘size’ and ‘bb’ only ever take a handful of known values; for parameters that carry free text, the fix is to encode the value for the HTML context it is written into.
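To make the reflection problem and the two ways of fixing it concrete, here is an added example written for this post. It is not the beanbag.lk code and not anything the development company shared; it assumes a minimal PHP page that reads ‘size’ and ‘bb’ from the query string and echoes them, and the allowed values in the allow-list are assumed, not taken from the real site.

```php
<?php
// Added example (hypothetical order.php, not beanbag.lk's code): the same
// two query parameters rendered three ways.

// Contextual output encoding for an HTML text/attribute context. The
// characters < > & " ' become entities, so the browser renders the value
// as text and never interprets it as markup or script.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Vulnerable pattern, as the post describes the original page behaving:
// the raw parameter is concatenated straight into the HTML response, so
// ?bb=<script>...</script> executes in every visitor's browser.
function render_vulnerable(array $get): string
{
    $size = $get['size'] ?? '';
    $bb   = $get['bb'] ?? '';
    return "<h1>$bb</h1><p>Size: $size</p>";
}

// --- Fix 1, the general rule: encode on output. Any value is accepted,
// but it can only ever appear as text.
function render_encoded(array $get): string
{
    $size = $get['size'] ?? '';
    $bb   = $get['bb'] ?? '';
    return '<h1>' . e($bb) . '</h1><p>Size: ' . e($size) . '</p>';
}

// --- Fix 2, what the developers ended up doing: an allow-list. Only the
// values the page is designed to show are accepted and anything else gets a
// generic error, so attacker-controlled text never reaches the response.
// This works because both parameters are effectively enumerations.
const ALLOWED_SIZE = ['Small', 'Medium', 'Large'];      // assumed values
const ALLOWED_BB   = ['Bean Bags', 'Bean Bag Chairs'];  // assumed values

function render_allowlisted(array $get): string
{
    $size = $get['size'] ?? '';
    $bb   = $get['bb'] ?? '';
    // Strict comparison: no type juggling between strings and integers.
    if (!in_array($size, ALLOWED_SIZE, true) || !in_array($bb, ALLOWED_BB, true)) {
        return '<p>Error</p>';
    }
    // The values are known constants, but encode anyway (defence in depth,
    // in case the allow-list is edited later to contain something unsafe).
    return '<h1>' . e($bb) . '</h1><p>Size: ' . e($size) . '</p>';
}

// Constructed request mirroring the probe in the post: a script tag in 'bb'.
// In a real request these would come from $_GET.
$probe = ['size' => 'Bean Bags', 'bb' => '<script>alert(1)</script>'];

echo render_vulnerable($probe), PHP_EOL;   // the script tag survives intact
echo render_encoded($probe), PHP_EOL;      // the tag is rendered as literal text
echo render_allowlisted($probe), PHP_EOL;  // the generic error page
```

Run it with `php order.php` and compare the three lines: only the first contains a live `<script>` element. The allow-list is the tighter control for parameters that are really menu choices, but the encoding helper is the one that generalises to every other place the site writes user input into a page, and should be present even where an allow-list is.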

I ran the OWASP ZAP tool again against the order.php page and could see that the XSS issue was no longer there. (You can see the generated report here.)

I did not want to continue contacting them, as they were clearly being unethical and unprofessional. So I sent them the following response and stopped chasing this. As the issue is fixed on the website anyway, there is no point in continuing the thread and wasting time.


If you are a developer reading this article, you need to understand that it is totally OK to make mistakes, and when someone reports one, you need to accept it and get it corrected.

If you are from an organization whose website is developed by an external outsourced web development company, you need to make sure they are qualified enough to do the job. Otherwise, although you are paying them, they are putting the good name of your business and the loyal customers who visit your website in danger.

By writing this article, I have no intention of doing any damage to the beanbag.lk business or the web development company responsible for this issue. I am just sharing my experience as an independent security researcher who works towards making cyberspace a secure place for everybody.

References



Tharindu Edirisinghe (a.k.a thariyarox)
Independent Security Researcher

10 comments:

  1. very impressive and fantastic way of teaching. Thumbs up.

  2. This is a clean disclosure. Most developers are not willing to accept the flaws in their designs. This is one moment. Nice article Mr. Tharindu

  3. Excellent write up Tharindu, on point! Disappointing reactions from the culprits though.

    Replies
    1. Hello,

      I am from this development company and our client (beanbag.lk) has been repeatedly informing us that this outdated post is still running and that their company name should be confidential. No issues accusing us of being culprits; as the client sent this link, I read this and our project manager informed me regarding the link. Please remove this link or else Beanbag.lk and our development company both will make sure we file a police / human rights complaint of accusing us and using our property. Please Tharindu, make sure you don't use these words, White Vans and all that stuff, because we are not interested to see your power, and again I will check back on this link within 7 days and take action. And also I cannot directly contact you in any way as Mr. Akeel told that he had no way of accessing your only contact way, Facebook. In 7 days I / our director / relevant personnel will contact you using official emails.

    2. If you are from the development company responsible for this, do you accept that the way you reacted, to cover up your inability to secure your client's websites, was inappropriate? If you are willing to officially accept that by sending me an email (the same email I used to inform you about this vulnerability), then I have no issue with taking down the post :)
