wojodesign / simplecart-js

A simple javascript shopping cart that easily integrates with your current website.
simplecartjs.org
1.79k stars, 490 forks

simpleCart security problems #329

Closed jarmo closed 11 years ago

jarmo commented 11 years ago

Hi!

Since everything is on the client side and one of the slogans is "No databases, no programming, no headaches.", you will get headaches from situations where users change the price of your items to be cheaper.

For example:

1) go to http://simplecartjs.org/
2) execute the following code in the JavaScript console:

$(".simpleCart_shelfItem:first .item_price").text("$0.01")

3) add "Inception" to your cart
4) proceed to checkout with $0.01

You can also change the price after it is added to the cart:

1) go to http://simplecartjs.org/
2) add "Inception" with 19.99 to your cart
3) execute the following code in the JavaScript console:

simpleCart.find({name: "Inception"})[0].set("price", 0.01)

4) proceed to checkout with $0.01

You can also change the items directly by modifying localStorage:

1) go to http://simplecartjs.org
2) execute the following code in the JavaScript console:

localStorage.setItem("simpleCart_items", "{\"SCI-5\":{\"quantity\":1,\"id\":\"SCI-5\",\"price\":0.01,\"name\":\"Inception\"}}")

3) refresh your browser
4) proceed to checkout with $0.01

It would also be possible, via some XSS attack, to change the payment receiver. Only the following JavaScript code is needed to do that:

simpleCart({
  checkout: { 
    type: "PayPal" , 
    email: "me@mine.com" 
  } 
});

The only secure way is using the "SendForm" checkout type and doing additional checks on the server side before the actual checkout, but this works only as long as no one changes the checkout type to "PayPal" or to any other convenient checkout type.
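The server-side check that this thread recommends (SendForm plus verification against the shop's own price list, as proposed above and as seachanged describes doing at the end of the thread), written out as an added Node.js example. This is not simpleCart(js) code and is not from any participant in the thread. It assumes the posted form carries `item_id_N`, `item_quantity_N`, `item_price_N` and optionally `totalPrice` fields (an assumption about the SendForm payload; adapt the names to what your checkout actually submits), a hypothetical catalog and merchant address, and constructed sample posts.

```javascript
// Added example (not simpleCart's code): verify a SendForm-style order on
// the server instead of trusting anything the browser posted.
// ASSUMPTIONS: the form posts item_id_N, item_quantity_N and item_price_N
// for N = 1, 2, ... and optionally totalPrice; adjust the field names to
// whatever your SendForm checkout actually submits.

// Trusted catalog, constructed for this example. In a real shop this is
// the same server-side product data the page is rendered from.
const CATALOG = {
  "SCI-5": { name: "Inception", priceCents: 1999 },
  "SCI-6": { name: "Prometheus", priceCents: 1499 },
};

// The payment receiver lives on the server. A client-supplied checkout
// type or merchant e-mail (the XSS vector in the thread) is never read.
const MERCHANT_EMAIL = "orders@example.com"; // assumed placeholder address

// Money is parsed to integer cents; floats would make 19.99 * 3 unreliable.
function parseMoneyCents(value) {
  if (typeof value !== "string") return null;
  const s = value.trim();
  if (!/^\d+(\.\d{1,2})?$/.test(s)) return null; // rejects "1e3", "-5", "$0.01"
  const [whole, frac = ""] = s.split(".");
  return Number(whole) * 100 + Number(frac.padEnd(2, "0"));
}

// Quantities must be positive integers; "1.5", "-1" and "1e3" are rejected.
function parseQuantity(value) {
  if (typeof value !== "string") return null;
  const s = value.trim();
  if (!/^\d+$/.test(s)) return null;
  const q = Number(s);
  return q >= 1 && q <= 1000 ? q : null; // upper bound is a shop policy choice
}

function verifyOrder(fields, catalog = CATALOG) {
  const errors = [];
  const lines = [];
  let totalCents = 0;

  for (let i = 1; fields[`item_id_${i}`] !== undefined; i++) {
    const id = String(fields[`item_id_${i}`]);
    // hasOwnProperty guards against ids like "__proto__" or "constructor".
    const product = Object.prototype.hasOwnProperty.call(catalog, id) ? catalog[id] : null;
    if (!product) { errors.push(`line ${i}: unknown item ${id}`); continue; }

    const qty = parseQuantity(fields[`item_quantity_${i}`]);
    if (qty === null) { errors.push(`line ${i}: invalid quantity for ${id}`); continue; }

    // The submitted price is compared, never used. A mismatch means either
    // a tampered cart or a stale page; both are reasons to stop and look.
    const submittedPrice = fields[`item_price_${i}`];
    if (parseMoneyCents(submittedPrice) !== product.priceCents) {
      errors.push(`line ${i}: submitted price ${submittedPrice} does not match catalog for ${id}`);
      continue;
    }

    const lineCents = product.priceCents * qty;
    lines.push({ id, name: product.name, qty, unitCents: product.priceCents, lineCents });
    totalCents += lineCents;
  }

  if (lines.length === 0 && errors.length === 0) errors.push("empty cart");

  // Optional client total: checked for consistency, never trusted.
  if (fields.totalPrice !== undefined && parseMoneyCents(fields.totalPrice) !== totalCents) {
    errors.push(`submitted total ${fields.totalPrice} does not match ${totalCents / 100}`);
  }

  return { ok: errors.length === 0, totalCents, lines, errors, merchantEmail: MERCHANT_EMAIL };
}

// Constructed sample posts: an honest order and the $0.01 trick from this thread.
const HONEST_POST = {
  item_id_1: "SCI-5", item_quantity_1: "2", item_price_1: "19.99",
  item_id_2: "SCI-6", item_quantity_2: "1", item_price_2: "14.99",
  totalPrice: "54.97",
};
const TAMPERED_POST = { item_id_1: "SCI-5", item_quantity_1: "1", item_price_1: "0.01" };

console.log("honest:", verifyOrder(HONEST_POST).ok, verifyOrder(HONEST_POST).totalCents);
console.log("tampered:", verifyOrder(TAMPERED_POST).errors);
```

The point of the shape: the browser's numbers are inputs to a comparison, not to the total, and the merchant address is a server constant, so the `simpleCart({checkout: {type: "PayPal", email: ...}})` trick from the thread only changes what the victim's browser shows, as long as the server, not the page, is the one that initiates the payment.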

DahmaniAdame commented 11 years ago

Anything using client side scripting will end up being hacked. As of the current JavaScript technology, I can't see how SimpleCart can be secured.

It will need the help of a server side system to verify the order's content from malicious manipulation and pass it to any payment processing party, or simply send it by email. It's the only way to be 100% certain that all orders are not in any way manipulated.

Again, SimpleCart was meant to be a light client-side solution for micro shopping websites. Still, the above hacks are really annoying, however small your shop may be.

Thanks for sharing it though :)

jarmo commented 11 years ago

That's my point, and I don't see any mention of that in the documentation or README. I'm pretty sure that many users of simpleCart.js don't know about these possible issues before they get scammed/hacked.

Also, since simpleCart.js makes it really easy to change the payment providers, it is possible to hack that too via XSS, even if you're using e-mail or a server for verification. Of course it makes it a little harder, but nevertheless the vulnerability is there, waiting to happen.

DahmaniAdame commented 11 years ago

Looks pretty nasty!

Maybe SimpleCart should reconsider supporting payment methods until somebody drops in a server-side verification system and a checkout solution.

I highly advise people using SimpleCart as it is to rely on the SendForm method. If they can take the risk of receiving price-hacked orders, they can add the following policy to their websites: Any price-manipulated orders are non-refundable. Makes you a few bucks from smartass hackers' pockets!

iamstevemckinney commented 11 years ago

Hey everyone, this issue has been discussed at length in another thread. Here is a reply from the author of the simpleCart(js) explaining it. https://github.com/wojodesign/simplecart-js/issues/150#issuecomment-2726730

I do agree that this needs to be more apparent up front and in the coming months we'll work on making this very clear in the README and on the website. We do mention it on the features page here, http://simplecartjs.org/features/ and it has been mentioned in our blog posts when we announced and released simplecart (before there was even a website), but that is not acceptable enough to make it clear to all the people that download this free script.

jarmo commented 11 years ago

I didn't find the security flaw mentioned on the features page before clicking on the "View All Features" button. It is very cleverly hidden, although it's quite a serious problem :(

I don't understand why you closed this issue, since the other one is also closed. I would keep it open until the security problems are mentioned prominently somewhere. Otherwise this issue should not be considered closed, IMHO.

oaass commented 11 years ago

+1 @jarmo This needs to stay open until you post a workaround in the README/blog/whatever or a fix has been committed.

jarmo commented 11 years ago

Created a new issue (#334) because this does not seem to get reopened.

seachanged commented 11 years ago

Thanks for the very helpful comments about security problems with simplecart. I'm going to use the sendform option and verify the prices and item numbers on the server. Since I'm driving the store content from a lightweight database and template system on the server side anyway, it's no extra trouble to access that database one more time to check the items and prices before I commit.