Re: [Full-disclosure] Exploiting an online store

2005-09-15 Thread fd
On Wed, 14 Sep 2005, Josh perrymon wrote:

 I was reading an article about an attacker that could have changed a
 price in an online shopping cart-
 
 Snip
 Next, Reshef performed a little number he calls ``electronic 
 shoplifting'': He edited the site's online order form to reduce the
 price 
 of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef 
 actually could have purchased the book for the reduced price, adding a 
 whole new spin to Priceline.com's ``name-your-own-price'' marketing 
 campaign. 
 
 Reshef's exploits didn't require any sophisticated software or 
 particularly detailed knowledge of computer code. ``The only thing you 
 need is an HTML editor that comes bundled with your Netscape or Internet
 Explorer browser,'' he said. ``There is no magic to this.'' 
 ---

There is no client side security.  Period.  Who wrote the shopping cart 
and allowed posting the price to it??  Wow ...


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Exploiting an online store

2005-09-14 Thread Josh perrymon

I was reading an article about an attacker that could have changed a price in an online shopping cart-

Snip

Next, Reshef performed a little number he calls ``electronic shoplifting'': He edited the site's online order form to reduce the price of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef actually could have purchased the book for the reduced price, adding a whole new spin to Priceline.com's ``name-your-own-price'' marketing campaign.

Reshef's exploits didn't require any sophisticated software or particularly detailed knowledge of computer code. ``The only thing you need is an HTML editor that comes bundled with your Netscape or Internet Explorer browser,'' he said. ``There is no magic to this.''

What are laws on this?? What if the guy did make the transaction using his credit card? Since it is just a web transaction sending html from the client to the server what proof would they have?

Joshua Perrymon


RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Thomas Quinlan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh perrymon
Sent: Wednesday, September 14, 2005 4:05 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Exploiting an online store

 I was reading an article about an attacker that could have changed a price in an online shopping cart-

 Snip

 SNIP Reshef's $22.95 to $2.95 sploit

 What are laws on this?? What if the guy did make the transaction using his credit card? Since it is just a web transaction sending html from the client to the server what proof would they have?

 Joshua Perrymon

IANAL, but I believe that the contract isn't formed between buyer and seller until the purchase price is accepted on both sides and money changes hands. The price in a store is analogous to one in a catalog: suggested, and subject to change. Typically, that means by the seller, but if the buyer does it and the seller accepts the price, then it is a legal transaction. Once the money is accepted, the seller has agreed to sell at that price, and taken the money, making it difficult for him to suggest that he was unaware.

Of course, what typically happens is that the seller goes to ship the item, and sees how much was paid, and sends a bill for the remaining balance before the item is shipped. Proof isn't really needed.

Tom

Re: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Valdis Kletnieks
On Thu, 15 Sep 2005 03:29:25 +0200, Gadi Evron said:

 Check the date of the article. That company no longer exists and SQL 
 injections are not THAT big of an issue for established eCommerce sites 
 as they were in 1999.

Which is exactly why the previous posting on the list was an SQL injection
in Oracle Reports.  I see.. :)


RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Josh Perrymon
I know that bad programming habits exist on some of the sites out there and 
still use Hidden fields to pass prices over.. Although not very common, I 
found one this morning after sending the email...
 
My question is more on the theory I suppose...  What laws are out there to 
protect against this after-the-fact? Is it true that if the seller closes the 
deal by sending you the merchandise then they have no case and can't go back 
and charge you?
 
Seems there should be something out there providing protection if the system is 
automated... Even though there should be checks in place people do have small 
budgets and rush a lot of the smaller E-com stores out.
 
JP

-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wed 9/14/2005 7:35 PM 
To: Gadi Evron 
Cc: Josh Perrymon; full-disclosure@lists.grok.org.uk 
Subject: Re: [Full-disclosure] Exploiting an online store 

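As an added illustration of the hidden-field problem Eric and Josh describe (this is not code from the thread or from any store mentioned in it): a checkout handler that bills whatever price the browser posted, beside one that takes the price from a server-side catalog and treats a client-supplied price as an attack signal. The catalog, SKU and form contents are constructed for the example; the $22.95 book is the one from the quoted article.

```python
from decimal import Decimal

# Constructed catalog: SKU -> unit price in USD. A real shop would query its
# database here; the point is that the price is server-side data.
CATALOG = {"book-1234": Decimal("22.95")}


class PriceTamperingError(ValueError):
    """Posted price disagrees with the catalog; worth logging as an attack signal."""


def vulnerable_total(form):
    """The pattern the thread complains about: bill whatever price the browser posted."""
    return Decimal(form["price"]) * int(form["qty"])


def hardened_total(form, catalog=CATALOG):
    """Recompute the total from server-side data only.

    Any 'price' field the client sends is untrusted: it is never used for
    billing, and a mismatch raises so the attempt can be logged and the
    order refused before payment is taken.
    """
    sku = form["sku"]
    if sku not in catalog:
        raise KeyError(f"unknown sku {sku!r}")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity out of range: {qty}")
    unit = catalog[sku]
    posted = form.get("price")
    if posted is not None and Decimal(posted) != unit:
        raise PriceTamperingError(f"posted price {posted} != catalog {unit} for {sku}")
    return unit * qty


def checkout(form, catalog=CATALOG):
    """Return ('ok', total) or ('rejected', reason), the shape a handler would log."""
    try:
        return "ok", hardened_total(form, catalog)
    except (KeyError, ValueError) as exc:  # PriceTamperingError is a ValueError
        return "rejected", str(exc)


# Constructed POST body: a hidden 'price' field edited down from 22.95 to 2.95.
TAMPERED_FORM = {"sku": "book-1234", "qty": "1", "price": "2.95"}

if __name__ == "__main__":
    print("vulnerable handler bills:", vulnerable_total(TAMPERED_FORM))
    print("hardened handler says:", checkout(TAMPERED_FORM))
```

The rejected path is also the detection point: a posted price that differs from the catalog is a tampered form, not a pricing error, and deserves an alert rather than a silent correction.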

RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread lyal.collins
I would have thought that obtaining value by deception is just simple fraud.

The detection of the incident and prosecution of the guilty is usually more
challenging than committing the offence, I understand.

Lyal

 I know that bad programming habits exist on some of the sites out there and
still use Hidden fields to pass prices over.. Although not very common,
I found one this morning after sending the email...
  
 My question is more on the theory I suppose...  What laws are out there to
protect against this after-the-fact? Is it true that if the seller closes the
deal by sending you the merchandise then they have no case and can't go back
and charge you?
  
 Seems there should be something out there providing protection if the system
is automated... Even though there should be checks in place people do have
small budgets and rush a lot of the smaller E-com stores out.
  
 JP
 
   -Original Message- 
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
   Sent: Wed 9/14/2005 7:35 PM 
   To: Gadi Evron 
   Cc: Josh Perrymon; full-disclosure@lists.grok.org.uk 
   Subject: Re: [Full-disclosure] Exploiting an online store