Recently I wanted to buy a beanbag for home, and I just googled for shops in Sri Lanka that sell them. Out of the search results, the very first one was beanbag.lk, which seemed to be selling beanbags. The website also provides an online ordering facility, which is convenient for buyers.
For placing an order, we need to fill in a form with basic information like name, email, telephone number, etc. Before filling in the form, I just checked whether the web page is served via HTTPS, to make sure the data I enter in the form doesn't get leaked along the way. The web page was not being served via HTTPS, and I also noticed that there were two query parameters, ‘size’ and ‘bb’, in the URL whose values were displayed as-is on the web page.
So, I just thought of doing some basic security testing on the website to assess its quality in terms of security.
I sent the following email to the address I found on the Contact Us page of the beanbag.lk website. This was on the 2nd of January 2017.
Then I forgot about it, and I also did not get any reply from the BeanBag.LK company. After a month, I sent them a reminder mentioning that I was planning to write about this on my blog.
I noticed that they were active on Facebook, so I sent them a Facebook message regarding this issue, and they replied.
Then the BeanBag.LK team forwarded my email to the developers of the website, which is an external company that develops websites. From them, I got the following email, in which they requested that I provide the details of the vulnerability.
So I created a detailed security report to inform them about the vulnerability, its root cause and the steps for fixing the issue. (You can find the report here.) I sent them the following email and shared the report with them.
Then I received the following email from the development company of the website, in which they claimed that the issues I reported were negative. According to their response, the website is not vulnerable because there is no database used. I reported Cross-Site Scripting vulnerabilities, but it seems they had confused them with SQL Injection.
So I prepared another document giving an example of how an attacker could abuse the BeanBag.LK website’s good name for malicious ends. (You can find the document here.)
A basic example is displaying a message on the website that is bad for the business. This could easily be done with a URL like http://beanbag.lk/order.php?size=Bean Bags&bb=We no longer sell
Another example is an attacker harvesting email addresses, which can be done simply through a URL like the one below.
http://beanbag.lk/order.php?size=large&bb=Win a free bean bag worth 20,000 ruppees by referring 3 friends of you ! <br><br>Friend1 Email <input type="text" id="email1"/><br>Friend2 Email <input type="text" id="email1"/><br>Friend3 Email <input type="text" id="email1"/><br><input type="submit" value="Send"/><!--
The attacker can shorten the URL and share it publicly to lure victims.
Then I sent them the following emails asking them to do their research before dismissing my claims.
To prove my claims, I just ran the OWASP ZAP tool against the order.php page of the beanbag.lk website, and within a couple of minutes it generated a vulnerability report that listed the XSS vulnerability as a high-severity issue.
Although the development company had mentioned in their response that they do run the necessary security tests before putting a website live, this proves that it is not the case. I doubt that they have a security team within the company. If they do, then the skill set and the tools they use are totally useless in my opinion.
I sent them the following email attaching the OWASP ZAP report.
This is the response I got from them, where they were still denying my claims just to protect their company name.
Further, in the response he mentions that through the URL http://beanbag.lk/order.php?size=Bean Bags&bb=We no longer sell , attackers cannot inject values as it gives an error.
When I tested it after their response, it was indeed giving an error. So clearly it seems they had applied a fix to prevent injection through the query parameters.
Simply put, they have whitelisted the values of the query parameters. Now the page only accepts a predefined set of values for each parameter, and if we inject any other value, it simply displays the message ‘Error’.
I ran the OWASP ZAP tool again against the order.php page and could see that the XSS issue is no longer there. (You can see the generated report here.)
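As an added illustration (not part of the original post, and not the real source of beanbag.lk's order.php, which the post does not show), the following PHP puts the reflection pattern behind the URLs above next to a whitelist-plus-encoding version of the same page. The parameter names size and bb come from the URLs in the post; the allowed values, the function names and the sample payload are assumptions made for the example.

```php
<?php
// Added example: two ways order.php could render its "size" and "bb" query parameters.
// Neither function is beanbag.lk's code; both return the HTML fragment the page would emit.

// Vulnerable pattern consistent with the behaviour described in the post: the query
// parameters are copied into the page verbatim, so any markup in "bb" becomes part of
// the DOM (the <input> fields of the "Friend email" URL, the <!-- that hides the rest).
function render_order_vulnerable(string $size, string $bb): string
{
    return "<h2>" . $size . "</h2><p>" . $bb . "</p>";
}

// Hardened pattern: accept only a predefined set of values (the whitelist fix the
// developers applied) and, in addition, HTML-encode everything that is echoed.
const ALLOWED_SIZES = ['small', 'medium', 'large'];     // assumed values
const ALLOWED_BB    = ['Bean Bags', 'Bean Bag Covers'];  // assumed values

function render_order_hardened(?string $size, ?string $bb): string
{
    // Strict comparison: a missing parameter (null) or any unlisted value is rejected,
    // which matches the 'Error' page the site shows after the fix.
    if (!in_array($size, ALLOWED_SIZES, true) || !in_array($bb, ALLOWED_BB, true)) {
        return '<p>Error</p>';
    }
    // Output encoding is kept even though the values are whitelisted, so a later edit
    // to the list (e.g. a value containing a quote) cannot silently reintroduce XSS.
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>" . $e($size) . "</h2><p>" . $e($bb) . "</p>";
}

// Constructed payload in the spirit of the post's "Friend email" URL (shortened).
$payload = 'Win a free bean bag! <br>Friend1 Email <input type="text" id="email1"/><!--';

echo render_order_vulnerable('large', $payload), PHP_EOL;   // <input> and <!-- land in the page unchanged
echo render_order_hardened('large', $payload), PHP_EOL;     // <p>Error</p>
echo render_order_hardened('large', 'Bean Bags'), PHP_EOL;  // <h2>large</h2><p>Bean Bags</p>
echo render_order_hardened(null, 'Bean Bags'), PHP_EOL;     // <p>Error</p>: parameter missing
```

In a real page the two arguments would come from `$_GET['size'] ?? null` and `$_GET['bb'] ?? null`. The point of keeping `htmlspecialchars` behind the whitelist is that a whitelist alone only protects the page for as long as the list stays free of markup characters; encoding at the output makes the page safe regardless of what ends up in the list, and it is the control a scanner such as ZAP is exercising when it injects into the parameters.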
I did not want to continue contacting these guys, as they are clearly unethical and unprofessional. So I sent them the following response and stopped chasing this. As the issue is fixed on the website anyway, there is no point in continuing the thread and wasting time.
If you are a developer reading this article, you need to understand that it is totally OK to make mistakes, and when someone reports one, you need to accept it and get it corrected.
If you are from an organization whose website is developed by an external, outsourced web development company, you need to make sure that they are qualified enough to do the job. Otherwise, although you are paying them, they are putting the good name of your business, and the loyal customers who visit your website, in danger.
By writing this article, I have no intention of doing any damage to the beanbag.lk business or the web development company responsible for this issue. I am just sharing my experience as an independent security researcher who works towards making cyberspace a secure place for everybody.
Tharindu Edirisinghe (a.k.a thariyarox)
Independent Security Researcher
Author of http://securityinternal.com