E-commerce Client-side Exploit
by Tom Underwood

Overview

This exploit utilizes hidden fields or field names in forms to manipulate data on the client-side (web browser) and then transmit this altered data to a website. For example, prices could be altered to any amount and then transmitted to the website for purchase.

Why is this still a problem?
This exploit is well known among professional developers and was covered many years ago by the World Wide Web Consortium (W3C), which has included it in their FAQ since its discovery. The exploit had essentially disappeared. Its reappearance is largely due to the medium that created it. The Internet and WWW protocols made sharing information much easier, but they also allowed inexperienced programmers to release insecure products to the general public. As the Internet audience grew, many new programmers sought to capitalize on the emerging e-commerce industry.

An easy way to check your website
Browse to the pages on your site and examine the source document by selecting View from the top menu bar, then Source. The source for the web page that you are currently viewing will appear in a text editor or similar window. Scan through the source document and look for the form input tags. Here are two examples that were found on the Internet when this article was written:

<input type="hidden" name="order" value="Propeller Hat----World Famous Propeller Hat----19.99----2----1">

<INPUT TYPE="TEXT" NAME="item-0003|electronics|59.49|Polaroid One Step ($59.49)" SIZE="3" MAXLENGTH="3" VALUE="1">

As you can see in the above examples, price data is stored on the client side, either in a hidden field's value or in the field name itself, and is easily editable. While price verification could be performed later, anyone aware of how insecure this method is would not have used it at all.
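
The manual check described above can be automated for your own pages. The following is an added example, not code from the original article: it parses a page's HTML and reports form inputs that carry price-like amounts in a hidden value or in the field name. The price pattern, the function and class names, and the third sample field are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumed here): a decimal amount such as 19.99 or 59.49.
PRICE_RE = re.compile(r"(?<![\d.])\d{1,6}\.\d{2}(?![\d.])")


class PriceFieldAuditor(HTMLParser):
    """Collects form inputs whose name or hidden value carries price-like data."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (input type, "name" or "value", amount)

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        ftype = a.get("type", "text").lower()
        # A price inside the field *name* is client-controlled whatever the type.
        for amount in sorted(set(PRICE_RE.findall(a.get("name", "")))):
            self.findings.append((ftype, "name", amount))
        # A price in the *value* is flagged for hidden fields only; a visible
        # text box may legitimately hold an amount the user is meant to type.
        if ftype == "hidden":
            for amount in sorted(set(PRICE_RE.findall(a.get("value", "")))):
                self.findings.append((ftype, "value", amount))


def audit(html):
    """Return the list of findings for one HTML document."""
    auditor = PriceFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# The two inputs quoted in the article, plus a constructed quantity field
# that carries no price and should not be reported.
SAMPLE = '''
<input type="hidden" name="order" value="Propeller Hat----World Famous Propeller Hat----19.99----2----1">
<INPUT TYPE="TEXT" NAME="item-0003|electronics|59.49|Polaroid One Step ($59.49)" SIZE="3" MAXLENGTH="3" VALUE="1">
<input type="text" name="qty" value="1">
'''

if __name__ == "__main__":
    for ftype, where, amount in audit(SAMPLE):
        print(f"{ftype} input carries price {amount} in its {where}")
```

A finding means the order handler on the server should be reviewed to confirm it takes the price from its own records rather than from the submitted form.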

The next step
If your site is affected, your next step would be to assess the risk to your operation. If you run a small site and process your orders by hand, you may be able to rely on the assumption that any attempts to exploit your site would be easily noticed. If you believe that this type of abuse might go unnoticed, then you should definitely take action to correct this vulnerability.

The big picture
The potential risk of this vulnerability is largely affected by chance. Your site may not even attract the attention of a would-be attacker. The larger issue is one of professionalism. Internet businesses should not be put at risk simply because the programmer or developer that they hired is uninformed.

If you would like us to determine if this affects your site, simply email us at info@avataris.com