
mohsenphp

Session vulnerability Security

Hi

The text below is from a hacker; I received it:

I found a Security Vulnerability in your web application. For security purposes, can we report the vulnerability here? Then will I get a bounty reward in PayPal or Bitcoin for the Security bug?

I am struggling with a hacker; he injects some sort of data into the session cart, like:

rowId: 6d7b861f889ade22640579237d2e0846 product_id: 0001 name: Product 1

Of course I am filtering data so that it is NOT inserted into the DB, to prevent having a product that is not in the products table, but he/she is causing me trouble and has recently asked to receive Bitcoin!!

The package is "mindscms/laravelshoppingcart": "^2.1",

I have SSL (https) on the site and put the .env file one folder above the public_html folder, NOT in public access (a folder before public_html), and config/session.php is as below:

'driver' => env('SESSION_DRIVER', 'file'), // this is set to file
'lifetime' => env('SESSION_LIFETIME', 120), // 120
'expire_on_close' => false,
'encrypt' => true,
'files' => storage_path('framework/sessions'),
'lottery' => [2, 100],
'cookie' => env(
    'SESSION_COOKIE',
    Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
),
'path' => '/',
'secure' => env('SESSION_SECURE_COOKIE'), // true
'http_only' => true,
'same_site' => 'lax',

Finally, I set the permissions of storage/framework/session to 755 and, of course, each session file to 644.

The method in the class that adds items to the cart is attached.

If my language is not good, I apologize.

Any suggestions are welcome. Thanks.

The method to add to the cart is:

<?php

namespace App\Http\Controllers;

use App\Models\Product;
use Cart; // facade alias registered by the shopping-cart package
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class CartController extends Controller
{
    public function add(Request $request)
    {
        $r = $request->validate([
            'id'    => 'required|numeric|exists:products,id',
            'color' => 'sometimes|nullable|string',
        ]);

        $p = Product::where('id', $r['id'])->first();

        if (!$p) {
            return back()->with('warning', 'Access Denied !');
        }

        Cart::add([
            'id'    => $p->id,
            'name'  => $p->name,
            'qty'   => 1,
            'price' => $p->price,
        ]);

        // Here check if the data from the cart/session is in the products table in the DB
        foreach (Cart::content() as $row) {
            $p = Product::where('id', $row->id)->where('name', $row->name)->first();

            if (!$p) {
                // Log only this row. The original appended the growing $rows string on
                // every iteration, so earlier bad rows were written again for each new one.
                $line = 'rowId: ' . $row->rowId . ' product_id: ' . $row->id . ' name: ' . $row->name;
                Storage::append('file.log', $line);

                // Remove the item by its own rowId. The original passed $r['rowId'], but $r is
                // the validated request input and has no 'rowId' key, so nothing was removed.
                Cart::remove($row->rowId);
            }
        }

        return back()->with('success', 'Successfully added to cart.');
    }
}

0 likes
11 replies
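With the file session driver shown above, the cart lives in a file under storage/framework/sessions on the server; the browser only carries the encrypted session-id cookie. A row can therefore only get into a given cart through Cart::add calls made within that same session, and the useful question is which session, from where, and on which request. The following is an added example, not code from the original post or from mindscms/laravelshoppingcart, of an in-request check that resolves every cart row in one query, removes bad rows by their own rowId, and writes one structured log line per bad row with the session id, client IP, user agent and request path, so the owner can tell whether the "Product 1" rows come from one visitor, from many, or only from their own browser. Assumed: an App\Models\Product model with id and name columns, a Cart facade with the Crinsane-style content()/remove($rowId) API, and Laravel's default log channel.

```php
<?php

namespace App\Services;

use App\Models\Product;
use Cart; // facade alias of the shopping-cart package (assumed)
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class CartIntegrity
{
    /**
     * Drop every cart row whose (id, name) pair is not in the products table.
     * Returns the removed rows as plain arrays so the caller can report on them.
     */
    public function pruneUnknownRows(Request $request): array
    {
        $rows = Cart::content();                 // Collection of CartItem objects
        if ($rows->isEmpty()) {
            return [];
        }

        // One query for the whole cart instead of one per row.
        $known = Product::whereIn('id', $rows->pluck('id')->all())
            ->get()
            ->keyBy('id');

        $removed = [];
        foreach ($rows as $row) {
            // Array-key lookup is strict about the spelling of the id: "0001" does
            // not match the integer key 1, so a padded id is treated as unknown.
            $product = $known->get($row->id);
            if ($product !== null && (string) $product->name === (string) $row->name) {
                continue;
            }

            // Context that actually helps attribution: which session, from where, on which request.
            Log::warning('cart row not backed by products table', [
                'rowId'      => $row->rowId,
                'product_id' => $row->id,
                'name'       => $row->name,
                'session_id' => $request->session()->getId(),
                'user_id'    => optional($request->user())->id,
                'ip'         => $request->ip(),
                'user_agent' => $request->userAgent(),
                'path'       => $request->path(),
            ]);

            Cart::remove($row->rowId);           // the row's own id, never request input
            $removed[] = ['rowId' => $row->rowId, 'id' => $row->id, 'name' => $row->name];
        }

        return $removed;
    }
}

// Usage from the controller, right after Cart::add(...) (hypothetical wiring):
//   $removed = app(\App\Services\CartIntegrity::class)->pruneUnknownRows($request);
//   return back()->with('success', 'Successfully added to cart.')
//                ->with('removed_rows', count($removed));
```

If the log lines all carry the same session id and an IP that is yours, the bogus row is being created inside your own session and the place to look is every other code path that calls Cart::add (seeders, demo routes, tests run against the live app), not an outside attacker.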
Snapey
Best Answer

How do you know they have written to the session? It would be their session; how do you see it?

2 likes
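Snapey's question can be answered directly from the server: every visitor's session is a file under the directory configured in session.files, and the site owner can read all of them. Because config/session.php has 'encrypt' => true, the files cannot simply be grepped; they must be decrypted with the app's APP_KEY. The following is an added example, not from the original post or the cart package, meant to be run inside `php artisan tinker` (so the app encrypter and models are loaded). It decrypts each session file, walks the payload for anything that looks like a cart row (an id plus a name), checks those rows against the products table in one query, and reports which session files hold unknown rows. Assumed: an App\Models\Product model with id and name columns; the exact session key under which mindscms/laravelshoppingcart stores the cart is not assumed, which is why the payload is walked recursively. Note that session.lottery garbage-collects expired files, so run this soon after an incident.

```php
<?php
// Added example: audit all server-side session files for cart rows that are not
// backed by the products table. Run from `php artisan tinker`.

use App\Models\Product;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;

/**
 * Collect every ['id' => ..., 'name' => ...] pair found anywhere in a nested
 * structure. Objects (CartItem, Collection) are cast to arrays so protected
 * properties such as Collection::$items are still walked. Heuristic: any array
 * with scalar 'id' and 'name' keys is treated as a cart-like row.
 */
function collectCartLikeItems(mixed $node, array &$found): void
{
    if (is_object($node)) {
        $node = (array) $node;
    }
    if (!is_array($node)) {
        return;
    }
    if (isset($node['id'], $node['name']) && is_scalar($node['id']) && is_scalar($node['name'])) {
        $found[] = [
            'id'    => (string) $node['id'],
            'name'  => (string) $node['name'],
            'rowId' => $node['rowId'] ?? null,
        ];
    }
    foreach ($node as $child) {
        collectCartLikeItems($child, $found);
    }
}

/**
 * One entry per session file that holds a cart row not found in the products
 * table. count() of the result is the number of distinct visitor sessions affected.
 */
function auditSessionCarts(string $sessionDir): array
{
    $report = [];
    foreach (glob($sessionDir . '/*') as $file) {   // '*' skips dotfiles such as .gitignore
        if (!is_file($file)) {
            continue;
        }
        try {
            // EncryptedStore encrypts the serialized attribute array; decrypt() gives that string back.
            $payload = Crypt::decrypt(file_get_contents($file));
        } catch (DecryptException $e) {
            $report[basename($file)] = ['error' => 'undecryptable (written under another APP_KEY?)'];
            continue;
        }
        $attributes = @unserialize($payload);
        if (!is_array($attributes)) {
            continue;
        }

        $items = [];
        collectCartLikeItems($attributes, $items);
        if ($items === []) {
            continue;
        }

        $known = Product::whereIn('id', array_column($items, 'id'))->get()->keyBy('id');
        $bad = array_values(array_filter($items, function (array $item) use ($known) {
            $p = $known->get($item['id']);            // "0001" does not match integer key 1
            return $p === null || (string) $p->name !== $item['name'];
        }));

        if ($bad !== []) {
            $report[basename($file)] = [
                'last_write' => date('c', filemtime($file)),
                'bad_rows'   => $bad,
            ];
        }
    }
    return $report;
}

// In tinker:
//   >>> $r = auditSessionCarts(config('session.files'));
//   >>> count($r);   // how many sessions contain an unknown product
//   >>> $r;          // which files, when last written, and which rows
```

The session-file name is the session id, so an entry here can be matched against the session_id that the in-request log line records, and against your own browser's session to settle whether the row exists anywhere other than the session you were looking at.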
mohsenphp

Thanks for your reply.

I log the cart record if the product that was added to the cart is not in the table, and I did mention it in the action above:

// Here check if the data from the cart/session is in the products table in the DB

and he inserted the below into the cart: rowId: 6d7b861f889ade22640579237d2e0846 product_id: 0001 name: Product 1

Even once, when I was testing the site, I suddenly came across it. For example, I added the product with id 3250 to the cart, but when I redirected to the cart display action I saw that I had two items in the cart, AND one of them was product_id: 0001 name: Product 1, which I have never had in the product table !!!!!!

I quickly took a snapshot; I cannot send the image here !!

How can I send the image here ?!

mohsenphp

@Snapey Yes, absolutely. Yesterday I had this again.

In the cart that I logged I have:

rowId: c699d1a3b268c3ec047f83dd37ceb367 product_id: 4273 name: زنجیر چرخ کمربندی رنو ساندرو استپ وی برند اصل (Farsi: belt-type tire chain for Renault Sandero Stepway, original brand)
rowId: 6d7b861f889ade22640579237d2e0846 product_id: 0001 name: Product 1

All my product names are in Farsi. To be sure, I just checked the DB and I do NOT have any product named Product 1.

mohsenphp

@Snapey Maybe it has nothing to do with the session, BUT how about the route !!!

mohsenphp

I do not know whether the session is written by the hacker, but I have a record in the cart that is not in the table. Maybe he (the hacker) sends some HTTP request, I don't know !!!

I checked the route and it is OK, and everything in my opinion is correct.

I check the whole cart at the end of the add method; if the record, I mean product_id and product name, is not in the table, I log the row to another file, then delete the row from the cart to tidy up the cart shown to the user who is buying.

krisi_gjika

If you see a product that should not be there, maybe you should check how products are created rather than the adding to the cart.

mohsenphp

@krisi_gjika Thanks, BUT

I check the whole cart at the end of the add method; if the record, I mean product_id and product name, is not in the table, I log the row to another file, then delete the row from the cart to tidy up the cart shown to the user who is buying.

krisi_gjika

@mohsenphp And what if, at the moment of the check, the product does exist in your DB? That's why I say to check the other part of this, the product management part. Maybe you have a route that can be accessed by non-admins, maybe you have a wrong permission check somewhere, maybe your DB password is not safe, who knows.

mohsenphp

@krisi_gjika Admins only log in with SMS, and I am 100% sure nobody else can access it; if they could, I think the hacker could do something more dangerous!!
