Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

Insufficient validation of sides/modifiers quantity

Medium
U
Upserve
Submitted None

Team Summary

Official summary from Upserve

An order could be modified to include more sides/modifiers than was permitted due to a lack of server-side validation.

Actions:
View on HackerOne
Reported by liquid8

Vulnerability Details

Technical details and impact analysis

Business Logic Errors
**Summary:** The Upserve Online Ordering (OLO) application does not properly verify on the server side the number of sides/modifiers that have been added **Description:** Certain items allow for selection of a limited number of sides/modifiers, and the application restricts the number of sides/modifies that can be selected on the client side through javascript, but does not validate the request on the server side for the number of sides/modifiers. By intercepting and modifying the traffic when the order request is sent, an attacker will be able to place an order with more than the allowed number of sides/modifiers. **Steps To Reproduce:** The issue can be demonstrated using the test store https://app.upserve.com/s/upserve-lounge-test-providence-2 and the menu item "Char Boil Trou". 1) Select the "Char Boil Trou" option and add it to the cart. Note that only 1 side can be added (exceed-max-sides-1.png) 2) Checkout and submit the order 3) Intercept the request and add additional sides in the JSON request. In this example 3 sides are added instead of the maximum of 1 by changing the "sides" JSON parameter to (exceed-max-sides-3.png): ```"sides":[{"id":"aa79b4fe-d8be-40d8-8693-21fd5b94ef50","name":"Brussel Sprouts","price":0,"side_id":"1cbde3ee-0f16-4938-8139-3b5af5781c4c","price_cents":0,"tax_rate_id":"40eb334a-300c-4b02-8d70-54b199d1c197","tax_rate":{"id":"40eb334a-300c-4b02-8d70-54b199d1c197","name":"Sales Tax","percentage_rate":"0.1"}},{"id":"1074ac11-2c37-48d1-b4dd-13d8deaf183f","name":"Asparagus","price":0,"side_id":"573ff30a-1dd4-44be-9179-d4c81c088963","price_cents":0,"tax_rate_id":"40eb334a-300c-4b02-8d70-54b199d1c197","tax_rate":{"id":"40eb334a-300c-4b02-8d70-54b199d1c197","name":"Sales Tax","percentage_rate":"0.1"}},{"id":"d3f0aebe-e71b-4f6a-9f57-a449dd518422","name":"Mashed Potatoes","price":0,"side_id":"32b8f396-e779-4252-86cb-e0a8f41745dc","price_cents":0,"tax_rate_id":"40eb334a-300c-4b02-8d70-54b199d1c197","tax_rate":{"id":"40eb334a-300c-4b02-8d70-54b199d1c197","name":"Sales Tax","percentage_rate":"0.1"}}]``` 4) The request is accepted by the application (exceed-max-sides-2.png) 5) Viewing the submitted order in the users profile shows that the order was made with 3 sides (exceed-max-sides-4.png) ## Impact A malicious user will be able to add additional sides/modifiers beyond the maximum number allowed, which the restaurant might include if the discrepancy is not noticed, which would result in monetary loss to the restaurant.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$500.00

Submitted

Weakness

Business Logic Errors