[Owasp-leaders] opinion regarding issue found in major email provider

John Patrick Lita john.patrick.lita at owasp.org
Thu Aug 27 14:09:26 UTC 2015


It means it doesn't validate whether the card is valid or not; it means this
vulnerability can be considered as Authentication and Session Management.

On Thu, Aug 27, 2015 at 6:57 AM, Daniel Harvey <daniel.harvey at owasp.org>
wrote:

> How about CWE-489?
> On Aug 27, 2015 9:49 AM, "johanna curiel curiel" <johanna.curiel at owasp.org>
> wrote:
>
>> Hi all
>>
>> I would like to have your opinion on an issue I found during a bug
>> hunting activity
>>
>> A major email provider has their own store for selling branded
>> t-shirts, pens, etc.
>>
>> I attempted to buy using a test credit card number. I was able to get a
>> confirmation and final transaction with a value of USD2000.
>>
>> When I reported the issue, they mentioned to me they did not consider
>> this as a vulnerability. I have always understood that deploying to
>> production should not contain test data that attackers could use to bypass
>> the system.
>>
>> What kind of vulnerability can this be considered if we can consider it a
>> vulnerability?
>>
>> regards
>>
>> Johanna
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>


-- 
Best Regards
John Patrick Lita
*Chapter Leader OWASP Manila*
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
https://www.owasp.org/index.php/Manila
<https://lists.owasp.org/mailman/listinfo/owasp-manila>