[Owasp-leaders] opinion regarding issue found in major email provider

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 27 14:18:12 UTC 2015


Since they do not consider it a vulnerability, feel free to check this shop.


On Thu, Aug 27, 2015 at 10:09 AM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> It means it doesn't validate whether the card is valid or not; it means this
> vulnerability can be considered as Authentication and Session Management.
>
> On Thu, Aug 27, 2015 at 6:57 AM, Daniel Harvey <daniel.harvey at owasp.org>
> wrote:
>
>> How about CWE-489?
>> On Aug 27, 2015 9:49 AM, "johanna curiel curiel" <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi all
>>>
>>> I would like to have your opinion on an issue I found during a bug
>>> hunting activity.
>>>
>>> A major email provider has their own store for selling branded
>>> t-shirts, pens, etc.
>>>
>>> I attempted to buy using a test credit card number. I was able to get a
>>> confirmation and final transaction with a value of USD 2000.
>>>
>>> When I reported the issue, they mentioned to me that they did not consider
>>> this a vulnerability. I have always understood that a production
>>> deployment should not contain test data that attackers could use to bypass
>>> the system.
>>>
>>> What kind of vulnerability can this be considered, if we can consider it
>>> a vulnerability?
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>
>
> --
> Best Regards
> John Patrick Lita
> *Chapter Leader OWASP Manila*
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> https://www.owasp.org/index.php/Manila
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>
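The check the shop apparently lacked, as an added illustration that is not code from this thread or from the shop in question: a pre-authorization screen that applies the Luhn check (which only catches typos) and then refuses the widely published test card numbers whenever the code is running in production, plus a startup check that fails fast if a production deployment is still pointed at a sandbox gateway or has a "skip authorization" switch left on. The denylist contents, the environment names, the config keys and the sample numbers are assumptions made for the example.

```python
"""Pre-authorization screening of a card number (PAN) that refuses
well-known test card numbers outside a sandbox environment.

Added example, not code from the OWASP thread or the shop it describes.
The denylist, the environment names and the config layout are assumptions.
"""
import re
from dataclasses import dataclass

# Widely published test PANs (Visa, Visa from Stripe's docs, Mastercard,
# American Express). They pass Luhn but never settle. Assumed denylist;
# a real deployment would build its own from its processor's documentation.
KNOWN_TEST_PANS = frozenset({
    "4111111111111111",
    "4242424242424242",
    "5555555555554444",
    "378282246310005",
})

PRODUCTION_ENVIRONMENTS = frozenset({"production", "prod"})


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' == '4111111111111111'."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812): detects typos, says nothing about whether a card is real."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def screen_card(raw_pan: str, environment: str) -> Decision:
    """Decide whether a PAN may be sent to the payment processor at all.

    The length and Luhn checks are purely syntactic; the test-PAN check is
    the one that depends on where the code is running.
    """
    pan = normalise_pan(raw_pan)
    if not 12 <= len(pan) <= 19:
        return Decision(False, "pan_length")
    if not luhn_valid(pan):
        return Decision(False, "luhn_failed")
    if environment in PRODUCTION_ENVIRONMENTS and pan in KNOWN_TEST_PANS:
        # Passing Luhn is not authorization: a test PAN must never reach a
        # live checkout, even if a misconfigured gateway would echo "approved".
        return Decision(False, "test_pan_in_production")
    return Decision(True, "ok_to_authorize")


def check_payment_config(config: dict) -> list:
    """Fail-fast startup check for leftover test settings (the CWE-489 angle).

    Assumed config keys: environment, gateway_mode, skip_authorization.
    Returns the list of problems found; empty means the config is deployable.
    """
    problems = []
    if config.get("environment") in PRODUCTION_ENVIRONMENTS:
        if config.get("gateway_mode") != "live":
            problems.append("production points at a non-live payment gateway")
        if config.get("skip_authorization"):
            problems.append("authorization bypass flag is enabled in production")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a Luhn-valid non-test PAN, a published test PAN in
    # production and in staging, and a PAN with a typo in the last digit.
    for pan, env in [("4123 4567 8901 2349", "production"),
                     ("4111 1111 1111 1111", "production"),
                     ("4111 1111 1111 1111", "staging"),
                     ("4111 1111 1111 1112", "production")]:
        print(pan, env, screen_card(pan, env))
    print(check_payment_config({"environment": "production",
                                "gateway_mode": "sandbox",
                                "skip_authorization": True}))
```

The point of running check_payment_config at process start rather than per request is that the condition in the thread (a production shop accepting a test card) is a deployment mistake: it is cheaper to refuse to boot than to discover it from a USD 2000 order that never settles.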
[Attachment scrubbed by the list archive: invalidcreditcardpassed.jpg (image/jpeg, 143853 bytes) <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150827/c6882cf5/attachment-0001.jpg>]