[Owasp-leaders] opinion regarding issue found in major email provider

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 27 14:21:35 UTC 2015


And the order confirmation😜. But yes, they did not consider this a
vulnerability 😁😝

[image: Inline image 1]

On Thu, Aug 27, 2015 at 10:18 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Since they do not consider it a vulnerability, feel free to check this
> shop
>
>
> On Thu, Aug 27, 2015 at 10:09 AM, John Patrick Lita <
> john.patrick.lita at owasp.org> wrote:
>
>> It means it doesn't validate whether the card is valid or not; it means this
>> vulnerability can be considered as Authentication and Session Management.
>>
>> On Thu, Aug 27, 2015 at 6:57 AM, Daniel Harvey <daniel.harvey at owasp.org>
>> wrote:
>>
>>> How about CWE-489?
>>> On Aug 27, 2015 9:49 AM, "johanna curiel curiel" <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi all
>>>>
>>>> I would like to have your opinion on an issue I found during a bug
>>>> hunting activity.
>>>>
>>>> A major email provider has their own store for selling branded
>>>> t-shirts, pens, etc.
>>>>
>>>> I attempted to buy using a test credit card number. I was able to get a
>>>> confirmation and final transaction with a value of USD2000.
>>>>
>>>> When I reported the issue, they mentioned to me they did not consider
>>>> this a vulnerability. I have always understood that deploying to
>>>> production should not contain test data that attackers could use to bypass
>>>> the system.
>>>>
>>>> What kind of vulnerability can this be considered if we can consider it
>>>> a vulnerability?
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>
>>
>> --
>> Best Regards
>> John Patrick Lita
>> *Chapter Leader OWASP Manila*
>> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
>> https://www.owasp.org/index.php/Manila
>> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 150346 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150827/54bd71b6/attachment-0001.png>

