[Owasp-leaders] opinion regarding issue found in major email provider

Owen Pendlebury owen.pendlebury at owasp.org
Thu Aug 27 14:29:46 UTC 2015


Hi Joanna,

Yeah, it is generally considered best practice to remove test data before
deploying to production.

I've seen this a few times and have been told that there are business
processes in the back-end that will stop it from going through. A bit silly
if you ask me: remove test data or spend a long time verifying card
numbers.

Owen Pendlebury
OWASP Ireland-Dublin Chapter Lead
https://www.owasp.org/index.php/Ireland-Dublin

On 27 August 2015 at 14:47, johanna curiel curiel <johanna.curiel at owasp.org>
wrote:

> Hi all
>
> I would like to have your opinion on an issue I found during a bug hunting
> activity.
>
> A major email provider has their own store for selling branded t-shirts,
> pens, etc.
>
> I attempted to buy using a test credit card number. I was able to get a
> confirmation and final transaction with a value of USD2000.
>
> When I reported the issue, they mentioned to me they did not consider this
> as a vulnerability. I have always understood that deploying to production
> should not contain test data that attackers could use to bypass the system.
>
> What kind of vulnerability can this be considered if we can consider it a
> vulnerability?
>
> regards
>
> Johanna