[Owasp-leaders] opinion regarding issue found in major email provider

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 27 14:44:10 UTC 2015


> That said, if the shipment materialized, then it would be a different
> story. Happy shopping!

I think in their system they have this test data which does not react to
the 'shipping procedure', and that's the reason why they did not consider it
a bug, but I haven't tested other kinds of validation issues with credit
cards and I just wonder if this could be the case.

In the meantime it is fun to shop and fantasize that I have an unlimited credit
card ;-)

On Thu, Aug 27, 2015 at 10:41 AM, Yolanda Baker <yolybaker at gmail.com> wrote:

> Hi Joanna,
>
> I agree with John, Owen, and Giorgio about the scope or criticality of the
> bug.
>
> That said, if the shipment materialized, then it would be a different
> story. Happy shopping!
>
> Regards,
> YolandaBakerUS
>
>
> On Thursday, August 27, 2015, Owen Pendlebury <owen.pendlebury at owasp.org>
> wrote:
>
>> Hi Joanna,
>>
>> Yeah, it is generally considered best practice to remove test data before
>> deploying to production.
>>
>> I've seen this a few times and have been told that there are business
>> processes in the back-end that will stop it from going through. A bit silly
>> if you ask me: remove test data, or spend a long time verifying card
>> numbers.
>>
>> Owen Pendlebury
>> OWASP Ireland-Dublin Chapter Lead
>> https://www.owasp.org/index.php/Ireland-Dublin
>>
>> On 27 August 2015 at 14:47, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi all
>>>
>>> I would like to have your opinion on an issue I found during a bug
>>> hunting activity.
>>>
>>> A major email provider has their own store for selling branded
>>> t-shirts, pens, etc.
>>>
>>> I attempted to buy using a test credit card number. I was able to get a
>>> confirmation and final transaction with a value of USD2000.
>>>
>>> When I reported the issue, they mentioned to me that they did not consider
>>> this a vulnerability. I have always understood that a deployment to
>>> production should not contain test data that attackers could use to bypass
>>> the system.
>>>
>>> What kind of vulnerability can this be considered, if we can consider it
>>> a vulnerability?
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
> --
> Sent from Gmail Mobile
>
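Owen's point in the thread (strip test data before production, or pay for it by verifying card numbers downstream) can be enforced as a small pre-authorization screen in the checkout path, so that a sandbox card number is rejected up front rather than relying on a back-office shipping process to catch the order later. The following is an added example, not code from anyone in this thread or from the store being discussed. The list of test card numbers is constructed from publicly documented gateway sandbox numbers, and the `environment` string is an assumed deployment setting.

```python
"""Checkout-time screen for gateway test card numbers.

Added example: rejects publicly documented sandbox card numbers when the
service runs in production, validates the Luhn check digit, and masks the
PAN for logging. Not the store's or any gateway's own code.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed list of widely published sandbox card numbers (PANs). In a real
# deployment this comes from the payment gateway's own documentation.
KNOWN_TEST_PANS = frozenset({
    "4111111111111111",
    "4242424242424242",
    "5555555555554444",
    "378282246310005",
    "6011111111111117",
})


@dataclass(frozen=True)
class CardDecision:
    accepted: bool
    reason: str


def normalize_pan(raw: str) -> str:
    """Keep digits only, so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check: double every second digit from the right."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for index, digit in enumerate(digits):
        if index % 2 == parity:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask all but the first six and last four digits before the value is logged."""
    if len(pan) < 12:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def screen_card(raw_pan: str, environment: str) -> CardDecision:
    """Decide whether a card number may proceed to authorization.

    `environment` is an assumed deployment setting; only the literal
    "production" enables the test-card rejection, so sandbox and staging
    builds can still exercise the full checkout flow with test numbers.
    """
    pan = normalize_pan(raw_pan)
    if not luhn_valid(pan):
        return CardDecision(False, "luhn_check_failed")
    if pan in KNOWN_TEST_PANS:
        if environment == "production":
            return CardDecision(False, "test_card_in_production")
        return CardDecision(True, "test_card_allowed_in_sandbox")
    return CardDecision(True, "passed_local_screening")


if __name__ == "__main__":
    # Constructed sample inputs: a sandbox Visa number and a made-up Luhn-valid number.
    for raw, env in (("4111 1111 1111 1111", "production"),
                     ("4111 1111 1111 1111", "staging"),
                     ("1234-5678-1234-5670", "production")):
        decision = screen_card(raw, env)
        print(f"{mask_pan(normalize_pan(raw))} in {env}: "
              f"accepted={decision.accepted} reason={decision.reason}")
```

The screen is deliberately local and cheap: it does not replace the gateway's authorization, it only stops the known test data from ever reaching it when the service is in production, which is the control Owen describes as missing.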