[Owasp-leaders] opinion regarding issue found in major email provider

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 27 14:44:10 UTC 2015

That said, if the shipment materialized, then it would be a different
story. Happy shopping!

I think in their system they have this test data which does not react to
the 'shipping procedure' and that's the reason why they did not consider it
a bug, but I haven't tested other kinds of validation issues with credit
cards and I just wonder if this could be the case.

In the meantime it is fun to shop and fantasize that I have an unlimited credit
card ;-)

On Thu, Aug 27, 2015 at 10:41 AM, Yolanda Baker <yolybaker at gmail.com> wrote:

> Hi Joanna,
> I agree with John, Owen, and Giorgio about the scope or criticality of the
> bug.
> That said, if the shipment materialized, then it would be a different
> story. Happy shopping!
> Regards,
> YolandaBakerUS
> On Thursday, August 27, 2015, Owen Pendlebury <owen.pendlebury at owasp.org>
> wrote:
>> Hi Joanna,
>> Yeah it is generally considered best practice to remove test data before
>> deploying to production.
>> I've seen this a few times and have been told that there are business
>> processes in the back-end that will stop it from going through. A bit silly
>> if you ask me, remove test data or spend a long time verifying card
>> numbers.
>> Owen Pendlebury
>> OWASP Ireland-Dublin Chapter Lead
>> https://www.owasp.org/index.php/Ireland-Dublin
>> On 27 August 2015 at 14:47, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> Hi all
>>> I would like to have your opinion on an issue I found during a bug
>>> hunting activity.
>>> A major email provider has their own store for selling branded
>>> t-shirts, pens, etc.
>>> I attempted to buy using a test credit card number. I was able to get a
>>> confirmation and final transaction with a value of USD 2000.
>>> When I reported the issue, they mentioned to me that they did not consider
>>> this a vulnerability. I have always understood that a deployment to
>>> production should not contain test data that attackers could use to bypass
>>> the system.
>>> What kind of vulnerability can this be considered, if we can consider it
>>> a vulnerability at all?
>>> regards
>>> Johanna
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Sent from Gmail Mobile
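The thread turns on two points: a test card number that passes the store's validation in production, and the claim that a back-end "business process" would stop the shipment anyway. The following is an added example, not code from the thread or from the store in question, showing the two guards a checkout would need: an environment-aware screen that rejects well-known published test PANs when the deployment is production, and a separate fulfilment gate that only releases an order once funds were actually captured. The `Environment`, `Order`, `screen_card` and `release_for_fulfilment` names are this example's own; the test PAN list is an illustrative subset of numbers that card networks and processors publish for sandbox use, and the Luhn check is included mainly to show that it cannot tell test data from a real card.

```python
# Added example (not from the OWASP-Leaders thread): production guard against
# test card numbers plus an independent fulfilment gate.
# Assumptions: Environment/Order/screen_card/release_for_fulfilment are this
# example's names; KNOWN_TEST_PANS is an illustrative subset of publicly
# documented processor test numbers, not any store's actual configuration.

from dataclasses import dataclass
from enum import Enum


class Environment(Enum):
    SANDBOX = "sandbox"
    PRODUCTION = "production"


# Publicly documented test PANs (illustrative subset). In a real deployment this
# list would be sourced from the payment processor's own test-card documentation.
KNOWN_TEST_PANS = {
    "4111111111111111",  # Visa test number
    "4242424242424242",  # Visa test number used by several processors
    "5555555555554444",  # Mastercard test number
    "378282246310005",   # American Express test number
}


def normalize_pan(raw: str) -> str:
    """Keep digits only: customers type spaces and dashes into card fields."""
    return "".join(c for c in raw if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check over a digit string.

    Every entry in KNOWN_TEST_PANS passes this check, so a Luhn-only validator
    is exactly the kind of 'validation' that lets test data through.
    """
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def screen_card(raw_pan: str, env: Environment) -> str:
    """Checkout-side screen. Returns a short outcome tag.

    The same test number is acceptable in the sandbox and must be refused in
    production; the environment, not the card number, decides.
    """
    pan = normalize_pan(raw_pan)
    if not luhn_valid(pan):
        return "reject:invalid"
    if pan in KNOWN_TEST_PANS:
        if env is Environment.SANDBOX:
            return "accept:test"
        return "reject:test-pan-in-production"
    return "accept"


@dataclass
class Order:
    order_id: str
    pan_screen: str          # outcome of screen_card() at checkout
    amount_usd: float
    payment_captured: bool   # True only once the processor actually settled funds


def release_for_fulfilment(order: Order) -> bool:
    """Second, independent gate before anything ships.

    Even if a test PAN slipped past checkout, shipping requires real captured
    funds. This is defence in depth; it does not replace removing test data
    from the production configuration.
    """
    if order.pan_screen == "accept:test":
        return False
    if order.pan_screen != "accept":
        return False
    return order.payment_captured


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    print(screen_card("4111 1111 1111 1111", Environment.PRODUCTION))  # reject:test-pan-in-production
    print(screen_card("4111 1111 1111 1111", Environment.SANDBOX))     # accept:test
    print(release_for_fulfilment(Order("o1", "accept:test", 2000.0, True)))  # False
```

The point of splitting the two checks is the one Owen raises: a store that relies only on a back-end process to catch the shipment has a single control, and nobody outside that process can tell whether it actually fires. Rejecting known test PANs at checkout in production makes the control visible and testable; the fulfilment gate catches whatever the first screen misses.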