[Owasp-leaders] opinion regarding issue found in major email provider

Tom Brennan tomb at proactiverisk.com
Thu Aug 27 16:21:29 UTC 2015


Always a good manual test to check for test credit cards to determine
if the system catches them. Many providers (for example Authorize.NET)
provide a list of test cards for their merchants, and so do the
others.

The following test credit card numbers will work in the sandbox (and
sometimes in production).

American Express Test Card        370000000000002
Discover Test Card                6011000000000012
JCB                               3088000000000017
Diners Club / Carte Blanche       38000000000006
MasterCard                        5424000000000015
Visa Test Card                    4007000000027 or 4012888818888

So when commerce sites display provider trustmarks, for example, it is
always an added item on the manual test to see if we can push it into
the system for processing. When things show up at the office it's
always fun to send them back to the client with a report, so make sure
they are small ;)

Tom Brennan
ProactiveRISK
+1 888 255 0834 x799
www.proactiverisk.com



On Thu, Aug 27, 2015 at 10:44 AM, johanna curiel curiel
<johanna.curiel at owasp.org> wrote:
>
> That said, if the shipment materialized, then it would be a different story. Happy shopping!
>
> I think in their system they have this test data which does not react to the 'shipping procedure', and that's the reason why they did not consider it a bug, but I haven't tested other kinds of validation issues with credit cards and I just wonder if this could be the case.
>
> In the meantime it's fun to shop and fantasize I have an unlimited credit card ;-)
>
> On Thu, Aug 27, 2015 at 10:41 AM, Yolanda Baker <yolybaker at gmail.com> wrote:
>>
>> Hi Joanna,
>>
>> I agree with John, Owen, and Giorgio about the scope or criticality of the bug.
>>
>> That said, if the shipment materialized, then it would be a different story. Happy shopping!
>>
>> Regards,
>> YolandaBakerUS
>>
>>
>> On Thursday, August 27, 2015, Owen Pendlebury <owen.pendlebury at owasp.org> wrote:
>>>
>>> Hi Joanna,
>>>
>>> Yeah it is generally considered best practice to remove test data before deploying to production.
>>>
>>> I've seen this a few times and have been told that there are business processes in the back-end that will stop it from going through. A bit silly if you ask me, remove test data or spend a long time verifying card numbers.
>>>
>>> Owen Pendlebury
>>> OWASP Ireland-Dublin Chapter Lead
>>> https://www.owasp.org/index.php/Ireland-Dublin
>>>
>>> On 27 August 2015 at 14:47, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>
>>>> Hi all
>>>>
>>>> I would like to have your opinion on an issue I found during a bug hunting activity.
>>>>
>>>> A major email provider has their own store for selling branded t-shirts, pens, etc.
>>>>
>>>> I attempted to buy using a test credit card number. I was able to get a confirmation and a final transaction with a value of USD 2000.
>>>>
>>>> When I reported the issue, they mentioned to me that they did not consider this a vulnerability. I have always understood that what is deployed to production should not contain test data that attackers could use to bypass the system.
>>>>
>>>> What kind of vulnerability can this be considered, if we can consider it a vulnerability?
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>
>>
>> --
>> Sent from Gmail Mobile
>
>

-- 
WARNING: E-mail transmission cannot be guaranteed to be secure or 
error-free as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses. The sender therefore does 
not accept liability for any errors or omissions in the contents of this 
message, which arise as a result of e-mail transmission. No employee or 
agent is authorized to conclude any binding agreement on behalf of 
ProactiveRISK with another party by email.
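Added example (not code from anyone in this thread): a small server-side screen that runs Tom's manual check in code. It takes the sandbox test card numbers he lists, normalizes the submitted PAN, and classifies it as a known test card, Luhn-invalid, or OK before anything is sent to the processor. The function names, the order payload shape (pan / amount_usd) and the sample checkout are assumptions made up for illustration. The point it demonstrates is that every one of the listed test cards passes the Luhn check, so a checkout that only validates the check digit will happily accept them; the denylist has to be explicit.

```python
"""Screen a card number (PAN) against the Luhn check and a list of known
sandbox/test card numbers before it reaches the payment processor.

Added example, not code from the thread. The test numbers are the ones
quoted in Tom's reply (Authorize.NET sandbox cards). Function names and
the checkout payload shape are assumptions for illustration.
"""
import re

# Sandbox test cards quoted in the thread. All of them pass Luhn, which
# is exactly why a Luhn check on its own does not catch them.
KNOWN_TEST_PANS = {
    "370000000000002": "American Express test card",
    "6011000000000012": "Discover test card",
    "3088000000000017": "JCB test card",
    "38000000000006": "Diners Club / Carte Blanche test card",
    "5424000000000015": "MasterCard test card",
    "4007000000027": "Visa test card",
    "4012888818888": "Visa test card",
}


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes so '4012 8888 1888 8' matches '4012888818888'."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check; rejects anything that is not 12-19 digits."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_pan(raw: str) -> str:
    """Return 'test-card', 'invalid' or 'ok'.

    The denylist is checked first, so a Luhn-valid sandbox number is never
    mistaken for a real card.
    """
    pan = normalize_pan(raw)
    if pan in KNOWN_TEST_PANS:
        return "test-card"
    if not luhn_valid(pan):
        return "invalid"
    return "ok"


def screen_checkout(order: dict) -> dict:
    """Hypothetical server-side hook deciding whether an order may go to the
    processor. The order shape {'pan': ..., 'amount_usd': ...} is assumed."""
    verdict = classify_pan(order["pan"])
    return {
        "proceed": verdict == "ok",
        "reason": verdict,
        "amount_usd": order["amount_usd"],
    }


def test_cards_all_pass_luhn() -> bool:
    """True if every known test card would slip past a Luhn-only check."""
    return all(luhn_valid(p) for p in KNOWN_TEST_PANS)


if __name__ == "__main__":
    # Constructed sample checkout, like the USD 2000 order described above.
    sample = {"pan": "4012 8888 1888 8", "amount_usd": 2000}
    print(screen_checkout(sample))
```

Run it as is and the sample order is refused with reason "test-card". The list is deliberately the one from the thread; in practice you would load the full set your processor publishes and keep the check on the server, since anything done in the browser can be skipped.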
