[Owasp-o2-platform] Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities

dinis cruz dinis.cruz at owasp.org
Wed Jul 13 09:25:09 EDT 2011


On the Spring MVC topic, I added a couple more blog posts and video to the
O2 developer blog:

   - http://o2platform.wordpress.com/2011/07/13/viewing-jpetstore-hsqldb-database-and-couple-more-autobinding-issues/
   - http://o2platform.wordpress.com/2011/07/13/writing-an-o2-ie-automation-script-for-jpetstore-account-creation/
     (with supporting YouTube video: http://www.youtube.com/watch?v=J4Ojqzb6qsw)
   - http://o2platform.wordpress.com/2011/07/13/injecting-firebuglite-and-jquery-into-a-ie-automation-page-jpetstore-example/
   - http://o2platform.wordpress.com/2011/07/13/creating-an-api-for-jpetstore-browser-auto/

I also noticed that using the same autobinding vulnerability, it is possible
to change the quantity of the item being purchased to a *negative* value,
which has interesting implications on the current purchase and, more
importantly, on the global (to JPetStore) 'item stock quantity' value.

I have not scripted this latest issue, but if you want to look at trying
these scripts, why don't you have a go at writing it?

:)

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
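The negative-quantity issue mentioned above, as an added example that is not part of the original message and not JPetStore or O2 Platform code: a toy cart line is populated from request parameters the way a Spring MVC data binder would populate a command object, first with no allow-list and then with an allow-list plus a quantity check. The item id, price, stock count, request parameters and the helper names (`bind_unrestricted`, `bind_allowlisted`, `handle_update_cart`, `run`) are all constructed for this demo.

```python
"""Simulation of the autobinding (mass assignment) issue described in the
message above.  Added example, not JPetStore or O2 Platform code.  A toy
order line is populated from request parameters the way a framework data
binder does: once without an allow-list, once with an allow-list and a
quantity check.  All ids, prices, stock counts and parameters are constructed.
"""
import copy
from dataclasses import dataclass

# Constructed catalogue: item id -> unit price and units currently in stock.
STOCK = {"EST-1": {"price": 16.50, "stock": 10}}

# Constructed request parameter sets, as they would arrive in a cart update.
ATTACK_PARAMS = {"item_id": "EST-1", "quantity": "-5", "unit_price": "0.01"}
TAMPERED_PRICE_PARAMS = {"item_id": "EST-1", "quantity": "2", "unit_price": "0.01"}
LEGIT_PARAMS = {"item_id": "EST-1", "quantity": "2"}

# Fields the client is allowed to set on the command object.
ALLOWED_FIELDS = {"item_id", "quantity"}


@dataclass
class OrderLine:
    item_id: str = ""
    quantity: int = 1
    unit_price: float = 0.0  # server-controlled; must never come from the client


def _assign(target, name, raw):
    """Convert the raw string parameter to the attribute's current type."""
    current = getattr(target, name)
    setattr(target, name, type(current)(raw))


def bind_unrestricted(target, params):
    """Model of a binder with no allow-list: every parameter whose name matches
    an attribute of the target is written into it (the vulnerable behaviour)."""
    for name, raw in params.items():
        if hasattr(target, name):
            _assign(target, name, raw)
    return target


def bind_allowlisted(target, params, allowed):
    """Same binder restricted to an explicit allow-list of field names
    (what WebDataBinder.setAllowedFields() does in Spring MVC)."""
    for name, raw in params.items():
        if name in allowed and hasattr(target, name):
            _assign(target, name, raw)
    return target


def place_order(line, stock):
    """Deduct the ordered quantity from stock and return the amount charged.
    A negative quantity here refunds the buyer and *increases* the stock."""
    item = stock[line.item_id]
    item["stock"] -= line.quantity
    return round(line.unit_price * line.quantity, 2)


def handle_update_cart(params, stock, hardened):
    """Cart-update handler.  The line is pre-populated from the catalogue
    (price comes from the server), then the request parameters are bound."""
    item_id = params.get("item_id", "")
    if item_id not in stock:
        raise ValueError("unknown item")
    line = OrderLine(item_id=item_id, unit_price=stock[item_id]["price"])
    if not hardened:
        bind_unrestricted(line, params)
    else:
        bind_allowlisted(line, params, ALLOWED_FIELDS)
        # Business-rule validation that autobinding alone never gives you.
        if line.quantity < 1:
            raise ValueError("quantity must be a positive integer")
        if line.quantity > stock[item_id]["stock"]:
            raise ValueError("quantity exceeds available stock")
    return place_order(line, stock)


def run(params, hardened):
    """Run one cart update against a fresh copy of the catalogue and return
    (amount charged, units left in stock)."""
    stock = copy.deepcopy(STOCK)
    total = handle_update_cart(params, stock, hardened)
    return total, stock["EST-1"]["stock"]


if __name__ == "__main__":
    print("vulnerable, attack params :", run(ATTACK_PARAMS, hardened=False))
    print("hardened, legit params    :", run(LEGIT_PARAMS, hardened=True))
    print("hardened, tampered price  :", run(TAMPERED_PRICE_PARAMS, hardened=True))
    try:
        run(ATTACK_PARAMS, hardened=True)
    except ValueError as exc:
        print("hardened, attack params   : rejected ->", exc)
```

Two separate defences are shown on purpose: the allow-list stops the client from touching `unit_price` at all, but it does nothing about a negative `quantity`, which is a perfectly valid value for the bound field; that needs an explicit range check (or a bean-validation constraint) on the command object.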