[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Exploiting an online store

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Exploiting an online store
From: "Josh perrymon" <perrymonj@xxxxxxxxxxxxxxxx>
Date: Wed, 14 Sep 2005 15:05:24 -0500

I was reading an article about an attacker that could have changed a
price in an online shopping cart-

 

Snip----

 

Next, Reshef performed a little number he calls ``electronic 
shoplifting'': He edited the site's online order form to reduce the
price 
of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef 
actually could have purchased the book for the reduced price, adding a 
whole new spin to Priceline.com's ``name-your-own-price'' marketing 
campaign. 

Reshef's exploits didn't require any sophisticated software or 
particularly detailed knowledge of computer code. ``The only thing you 
need is an HTML editor that comes bundled with your Netscape or Internet

Explorer browser,'' he said. ``There is no magic to this.'' 

 

What are laws on this??  What if the guy did make the transaction using
his credit card? Since it is just a web transaction sending html from
the client to the server what proof would they have?  

 

 

 

Joshua Perrymon

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Exploiting an online store
  - From: Gadi Evron
- Re: [Full-disclosure] Exploiting an online store
  - From: fd

Prev by Date: RE: [Full-disclosure] Fwd: SF new mailing list announcement: BS 7799Security
Next by Date: RE: [Full-disclosure] Exploiting an online store
Previous by thread: RE: [Full-disclosure] Fwd: SF new mailing list announcement: BS 7799Security
Next by thread: Re: [Full-disclosure] Exploiting an online store
Index(es):
- Date
- Thread