[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Exploiting an online store
- To: Josh perrymon <perrymonj@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Exploiting an online store
- From: fd@xxxxxxxxxx
- Date: Thu, 15 Sep 2005 12:52:45 -0700 (PDT)
On Wed, 14 Sep 2005, Josh perrymon wrote:
> I was reading an article about an attacker that could have changed a
> price in an online shopping cart-
>
> Snip----
> Next, Reshef performed a little number he calls ``electronic
> shoplifting'': He edited the site's online order form to reduce the
> price
> of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef
> actually could have purchased the book for the reduced price, adding a
> whole new spin to Priceline.com's ``name-your-own-price'' marketing
> campaign.
>
> Reshef's exploits didn't require any sophisticated software or
> particularly detailed knowledge of computer code. ``The only thing you
> need is an HTML editor that comes bundled with your Netscape or Internet
>
> Explorer browser,'' he said. ``There is no magic to this.''
> ---
There is no client side security. Period. Who wrote the shopping cart
and allowed posting the price to it?? Wow ...
--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/