Full Disclosure mailing list archives
Re: Exploiting an online store
From: fd () ew nsci us
Date: Thu, 15 Sep 2005 12:52:45 -0700 (PDT)
On Wed, 14 Sep 2005, Josh perrymon wrote:
> I was reading an article about an attacker that could have changed a price in an online shopping cart.
>
> ---- Snip ----
> Next, Reshef performed a little number he calls ``electronic shoplifting'': He edited the site's online order form to reduce the price of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef actually could have purchased the book for the reduced price, adding a whole new spin to Priceline.com's ``name-your-own-price'' marketing campaign. Reshef's exploits didn't require any sophisticated software or particularly detailed knowledge of computer code. ``The only thing you need is an HTML editor that comes bundled with your Netscape or Internet Explorer browser,'' he said. ``There is no magic to this.''
> ---
There is no client side security. Period. Who wrote the shopping cart and allowed posting the price to it?? Wow ...

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
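The point of the reply above, as an added example that is not part of the thread: a cart that sums whatever price the browser posted beside one that prices every line from its own catalog. The catalog, product ids and the sample order are constructed for illustration.

```python
# Added example (not from the list post): why a client-supplied price must
# never be trusted. Catalog, product ids and the order are constructed.
from decimal import Decimal

# Constructed server-side catalog: the only legitimate source of a price.
CATALOG = {
    "book-1001": Decimal("22.95"),
    "book-1002": Decimal("9.50"),
}

def total_trusting_client(items):
    """Vulnerable: sums whatever 'price' field the browser posted.

    Editing price=22.95 to price=2.95 in the form changes the total,
    because the server never consults its own catalog."""
    return sum(Decimal(str(i["price"])) * int(i["qty"]) for i in items)

def total_from_catalog(items):
    """Hardened: the price is looked up by product id on the server and any
    'price' field in the submission is ignored. Unknown ids and nonsensical
    quantities are rejected rather than silently priced at zero."""
    total = Decimal("0")
    for item in items:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown product {sku!r}")
        qty = int(item.get("qty", 0))
        if qty <= 0 or qty > 100:  # constructed sanity bound on quantity
            raise ValueError(f"bad quantity {qty} for {sku}")
        total += CATALOG[sku] * qty
    return total

# Constructed order as the browser submitted it, with a tampered price field.
TAMPERED_ORDER = [{"sku": "book-1001", "qty": 1, "price": "2.95"}]

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED_ORDER))  # 2.95
    print("server catalog: ", total_from_catalog(TAMPERED_ORDER))      # 22.95
```

Logging a mismatch between a posted price field and the catalog price is also a cheap detection signal for form tampering.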