A flaw in the business logic of the gift card purchasing function on sears.com. The flaw was in the verification functionality, which allowed an attacker to script thousands of gift card requests. The function relied on client-side cookies to prevent brute force attacks – doh!

Such a flaw would not be uncovered by automated scans or automated code review. So ASVS Level 1A or 1B would not be sufficient!

Human intervention, data flow analysis and business logic review from a security standpoint, coupled with manual testing, may have uncovered such an issue.
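To make the point concrete, here is an added example (not code from the original post or from sears.com) contrasting the weak pattern described above, a verification endpoint that keeps its failed-attempt counter in a cookie the client controls, with a hardened version that keeps the counter server-side in a sliding time window. Endpoint behaviour, cookie names, the attempt limit and the sample gift-card table are all assumptions for illustration.

```python
"""Client-side vs server-side brute-force protection for a gift card check.

Added example, not the original post's code. The card table, cookie name and
limits are constructed for illustration.
"""
import time
from collections import defaultdict

MAX_ATTEMPTS = 5
# Constructed sample "database": gift card code -> balance.
VALID_CARDS = {"GC-1234-5678": 50}


def _code_valid(code: str) -> bool:
    return code in VALID_CARDS


# --- Weak pattern: the attempt counter lives in a cookie the client sends ---
def verify_cookie_counter(code: str, cookies: dict) -> tuple:
    """Returns (status, cookies_to_set). The server trusts 'gc_attempts'
    from the request, so a client that simply drops the cookie is never locked."""
    attempts = int(cookies.get("gc_attempts", "0"))
    if attempts >= MAX_ATTEMPTS:
        return "locked", {}
    if _code_valid(code):
        return "valid", {"gc_attempts": "0"}
    return "invalid", {"gc_attempts": str(attempts + 1)}


def weak_guesses_allowed(n: int) -> int:
    """Risk illustration: a scripted client that discards cookies between
    requests; counts how many guesses the weak endpoint processes."""
    processed = 0
    for i in range(n):
        status, _ = verify_cookie_counter(f"GC-0000-{i:04d}", {})  # no cookie sent
        if status == "locked":
            break
        processed += 1
    return processed


# --- Hardened pattern: the counter is server-side, keyed by an identity the
# client cannot reset (account/session id, and in practice the card code too) ---
class ServerSideLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window_seconds=600, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic tests
        self.failures = defaultdict(list)  # key -> timestamps of failed attempts

    def _prune(self, key: str, now: float) -> None:
        cutoff = now - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]

    def is_locked(self, key: str) -> bool:
        now = self.clock()
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_attempts

    def verify(self, code: str, key: str) -> str:
        if self.is_locked(key):
            return "locked"  # also the place to emit an alert/log event
        if _code_valid(code):
            return "valid"
        self.failures[key].append(self.clock())
        return "invalid"


def hardened_guesses_allowed(n: int, limiter: ServerSideLimiter, key: str) -> int:
    """Same scripted client against the hardened endpoint: the lockout holds
    regardless of what the client sends or omits."""
    processed = 0
    for i in range(n):
        if limiter.verify(f"GC-0000-{i:04d}", key) == "locked":
            break
        processed += 1
    return processed


if __name__ == "__main__":
    print("weak endpoint processed:", weak_guesses_allowed(1000))
    print("hardened endpoint processed:",
          hardened_guesses_allowed(1000, ServerSideLimiter(), "session-abc"))
```

The server-side limiter is keyed by whatever identity the caller passes; in a real deployment the key should combine something the client cannot freely reset (account or session) with the gift card code itself, so that guessing spread across many clients is still throttled, and lockouts should be logged as a detection signal.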

Read more here




Comments ( 1 Comment )

Hello, I am depressed …
Thanks

SuperSonic

SuperSonic added these pithy words on May 21 10 at 2:56 am



© Copyright 2007 ASG Ireland . Thanks for visiting!