On Wed, 14 Sep 2005, Josh Perrymon wrote:

> I was reading an article about an attacker that could have changed a
> price in an online shopping cart-
>
> Snip----
> Next, Reshef performed a little number he calls "electronic
> shoplifting": He edited the site's online order form to reduce the
> price of a book from $22.95 to $2.95. Had he gone a few steps farther,
> Reshef actually could have purchased the book for the reduced price,
> adding a whole new spin to Priceline.com's "name-your-own-price"
> marketing campaign.
>
> Reshef's exploits didn't require any sophisticated software or
> particularly detailed knowledge of computer code. "The only thing you
> need is an HTML editor that comes bundled with your Netscape or Internet
> Explorer browser," he said. "There is no magic to this."
> ---

There is no client side security. Period.

Who wrote the shopping cart and allowed posting the price to it?? Wow ...

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
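The cart flaw discussed above, shown as an added example that is not code from the thread or from any real shop: a checkout that reads the price from the posted form beside one that looks the price up in a server-side catalog and flags any client-supplied price that disagrees. The catalog, SKU, field names and the submitted form are constructed for illustration.

```python
"""Server-side price handling for an order form (added example)."""
from decimal import Decimal

# Constructed catalog: SKU -> unit price. This is the only source of truth
# for prices; nothing the browser posts may override it.
CATALOG = {
    "book-1001": Decimal("22.95"),
}


def vulnerable_total(form: dict) -> Decimal:
    """The pattern the thread complains about: the price is taken from the
    posted form, so whoever edits the HTML decides what they pay."""
    return Decimal(form["price"]) * int(form["qty"])


def hardened_total(form: dict) -> tuple[Decimal, list[str]]:
    """Ignore any client-supplied price. Look the SKU up server-side and
    return the total plus audit messages for fields that were tampered."""
    alerts = []
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form.get("qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be positive")
    unit = CATALOG[sku]
    # A 'price' field should never be in the POST at all; a value that
    # disagrees with the catalog is a tampering signal worth logging.
    if "price" in form and Decimal(form["price"]) != unit:
        alerts.append(f"client price {form['price']} != catalog {unit} for {sku}")
    return unit * qty, alerts


# Constructed submission mimicking an edited order form: the hidden price
# field was lowered from 22.95 to 2.95 in the browser before posting.
TAMPERED_FORM = {"sku": "book-1001", "qty": "1", "price": "2.95"}

if __name__ == "__main__":
    print("vulnerable total:", vulnerable_total(TAMPERED_FORM))
    total, alerts = hardened_total(TAMPERED_FORM)
    print("hardened total:", total, "alerts:", alerts)
```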
