This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cornucopia - Ecommerce Website - AZ 2
Suit: Authorization
Card/Value: 2
Description:
Tim can influence where data is sent or forwarded to.
Technical Note:
Users must not be able to define unauthorised virtual locations/addresses such as:
- Database table names.
- File system paths.
- Recipient phone numbers or email addresses for alert SMS or email messages.
- URL paths.
All such properties must be defined by the ecommerce application itself, or drawn from a valid list of locations permitted for the user and their role; where a user needs to choose between locations, they should select an entry (for example an opaque key or index) that the application maps to the real location server-side.
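The following Python is an added illustration of the control described in the technical note; it is not code from the Cornucopia project or the OWASP wiki. It keeps a server-side catalogue of destinations (table names, export paths, redirect targets, alert recipients), lets the client send only an opaque token, and checks that the caller's role may select that token before returning the real location. The catalogue entries, role names, paths, table names and recipient addresses are all hypothetical, and the open-redirect anti-pattern is shown beside the hardened version for contrast.

```python
"""Resolving destinations from server-defined allow-lists instead of user input.

Added example, not part of the OWASP Cornucopia page. Every catalogue entry,
role, path, table name and address below is hypothetical.
"""


class DestinationNotPermitted(Exception):
    """Raised when a (kind, token) pair is unknown or not allowed for the role."""


# Hypothetical server-defined catalogue. The client only ever sends the
# short token on the left; the real location on the right never comes
# from a request.
DESTINATIONS = {
    "report_table": {"orders_export": "orders_archive",
                     "stock_export": "stock_snapshot"},
    "export_path": {"invoices": "/srv/exports/invoices",
                    "labels": "/srv/exports/labels"},
    "redirect": {"basket": "/basket", "account": "/account/orders", "home": "/"},
    "alert_channel": {"fraud": "fraud-team@example.com", "ops": "+15550100"},
}

# Which tokens each hypothetical role may select. Customers may only be
# redirected inside the shop; staff may run exports and page the fraud
# team; admins may select everything in the catalogue.
ROLE_PERMISSIONS = {
    "customer": {"redirect": {"basket", "account", "home"}},
    "staff": {
        "redirect": {"basket", "account", "home"},
        "report_table": {"orders_export", "stock_export"},
        "export_path": {"invoices", "labels"},
        "alert_channel": {"fraud"},
    },
    "admin": {kind: set(entries) for kind, entries in DESTINATIONS.items()},
}


def resolve_destination(kind, token, role):
    """Map a client-supplied token to a server-defined location.

    Succeeds only if the token exists in the catalogue for this kind AND the
    role is permitted to select it. The value returned is always one the
    application defined itself, so traversal strings, foreign table names or
    attacker-chosen addresses can never reach a sink.
    """
    allowed = ROLE_PERMISSIONS.get(role, {}).get(kind, set())
    if token not in allowed or token not in DESTINATIONS.get(kind, {}):
        raise DestinationNotPermitted(f"{role!r} may not send to {kind}:{token!r}")
    return DESTINATIONS[kind][token]


def resolve_redirect_vulnerable(next_param):
    """The anti-pattern the card warns about: the redirect target is whatever
    the user sent, so ?next=https://evil.example/ becomes an open redirect."""
    return next_param


def resolve_redirect(next_param, role):
    """Hardened variant: 'next' is a token looked up in the catalogue; anything
    unknown or not permitted falls back to a server-chosen default rather than
    being echoed back to the browser."""
    try:
        return resolve_destination("redirect", next_param, role)
    except DestinationNotPermitted:
        return DESTINATIONS["redirect"]["home"]


def build_export_query(token, role):
    """SQL for a report export. The table name comes from the catalogue, so the
    user cannot name an arbitrary table; quoting the identifier is still cheap
    defence in depth should the catalogue ever gain an odd name."""
    table = resolve_destination("report_table", token, role)
    return f'SELECT * FROM "{table}"'


if __name__ == "__main__":
    # Constructed requests: one legitimate, three that try to pick a location.
    print(resolve_redirect("basket", "customer"))                 # /basket
    print(resolve_redirect("https://evil.example/", "customer"))  # /
    print(build_export_query("orders_export", "staff"))
    for kind, token, role in [("export_path", "../../etc/passwd", "admin"),
                              ("alert_channel", "ops", "staff")]:
        try:
            resolve_destination(kind, token, role)
        except DestinationNotPermitted as exc:
            print("rejected:", exc)
```

Note that the check is two-sided: a token must be both present in the catalogue and listed for the role, so adding a new destination to `DESTINATIONS` does not silently expose it to every role until someone also grants it in `ROLE_PERMISSIONS`.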
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE
---|---|---|---|---
44 | 4.3 | - | 153 | 8
15.7 | 10 | | |
16.1 | 11 | | |