Difference between revisions of "Talk:Testing for business logic"

m (→Description of Issues - Example 2)
m (Andrew Muller moved page Talk:Testing for business logic (OWASP-BL-001) to Talk:Testing for business logic over redirect: Testing for business logic is now a chapter heading supported by several test cases rather than being the only test case.)
(2 intermediate revisions by 2 users not shown)
Latest revision as of 12:29, 5 August 2014
Description of Issues - Example 2
There is something missing in Example 2. You've jumped from altering preferences to taking ownership of accounts.
I can understand that if I was editing preferences and sent userid 818 I'd alter the preferences of another company's user, but how would ownership of that account change? Rick.mitchell 08:42, 25 June 2008 (EDT)
I see your assumption, but the application was so flawed that when you updated a user's account and changed the user's id it didn't change the other user's preferences but assigned that id to your company's account. There is a session token that is used, so if this is unchanged and the userid is changed when the account is updated then the application will assign it to your company (i.e. the flawed logic). I will try to make this more clear in the example.
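A minimal model of the flaw described in the reply above, added here as an illustration and not code from the OWASP guide or from any real application: the session token identifies the caller's company, the vulnerable update handler trusts the userid sent in the form and re-points that user at the session's company, while the hardened handler only accepts a userid the session's company already owns. All names, tokens, user ids and records are constructed for the example.

```python
import copy

# Constructed sample state: a session token maps to a company, and each user
# record carries the company that owns it plus some preferences.
SESSIONS = {"tok-acme": {"company": "acme"}}
USERS = {
    817: {"company": "acme", "prefs": {"theme": "light"}},
    818: {"company": "globex", "prefs": {"theme": "dark"}},
}

class Forbidden(Exception):
    """Raised when the caller tries to update a user its company does not own."""

def fresh_state():
    """Deep copies so each call sequence starts from the same constructed data."""
    return copy.deepcopy(USERS), copy.deepcopy(SESSIONS)

def update_account_vulnerable(users, sessions, token, form):
    """Flawed logic: ownership follows the session, userid follows the request."""
    company = sessions[token]["company"]
    uid = int(form["userid"])                     # taken from the request as-is
    user = users.setdefault(uid, {"company": None, "prefs": {}})
    user["prefs"].update(form.get("prefs", {}))
    user["company"] = company                     # the bug: re-assigns ownership
    return user

def update_account_fixed(users, sessions, token, form):
    """Hardened logic: the userid must already belong to the session's company,
    and the company field is never derived from request data."""
    company = sessions[token]["company"]
    uid = int(form["userid"])
    user = users.get(uid)
    if user is None or user["company"] != company:
        # Log this server-side: a userid outside the caller's company is a
        # useful signal for detecting business-logic probing.
        raise Forbidden(f"user {uid} is not owned by {company}")
    user["prefs"].update(form.get("prefs", {}))
    return user
```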