Cornucopia - Ecommerce Website - AZ 2
Revision as of 14:58, 21 January 2016 by Dariodf
Suit: Authorization
Card/Value: 2
Description:
Tim can influence where data is sent or forwarded to.
Technical Note:
Users must not be able to define unauthorised virtual locations/addresses such as:
- Database table names.
- File system paths.
- Recipients (phone numbers or email addresses) of alert SMS or email messages.
- URL paths.
All such properties must be defined by the ecommerce application itself, or drawn from a valid list of locations permitted for the user and their role.
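As an added illustration (not part of the Cornucopia card or of the OWASP wiki), the Python below applies the rule above to the four kinds of location listed: a request carries only an opaque key or a candidate value, and the application maps it to the real table name, file path, redirect host or alert recipient from allowlists that the application owns, filtered by the caller's role. The tables, directory, hosts, account records and user names are all constructed for this example.

```python
"""Application-defined destinations: the user picks from what the app permits,
never supplies the table, path, host or address itself (constructed example)."""
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


class DestinationDenied(ValueError):
    """Raised when a request names a location the application does not permit."""


# --- Locations defined by the application (hypothetical values) -------------
# Keys are what a request may carry; values are what the application uses.
EXPORT_TABLES = {  # key -> (real table name, roles allowed to export it)
    "orders": ("sales_orders", {"clerk", "manager"}),
    "returns": ("sales_returns", {"clerk", "manager"}),
    "customers": ("crm_customers", {"manager"}),
}
REPORT_ROOT = "/srv/shop/reports"  # hypothetical report directory
REPORT_FILES = {"daily": "daily.csv", "monthly": "monthly.csv"}
REDIRECT_HOSTS = {"shop.example", "pay.example"}  # hypothetical first-party hosts
# Verified contact details live on the account record, never in the request.
ACCOUNTS = {"u-1001": {"email": "alice@example.com", "sms": "+15550100"}}


def resolve_export_table(user: User, key: str) -> str:
    """Map a request key to a real table name after checking the caller's role."""
    entry = EXPORT_TABLES.get(key)
    if entry is None:
        raise DestinationDenied(f"unknown export {key!r}")
    table, roles = entry
    if user.role not in roles:
        raise DestinationDenied(f"role {user.role!r} may not export {key!r}")
    return table


def resolve_report_path(key: str) -> str:
    """Map a report key to a file under REPORT_ROOT; a path is never accepted."""
    name = REPORT_FILES.get(key)
    if name is None:
        raise DestinationDenied(f"unknown report {key!r}")
    # Defence in depth: even an allowlisted value must stay under the root.
    full = posixpath.normpath(posixpath.join(REPORT_ROOT, name))
    if posixpath.commonpath([REPORT_ROOT, full]) != REPORT_ROOT:
        raise DestinationDenied("report path escapes REPORT_ROOT")
    return full


def resolve_redirect(target: str) -> str:
    """Accept only a same-site path or an https URL on a first-party host."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # A relative path must start with exactly one '/'. Browsers treat
        # "//host" as scheme-relative and some treat "/\host" the same way.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        raise DestinationDenied(f"refusing relative redirect {target!r}")
    # parts.hostname ignores userinfo and port, so "https://shop.example@evil"
    # resolves to host "evil" and is refused.
    if parts.scheme == "https" and parts.hostname in REDIRECT_HOSTS:
        return target
    raise DestinationDenied(f"refusing redirect to {target!r}")


def resolve_alert_recipient(user: User, channel: str) -> str:
    """Alerts go to the verified contact on the caller's own account."""
    account = ACCOUNTS.get(user.user_id)
    if account is None or channel not in account:
        raise DestinationDenied(f"no verified {channel!r} contact for {user.user_id}")
    return account[channel]


if __name__ == "__main__":
    clerk = User("u-1001", "clerk")
    print(resolve_export_table(clerk, "orders"))          # sales_orders
    print(resolve_report_path("daily"))                   # /srv/shop/reports/daily.csv
    print(resolve_redirect("https://pay.example/done"))   # allowed
    print(resolve_alert_recipient(clerk, "email"))        # alice@example.com
    for attempt in ("../../../etc/passwd", "//evil.example/", "customers"):
        try:
            resolve_export_table(clerk, attempt)
        except DestinationDenied as exc:
            print("denied:", exc)
```

The pattern is the same in every resolver: the request value is a lookup key, the lookup is scoped by the user's role or account, and anything that is not in the application's own list is refused rather than sanitised. Quoting or escaping a user-supplied table name, path or address is not a substitute, because the user still chose the destination.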
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE
---|---|---|---|---
44 | 4.3, 15.7, 16.1 | - | 153 | 8, 10, 11