This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Cornucopia - Ecommerce Website - W Joker B

Revision as of 15:35, 21 January 2016 by Dariodf (talk | contribs) (Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#fbbb7b;">Cornucopia - Ecommerce Website - WC J</span>}} File:Cornucopia_-_Ecommerce_Website_W_Jok...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cornucopia - Ecommerce Website W Joker B.png

Suit: Wild Card

Card/Value: Joker


Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.

Technical Note:

Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. Some examples are:

  • An undocumented installed component has a vulnerability announced.
  • The server hosting the ecommerce application makes an unapproved connection to another system.
  • The fully outsourced payment form template is modified to include code from the merchant's server.
  • Personal data relating to an individual is used for a purpose the individual has not consented to.
  • An unauthorised change to configuration data such that some component/service is no longer configured adequately.
  • Unapproved/insecure services/applications are installed/enabled.
  • The terms of service, or privacy statement, are modified without approval.
  • Personal data is inadvertently mixed with business contact data.
  • A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.


  • What could change that affects compliance?
  • How will the application detect this?
  • What is the incident response process for these?


Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.

« Previous Card | Wild Card | Next Card »