Difference between revisions of "Talk:Testing for business logic"

From OWASP
m (Andrew Muller moved page Talk:Testing for business logic (OWASP-BL-001) to Talk:Testing for business logic over redirect: Testing for business logic is now a chapter heading supported by several test cases rather than being the only test case.)

Latest revision as of 07:29, 5 August 2014

Description of Issues - Example 2

There is something missing in Example 2. You've jumped from altering preferences to taking ownership of accounts.

I can understand that if I was editing preferences and sent userid 818 I'd alter the preferences of another company's user but how would ownership of that account change? Rick.mitchell 08:42, 25 June 2008 (EDT)

I see your assumption, but the application was so flawed that when you updated a user's account and changed the user's id, it didn't change the other user's preferences but assigned that id to your company's account. There is a session token that is used, so if this is unchanged and the userid is changed when the account is updated, then the application will assign it to your company (i.e. the flawed logic). I will try to make this more clear in the example.
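A minimal model of the flawed update flow described in the reply above, alongside the ownership check that closes it. This is an added example, not code from the OWASP page or its contributors; the `User`, `Session`, `update_account_flawed` and `update_account_fixed` names and all sample data are constructed for illustration.

```python
# Added example (not from the OWASP page): the account-update logic the reply
# describes, in flawed and fixed forms. All names and data are constructed.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    company_id: int
    prefs: dict = field(default_factory=dict)


@dataclass
class Session:
    token: str
    company_id: int  # company of the logged-in user, derived from the token


class NotAuthorized(Exception):
    pass


def sample_users():
    """Constructed data: user 101 is in company 1, user 818 in company 2."""
    return {
        101: User(101, 1, {"theme": "light"}),
        818: User(818, 2, {"theme": "dark"}),
    }


def update_account_flawed(users, session, user_id, prefs):
    """Flawed logic: the submitted userid is trusted, and because the session
    token still identifies the caller's company, that company is written onto
    whichever user was named, so ownership silently moves to the caller."""
    user = users[user_id]
    user.prefs.update(prefs)
    user.company_id = session.company_id
    return user


def update_account_fixed(users, session, user_id, prefs):
    """Fixed logic: the userid from the request is honoured only if that user
    already belongs to the session's company; company ownership is never
    derived from the request and never changes during an update."""
    user = users.get(user_id)
    if user is None or user.company_id != session.company_id:
        raise NotAuthorized(f"user {user_id} is not in company {session.company_id}")
    user.prefs.update(prefs)
    return user


if __name__ == "__main__":
    sess = Session("tok-abc", company_id=1)
    print(update_account_flawed(sample_users(), sess, 818, {"theme": "blue"}))
```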