Talk:Testing for business logic (OWASP-BL-001)

From OWASP
Jump to: navigation, search

Description of Issues - Example 2

There something missing in Example 2. You've jumped from altering preferences to taking ownership of accounts.

I can understand that if I was editing preferences and sent userid 818 I'd alter the preferences of another company's user but how would ownership of that account change? Rick.mitchell 08:42, 25 June 2008 (EDT)

I see your assumption but the application was so flawed that when you updated a users account and changed the users id it didn't change the other users preferences but assign that id to your companies account. There is a session token that is used so if this is unchanged and the userid is changed when the account is updated then the application will assign it to your company (ie the flawed logic). I will try to make this more clear in the example.