Wednesday 13 July 2011

Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities

On the Spring MVC topic, I added a couple more blog posts and video to the O2 developer blog:
I also noticed that, using the same autobinding vulnerability, it is possible to change the quantity of the item being purchased to a negative value, which has interesting implications for the current purchase and, more importantly, for the global (to JPetStore) 'item stock quantity' value.

I have not scripted this latest issue, but if you are looking at trying these scripts, why don't you have a go at writing it?
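On the defensive side of the negative-quantity issue described above, the following added example (not code from this post, from O2 or from JPetStore) binds the same parameters through Spring's `DataBinder` twice: once with the default open binder and once with a field allowlist plus a range check. The classes `StockItem` and `CartLine`, their property names and the parameter values are hypothetical stand-ins, and the code assumes spring-context and spring-beans are on the classpath.

```java
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

public class BinderAllowlistDemo {
    // Hypothetical stand-ins for a cart line and its stock record (not JPetStore's classes).
    public static class StockItem {
        private int stockQuantity = 100;
        public int getStockQuantity() { return stockQuantity; }
        public void setStockQuantity(int q) { this.stockQuantity = q; }
    }
    public static class CartLine {
        private final StockItem item = new StockItem();
        private int quantity = 1;
        public StockItem getItem() { return item; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int q) { this.quantity = q; }
    }
    // Default binder: every parameter that matches a property path is applied.
    static BindingResult bindOpen(CartLine line, Map<String, String> params) {
        DataBinder binder = new DataBinder(line, "cartLine");
        binder.bind(new MutablePropertyValues(params));
        return binder.getBindingResult();
    }
    // Hardened: allowlist the one editable field, range-check it; caller must test hasErrors().
    static BindingResult bindHardened(CartLine line, Map<String, String> params) {
        DataBinder binder = new DataBinder(line, "cartLine");
        binder.setAllowedFields("quantity");
        binder.bind(new MutablePropertyValues(params));
        BindingResult result = binder.getBindingResult();
        if (!result.hasFieldErrors("quantity") && line.getQuantity() < 1) {
            result.rejectValue("quantity", "quantity.range", "quantity must be at least 1");
        }
        return result;
    }
    public static void main(String[] args) {
        // Constructed sample parameters, as a form post would deliver them.
        Map<String, String> params = Map.of("quantity", "-5", "item.stockQuantity", "0");
        CartLine open = new CartLine();
        bindOpen(open, params);
        System.out.println("open: quantity=" + open.getQuantity() + " stock=" + open.getItem().getStockQuantity());
        CartLine hard = new CartLine();
        BindingResult r = bindHardened(hard, params);
        System.out.println("hardened: stock=" + hard.getItem().getStockQuantity() + " errors=" + r.getErrorCount()
                + " suppressed=" + String.join(",", r.getSuppressedFields()));
    }
}
```

The names returned by `getSuppressedFields()` are worth logging: a parameter aimed at a property the form never renders is a tampering signal.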