OWASP Security Misconfiguration Example from PayPal.com

The article represents some of the examples of OWASP security misconfiguration vulnerabilities that I could figure out by spending sometime on the Paypal.com website. The article is just an educational one and is not written with any other intention. If you are from Paypal reading this, please get it right.

  1. Accessing PayPalObjects.com with URL, https://www.paypalobjects.com/ displays the fact that it is hosted on Apache Server. Take a look at the picture below. It looks like paypalobjects.com server hosts static resources such as CSS, JS and images file as I could figure out several of such resources link with base URL as paypalobjects.com.

    paypalobjects security misconfiguration example

    fig: paypalobjects security misconfiguration example

  2. Password Recovery Module seems to be using Spring Webflow framework.  The way I figured out about Spring webflow framework is the text “execution=e1s1”. As I have worked with Spring Webflow in the past and found this being used with many a password recovery modules, it was easy for me to guess about the framework. Spring Web Flow builds on Spring MVC and allows implementing the “flows” of a web application. A flow encapsulates a sequence of steps that guide a user through the execution of some business task. It spans multiple HTTP requests, has state, deals with transactional data, is reusable, and may be dynamic and long-running in nature. “execution=e1s1” refers to the flow execution number(e1) and step in that execution(s1). Take a look at the picture below:

    password recovery module using Spring Webflow

    fig: password recovery module using Spring Webflow


Ajitesh Kumar
Follow me

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. For latest updates and blogs, follow us on Twitter. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking. Check out my other blog, Revive-n-Thrive.com
Posted in Application Security. Tagged with , .

Leave a Reply

Your email address will not be published. Required fields are marked *