Categories: Application Security

OWASP Security Misconfiguration Example from PayPal.com

The article represents some of the examples of OWASP security misconfiguration vulnerabilities that I could figure out by spending sometime on the Paypal.com website. The article is just an educational one and is not written with any other intention. If you are from Paypal reading this, please get it right.

  1. Accessing PayPalObjects.com with URL, https://www.paypalobjects.com/ displays the fact that it is hosted on Apache Server. Take a look at the picture below. It looks like paypalobjects.com server hosts static resources such as CSS, JS and images file as I could figure out several of such resources link with base URL as paypalobjects.com.

    fig: paypalobjects security misconfiguration example

  2. Password Recovery Module seems to be using Spring Webflow framework.  The way I figured out about Spring webflow framework is the text “execution=e1s1”. As I have worked with Spring Webflow in the past and found this being used with many a password recovery modules, it was easy for me to guess about the framework. Spring Web Flow builds on Spring MVC and allows implementing the “flows” of a web application. A flow encapsulates a sequence of steps that guide a user through the execution of some business task. It spans multiple HTTP requests, has state, deals with transactional data, is reusable, and may be dynamic and long-running in nature. “execution=e1s1” refers to the flow execution number(e1) and step in that execution(s1). Take a look at the picture below:

    fig: password recovery module using Spring Webflow

[adsenseyu1]

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.

Share
Published by
Ajitesh Kumar

Recent Posts

Large Language Models (LLMs): Four Critical Modeling Stages

Large language models (LLMs) have fundamentally transformed our digital landscape, powering everything from chatbots and…

2 months ago

Agentic Workflow Design Patterns Explained with Examples

As Large Language Models (LLMs) evolve into autonomous agents, understanding agentic workflow design patterns has…

2 months ago

What is Data Strategy?

In today's data-driven business landscape, organizations are constantly seeking ways to harness the power of…

2 months ago

Mathematics Topics for Machine Learning Beginners

In this blog, you would get to know the essential mathematical topics you need to…

3 months ago

Questions to Ask When Thinking Like a Product Leader

This blog represents a list of questions you can ask when thinking like a product…

3 months ago

Three Approaches to Creating AI Agents: Code Examples

AI agents are autonomous systems combining three core components: a reasoning engine (powered by LLM),…

3 months ago