OWASP Security Misconfiguration Example from PayPal.com

The article represents some of the examples of OWASP security misconfiguration vulnerabilities that I could figure out by spending sometime on the Paypal.com website. The article is just an educational one and is not written with any other intention. If you are from Paypal reading this, please get it right.

1. Accessing PayPalObjects.com with URL, https://www.paypalobjects.com/ displays the fact that it is hosted on Apache Server. Take a look at the picture below. It looks like paypalobjects.com server hosts static resources such as CSS, JS and images file as I could figure out several of such resources link with base URL as paypalobjects.com.

   fig: paypalobjects security misconfiguration example

2. Password Recovery Module seems to be using Spring Webflow framework.  The way I figured out about Spring webflow framework is the text “execution=e1s1”. As I have worked with Spring Webflow in the past and found this being used with many a password recovery modules, it was easy for me to guess about the framework. Spring Web Flow builds on Spring MVC and allows implementing the “flows” of a web application. A flow encapsulates a sequence of steps that guide a user through the execution of some business task. It spans multiple HTTP requests, has state, deals with transactional data, is reusable, and may be dynamic and long-running in nature. “execution=e1s1” refers to the flow execution number(e1) and step in that execution(s1). Take a look at the picture below:

   fig: password recovery module using Spring Webflow

[adsenseyu1]