Sears.com Vulnerability Reinforces Need for Manual Testing
A new vulnerability was recently found on the Sears.com website that allowed external users to automate the validation of candidate gift card numbers and their associated PINs. With that kind of automation it is possible to brute force your way to valid gift card numbers by eliminating the ones the site reports as invalid. Given that there really are not many other controls around using gift cards, this method is an easy way to collect gift card numbers for fraudulent online purchases.
The vulnerability was identified by an independent researcher, who noted that the normal validation process relied solely on client-side cookies to limit the number of validation attempts. By scripting requests directly to the server, bypassing the client-side cookies, they were able to automate the validation process very quickly with no other limits in place.
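As an added illustration that is not part of the original post or of Sears' code, the snippet below contrasts a validator that trusts a client-side attempt cookie (the flaw described above) with one that keeps the attempt counter on the server and gives the same generic answer for an unknown card and a wrong PIN; the card numbers, PINs and limits are constructed for the example.

```python
# Added example: a client-cookie attempt limit beside a server-side one.
# Card numbers, PINs and limits below are constructed for the demo.
import hmac
import time
from collections import defaultdict

# Constructed gift card store: number -> PIN (a real system would store hashes)
GIFT_CARDS = {"6006491234567890": "1234", "6006499876543210": "9999"}
MAX_ATTEMPTS = 5


def _pin_matches(card, pin):
    expected = GIFT_CARDS.get(card)
    # constant-time compare; an unknown card simply fails
    return expected is not None and hmac.compare_digest(expected, pin)


def weak_validate(card, pin, cookies):
    """Vulnerable pattern: the attempt counter lives in a client cookie.
    A scripted client that drops or rewrites the cookie is never locked out."""
    attempts = int(cookies.get("attempts", "0"))
    if attempts >= MAX_ATTEMPTS:
        return {"ok": False, "reason": "locked"}
    cookies["attempts"] = str(attempts + 1)  # the only control, and the client owns it
    return {"ok": _pin_matches(card, pin)}


class HardenedValidator:
    """Attempt counting is done on the server, keyed on the caller (e.g. a
    server-side session id or source address), so bypassing cookies does not
    reset it; failures for a bad card and a bad PIN look identical."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=600, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window, clock
        self.failures = defaultdict(list)  # caller_id -> timestamps of failed attempts

    def _recent_failures(self, caller_id):
        now = self.clock()
        self.failures[caller_id] = [t for t in self.failures[caller_id] if now - t < self.window]
        return len(self.failures[caller_id])

    def validate(self, caller_id, card, pin):
        if self._recent_failures(caller_id) >= self.max_attempts:
            return {"ok": False, "reason": "locked"}
        if _pin_matches(card, pin):
            return {"ok": True}
        self.failures[caller_id].append(self.clock())
        return {"ok": False, "reason": "invalid"}  # same answer for unknown card and wrong PIN
```

A production deployment would also count failures per card number and per source address, not only per session, so that rotating sessions does not reset the limit.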
This is obviously a poor coding practice on many levels, but more importantly I believe it really validates the need for true manual penetration testing. In essence this boiled down to a logic flaw in how the process was implemented, which is not something that would necessarily be picked up by an automated application scanner. Clear Skies has always believed that the best assessment approach is to rely on a mixture of automated tools and manual testing by an experienced assessor (see the prior post on SlideShow Pro as an example). This finding is yet another great real-world example of why we strongly encourage clients not to do just the minimum when it comes to testing their applications, especially when significant amounts of home-grown code are involved. And lastly, given that the Sears.com site appears to have been PCI certified, it further validates that being compliant (i.e. the minimum) does not equate to being secure.
More information on the vulnerability can be found at these links: