OWASP O2 Platform Blog

Example of Spring MVC controllers

Here is an example of Spring MVC controllers.

Can you spot the vulnerability?

September 15, 2011 - Posted by | JPetStore, Spring MVC

6 Comments »

  1. Awesome talk tonight Dinis! I want to build a similar O2 visualizer for a different platform.

    Comment by Tom | September 15, 2011

    • Thanks 🙂

      Sure, what platform?

      Comment by Dinis Cruz | September 17, 2011

  2. setUnitPrice? Seems like a nice way to buy items.

    Comment by Jon | October 11, 2011

    • Yes, that is another vulnerability in there 🙂

      Comment by Dinis Cruz | October 11, 2011

  3. setUsername & setTotalPrice seem to be an issue. setUsername might not be as bad, since the person still has to pay for everything, so who cares if accountability is not perfect. I guess you could try to play games and buy potentially embarrassing items and associate it to a different user account. If the code used the username to say, pull up credit card information, then this would be more severe.

    setTotalPrice again is a nice customer-focused shopping feature 🙂

    Comment by Jon | October 11, 2011

  4. I found that when you can control the username (or userId), a lot of exploits are possible. Sometimes one can use the saved credit card info to buy on behalf of that user, or other times have access to the user’s past history (see the other vuln that exists in JPetClinic on the user admin page).

    Comment by Dinis Cruz | October 12, 2011
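The thread above singles out setUnitPrice, setTotalPrice and setUsername. Assuming those are setters on a form-backing object that Spring MVC populates from request parameters (the controller code from the original post is not reproduced here), this added illustration, which is not JPetStore's code, shows the open binding beside a controller that whitelists bindable fields with @InitBinder and sets the owner and prices server-side. The Order class, the Catalog interface and the /order mapping are made up for the example.

```java
import java.math.BigDecimal;
import java.security.Principal;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical form-backing object: every public setter is a binding target.
class Order {
    private String username; private String itemId; private int quantity;
    private BigDecimal unitPrice; private BigDecimal totalPrice;
    public void setUsername(String u) { username = u; }
    public void setItemId(String i) { itemId = i; }
    public void setQuantity(int q) { quantity = q; }
    public void setUnitPrice(BigDecimal p) { unitPrice = p; }
    public void setTotalPrice(BigDecimal t) { totalPrice = t; }
    public String getItemId() { return itemId; }
    public int getQuantity() { return quantity; }
}
interface Catalog { BigDecimal priceOf(String itemId); } // hypothetical price lookup

@Controller
class VulnerableOrderController {
    // username, unitPrice and totalPrice bind straight from request parameters,
    // so the client decides who owns the order and what it costs.
    @PostMapping("/order")
    public String submit(@ModelAttribute("order") Order order) {
        return "confirmation";
    }
}

@Controller
class HardenedOrderController {
    private final Catalog catalog;
    HardenedOrderController(Catalog catalog) { this.catalog = catalog; }
    @InitBinder("order")
    public void limitBinding(WebDataBinder binder) {
        // Whitelist the fields a customer may submit; everything else is ignored.
        binder.setAllowedFields("itemId", "quantity");
    }
    @PostMapping("/order")
    public String submit(@ModelAttribute("order") Order order, Principal user) {
        order.setUsername(user.getName()); // owner comes from the session, not the form
        BigDecimal unit = catalog.priceOf(order.getItemId()); // price from the catalog
        order.setUnitPrice(unit);
        order.setTotalPrice(unit.multiply(BigDecimal.valueOf(order.getQuantity())));
        return "confirmation";
    }
}
```

With the whitelist in place, a request carrying unitPrice, totalPrice or username parameters is bound without those fields, and a missing setAllowedFields (or setDisallowedFields) on a controller that binds a domain object is the thing to look for in review.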