setUsername & setTotalPrice seem to be an issue. setUsername might not be as bad, since the person still has to pay for everything, so who cares if accountability is not perfect. I guess you could try to play games and buy potentially embarrassing items and associate them with a different user account. If the code used the username to, say, pull up credit card information, then this would be more severe.
setTotalPrice again is a nice customer-focused shopping feature 🙂
I found that when you can control the username (or userId), a lot of exploits are possible. Sometimes one can use the saved credit card info to buy on behalf of that user, or other times have access to the user's past history (see the other vuln that exists in JPetClinic on the user admin page).
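The two comments above describe the same root cause: a request binder that calls any matching setter (setUsername, setTotalPrice) from client-supplied parameters. The following is an added example, not code from the comments, from JPetClinic or from the O2 project; the `Order` class, the catalog prices and the request parameters are constructed for illustration. It places a naive reflective binder next to an allow-listed one that derives the user from the session and recomputes the total server-side, so the client-supplied `username` and `total_price` never reach the order.

```python
"""Mass assignment: naive setter-style binding versus allow-listed binding.

Constructed demo; Order, CATALOG and the sample request are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed catalog: SKU -> unit price
CATALOG = {"dog-food": 12.50, "leash": 7.25}


@dataclass
class Order:
    username: str = ""
    items: dict = field(default_factory=dict)   # sku -> quantity
    total_price: float = 0.0


def new_order() -> Order:
    """Fresh order, as a checkout handler would create before binding."""
    return Order()


def compute_total(items: dict) -> float:
    """Server-side price calculation; raises on unknown SKUs or bad quantities."""
    total = 0.0
    for sku, qty in items.items():
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"rejected line item {sku!r}: {qty!r}")
        total += CATALOG[sku] * qty
    return round(total, 2)


def bind_naive(order: Order, params: dict) -> Order:
    """Vulnerable pattern: every parameter that matches an attribute is written.

    This mirrors a binder that invokes setX for any request parameter X, so
    'username' and 'total_price' from the request overwrite trusted state.
    """
    for key, value in params.items():
        if hasattr(order, key):
            setattr(order, key, value)
    return order


# Only fields the client is legitimately allowed to supply.
BINDABLE_FIELDS = frozenset({"items"})


def bind_allowlisted(order: Order, params: dict, session_user: str) -> Order:
    """Hardened pattern: bind only allow-listed fields, then derive the rest.

    The user comes from the authenticated session, never from the request,
    and the total is recomputed from the catalog after binding.
    """
    for key in BINDABLE_FIELDS & params.keys():
        setattr(order, key, params[key])
    order.username = session_user
    order.total_price = compute_total(order.items)
    return order


# Constructed request: a shopper who also sends fields they should not control.
SAMPLE_REQUEST = {
    "items": {"dog-food": 2},
    "username": "someone-else",
    "total_price": "0.01",
}

if __name__ == "__main__":
    weak = bind_naive(new_order(), SAMPLE_REQUEST)
    safe = bind_allowlisted(new_order(), SAMPLE_REQUEST, session_user="alice")
    print("naive binder   :", weak)   # username and total_price taken from request
    print("allow-listed   :", safe)   # username from session, total 25.0 recomputed
```

The detection angle follows from the same contrast: any request parameter whose name matches a server-controlled field (price, total, user id, role) that the binder accepts is a finding, and the fix is an explicit allow-list plus server-side recomputation rather than a deny-list of known-bad names.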
The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to automate security consultants' knowledge and workflows and to allow non-security experts to access and consume security knowledge.
O2 can also be a very powerful prototyping and fast-development tool for .NET. Most O2 APIs are written using a Fluent API design, and its core has been published as a separate project called FluentSharp (hosted at CodePlex).