Hi,
The audit team got back with an issue saying that the site was vulnerable, and are offering a solution for it.
Solution
Instead of using hidden form fields, the application's designer can use one session token to reference properties that are stored in the server-side cache. When an application needs to check a user property, it checks the session cookie with its session table and points to the user's data variables in the cache/database.
Implement strong session management and log the user out if the parameters are tampered with at any time.
Can this be implemented in the code? Or is this because I have set up a rule to carry out express checkout?
Thanks
Jaya
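The following is an added illustration of the auditors' suggestion, not code from the original post or from the site in question. It keeps the checkout properties (amount, currency, order id) in a server-side session table keyed by an opaque random token, so nothing sensitive travels in hidden form fields, and it invalidates the session (logs the user out) as soon as a posted value disagrees with the stored copy. The session table, field names and sample values are constructed for the example; a real deployment would back the table with the application's cache or database.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory session table: token -> {"created": timestamp, "props": {...}}.
# In production this would be the server-side cache/database the audit refers to.
SESSIONS: Dict[str, dict] = {}
SESSION_TTL_SECONDS = 900


def create_session(user_props: dict) -> str:
    """Store the user's checkout properties server-side and return an opaque token.

    Only the random token is ever sent to the browser (as the session cookie);
    the amount, currency and order details never leave the server.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"created": time.monotonic(), "props": dict(user_props)}
    return token


def lookup(token: str) -> Optional[dict]:
    """Return the server-side properties for a token, or None if unknown or expired."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    if time.monotonic() - entry["created"] > SESSION_TTL_SECONDS:
        del SESSIONS[token]
        return None
    return entry["props"]


def invalidate(token: str) -> None:
    """Log the user out by destroying the server-side session."""
    SESSIONS.pop(token, None)


def validate_checkout(token: str, submitted: dict) -> Tuple[bool, str]:
    """Check a checkout POST against the server-side copy of its properties.

    Any field the client still posts (for instance because a payment gateway's
    form echoes it) must equal the stored value; the first mismatch is treated
    as tampering and the session is terminated, per the audit recommendation.
    """
    props = lookup(token)
    if props is None:
        return False, "no valid session"
    for key, server_value in props.items():
        if key not in submitted:
            continue  # not posted: the server-side value is used anyway
        if not hmac.compare_digest(str(submitted[key]), str(server_value)):
            invalidate(token)
            return False, f"tampered field: {key}"
    return True, "ok"


def gateway_payload(token: str) -> Optional[dict]:
    """Build the data handed to the payment step from the session, never from the form."""
    props = lookup(token)
    if props is None:
        return None
    return {"order_id": props["order_id"], "amount": props["amount"], "currency": props["currency"]}


if __name__ == "__main__":
    # Constructed sample values.
    tok = create_session({"order_id": "ORD-1", "amount": "1499.00", "currency": "INR"})
    print(validate_checkout(tok, {"amount": "1499.00"}))  # honest client
    print(validate_checkout(tok, {"amount": "1.00"}))     # tampered: session destroyed
    print(gateway_payload(tok))                           # None: user is logged out
```

The point of `gateway_payload` is that the amount charged is read back from the session rather than from whatever the browser posted, so a hidden-field edit can at most trigger the logout, never change the price.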
Comments
Comment #1
Binu Varghese commented: Attached patch fixes the latest HDFC security audit issues.
Cheers!