24 Jan 2012 @ 11:21 PM 

I didn’t want to try something risky, but I noticed at least two suspicious things. By that I mean there could be some open opportunities for hacking:

1) “http://www.paypal.com/en/cgi-bin/webscr?cmd=_logout” – if you go to this URL while logged in, your session is terminated.

Possible exploit: you can create a repeating (hidden) script (maybe on some webpage) – so that the user will believe he/she cannot log in at all.

2) I am able to send money and create accounts for emails starting with “%”

Example “%john@testxcvdf.com” (You can check it for yourself – Password is “!QAZ2wsx”)

Possible exploit: the fact that the character is not validated might be considered a weak spot for hackers, who can try different alternatives.

Even if both issues are not exactly a problem, it shows that they didn’t do some type of needed testing.

(I am going to send this to their support)

Edit: Ok, I got a simple script as an example for the logout issue

Steps:

1) Open this url http://www.testalways.com/exploits/1.html (reloads an iframe with the link)

2) In another tab/window of the same browser, log into the Paypal account (you can create one just to test it – you don’t have to enter any private data)

Behavior: User is disconnected quite fast without realizing what is going on

Conclusion: The value of a bug might depend on possible exploits.

This is an example of a behavior that is known, but maybe not much thinking was done in relation to security.
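Seen from the defending side, the forced-logout trick works only because the endpoint accepts a cross-site GET. The following is an added example (not code from the post or from PayPal) of a logout handler that ignores exactly the request the hidden iframe sends; the Request class and SITE_ORIGIN are constructed placeholders standing in for a real framework's request object and the protected site.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"  # placeholder for the protected site's own origin

@dataclass
class Request:  # minimal stand-in for a framework request object (constructed for this example)
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token when rendering the page that carries the logout button."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def logout_allowed(req: Request) -> tuple:
    """Three checks; any one alone defeats a hidden iframe on a third-party page, which
    can only issue a GET, carries a foreign Origin/Referer, and cannot read the token."""
    if req.method != "POST":
        return False, "logout must be a POST; a GET from an <img>/<iframe> is ignored"
    origin = req.headers.get("Origin")
    if origin is None:  # no Origin header: fall back to the Referer's scheme://host
        ref = urlsplit(req.headers.get("Referer", ""))
        origin = f"{ref.scheme}://{ref.netloc}" if ref.netloc else ""
    if origin != SITE_ORIGIN:  # exact match; a prefix test would accept www.example.com.evil
        return False, f"cross-origin request from {origin or '<none>'}"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"
    return True, "ok"

def handle_logout(req: Request) -> str:
    ok, reason = logout_allowed(req)
    if not ok:
        return f"ignored: {reason}"  # the user stays logged in; worth logging server-side
    req.session.clear()
    return "logged out"

if __name__ == "__main__":
    sess = {"user": "alice"}
    tok = issue_csrf_token(sess)
    print(handle_logout(Request("GET", {"Referer": "http://third-party.example/1.html"}, {}, sess)))  # the iframe
    print(handle_logout(Request("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": tok}, sess)))  # the real button
```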

Another thing is the usage of the same libraries for developing web applications. These bugs are identical to issues I found for a previous client.

Posted By: Eusebiu Blindu
Last Edit: 25 Jan 2012 @ 01:30 AM

 19 Jan 2012 @ 7:30 AM 

I want to recommend this tool http://code.google.com/p/knull-shell/downloads/detail?name=knull-shellv1-beta.php for testing security issues.

With it I was able to hack into one of my clients’ web servers (literally the server that hosted the web application) and was able to create folders and delete files.

The script can be used for hacking a web application in places where you can upload images or any other files.

Example of a scenario:

1) Check if the web app has a section to upload an image (usually user profile)

2) Use an image with a specific name that you can recognize and upload it

3) Check after upload and storage where the image is now located (check if the name is intact; check if the size is the same)

4) If the image is stored with the same name or is not altered, you can try uploading the knull-shell script and then check the URL

5) If the URL of the stored file ends in …/some_location/knull-shellv1-beta.php and permissions are set badly, you can try to execute that script by opening that URL

6) If you are successful, you should have something like this:

Username: root

Password: toor

and you should have something like this

Now you can try to see how far you can go! :)
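The scenario above succeeds only when the application trusts the uploader's file name and extension and serves the stored file from a location where PHP executes. As an added example (not from the post, and written from the defender's side), the following upload handler breaks every step of that chain: the chosen name is discarded, the extension comes from the content, and the file is written non-executable into a directory assumed to sit outside the web root. The magic-byte table and the run_demo inputs are constructed for this example.

```python
import os
import secrets
import tempfile

# Leading bytes of the image types the form is allowed to accept (constructed table).
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
MAX_BYTES = 2 * 1024 * 1024

class UploadRejected(ValueError):
    """Raised for anything that is not a plain image of acceptable size."""

def sniff_image_type(data: bytes) -> str:
    """Pick the extension from the content, never from the client-supplied file name."""
    for ext, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not a supported image")

def store_upload(data: bytes, upload_dir: str) -> str:
    """Store an uploaded image so that the upload path described above fails at every step:
    the name the uploader chose is never used (so the file cannot be found again by name),
    the extension is derived from the bytes (so a .php never lands as .php), and the file
    is written without the execute bit into upload_dir, which is assumed to sit outside
    the web root and to be served only through a handler that sets an image Content-Type."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = sniff_image_type(data)
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    fd = os.open(os.path.join(upload_dir, stored_name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)  # never overwrite, no exec bit
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored_name

def run_demo() -> dict:
    """Exercise the three cases from the scenario in a scratch directory."""
    upload_dir = tempfile.mkdtemp()
    results = {}
    results["image"] = store_upload(IMAGE_MAGIC["png"] + b"\x00" * 64, upload_dir)
    try:  # a PHP script does not start with any image signature, so it is refused outright
        store_upload(b"<?php echo 'hello'; ?>", upload_dir)
    except UploadRejected as e:
        results["script"] = str(e)
    # an image with script text appended still sniffs as an image; it is stored under a
    # random .gif name and would only ever be served as image/gif, never executed
    results["polyglot"] = store_upload(b"GIF89a" + b"<?php echo 'hello'; ?>", upload_dir)
    return results
```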

Posted By: Eusebiu Blindu
Last Edit: 19 Jan 2012 @ 07:30 AM

 17 Jan 2012 @ 1:04 PM 

Do you have any software testing related certification?

Do you have your own blog/website?

Have you attended any test conference as a speaker?

Have you attended any test conference at all?

How many years of testing experience do you have?

Do you know any scripting/programming languages?

Posted By: Eusebiu Blindu
Last Edit: 17 Jan 2012 @ 01:04 PM

 04 Jan 2012 @ 11:50 AM 

Although I am not very interested in New Year’s Eve and passing into a new year from the protocol perspective, I think it’s a good time to point out some general directions.

I believe overall the past year was very good in relation to my testing experience.

The details are important, but can change; that’s why I tend to set general goals (it also gives more options to use as a solution):

  • Find suitable ways to keep being known in the testing field. This is important especially in finding new clients. But not only there: (also) government paperwork, renting/buying a house, dealing with a bank, unblocking quickly the Paypal account :) , general trust in many situations…
  • Deal with the particular problems that might appear while trying to raise a reputation: more responsibility, accepting constructive criticism, detecting and replying properly to nonconstructive criticism
  • Continue learning about testing. The more I learn, the more I think I know less. But it’s still a good feeling
  • Do the best job I can do with the clients, so I can bring value to them
  • Do the best job I can do at the conferences I was invited to this year
  • Solve anything that might come on the way
Posted By: Eusebiu Blindu
Last Edit: 04 Jan 2012 @ 11:50 AM
