- debug data is accessible, which exposes the API Key
- transactions with the credit card information are shown via the endpoint (see 2601_3.png)
- some of the credit cards found:
  - 2323-4545-6767-8989
  - 2322-4545-6767-8945
- never publish debug data!
- from KKAG's perspective: do not expose complete credit card numbers
- from KKAG's perspective: do not expose credit card numbers at all
- the customer enters the credit card number in the web shop, so the web shop has all means to persist the number itself if it wants to show it to the user (only partially, i.e. the last 3 digits, to minimize exposure)
- Before releasing the payment, a credit card number is shown. What do you think about that?
  - the complete number should never be shown, but the last 3 digits would be nice for the customer to verify which card is used
- Are you clear who is responsible for the vulnerability?
  - the shop is responsible, as it exposes its "API Key" (the customerID) through the publicly accessible debug mode
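As an added example (not part of the notes above and not the shop's or KKAG's code), the two mitigations discussed, masking a card number down to its last 3 digits and scrubbing full card numbers from debug output before it can leave the server, with a constructed debug response in the dashed 16-digit format the notes use; the customerID value is a placeholder.

```python
import re

# Dashed 16-digit card format used in the notes (4 groups of 4 digits).
# Assumption: the shop formats card numbers this way; other formats need more patterns.
PAN_RE = re.compile(r"\b(\d{4})-(\d{4})-(\d{4})-(\d{4})\b")

# Constructed sample of what a debug endpoint might return (no real data).
DEBUG_RESPONSE = (
    "transaction 42 customerID=<CUSTOMER_ID_PLACEHOLDER> card=2323-4545-6767-8989 amount=19.90\n"
    "transaction 43 customerID=<CUSTOMER_ID_PLACEHOLDER> card=2322-4545-6767-8945 amount=5.00\n"
)


def mask_pan(pan: str, keep_last: int = 3) -> str:
    """Replace every digit except the last `keep_last` with '*'.

    Dashes are kept so the customer still recognises the card layout.
    """
    digits = [c for c in pan if c.isdigit()]
    if len(digits) <= keep_last:
        raise ValueError("card number too short to mask")
    to_hide = len(digits) - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append("*" if seen < to_hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_debug_output(text: str) -> str:
    """Mask every card-like value before debug data is returned or logged."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


def find_exposed_pans(text: str) -> list:
    """Detection side: list full card numbers present in a response body."""
    return [m.group(0) for m in PAN_RE.finditer(text)]


if __name__ == "__main__":
    print(find_exposed_pans(DEBUG_RESPONSE))
    print(redact_debug_output(DEBUG_RESPONSE))
```

`find_exposed_pans` doubles as a simple check to run over a captured debug response during review: it should return an empty list once redaction is in place.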