  2. 5

    Nice post.

    You can learn a lot by poking at apps. I never would have guessed the client was interfacing directly with the payment processor. The only reason I can guess is that Domino's wants absolutely nothing to do with your CC#.

    1. 3

      The thing I see here is that there is enough information in the client to send a request that validates credit card numbers. This is called a carding attack (or checker) - https://en.wikipedia.org/wiki/Credit_card_fraud#Checker - if it isn't properly mitigated with rate limiting.

      1. 1

        Almost 10 years ago I noticed that Pizza Hut Australia did price calculation client-side. Was able to specify whatever you wanted to pay!
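The two defensive points raised in this thread, the card-check endpoint needing rate limiting (the carding comment) and prices being computed on the client (the Pizza Hut comment), as an added Python example that is not part of the thread and not code from Domino's, Pizza Hut or any payment processor. The catalog, prices, limits, request shapes and the `processor` stub are all constructed for illustration.

```python
"""Server-side guards for an ordering API (added example, constructed data).

1. The total is recomputed from a server-held catalog; the client's figure is
   only compared, never charged.
2. Card-validation attempts are rate-limited per caller, so the endpoint cannot
   be driven as a bulk card checker, and only requests that pass the limiter
   and a local Luhn pre-check are forwarded to the processor.
"""
import time
from collections import deque
from decimal import Decimal

# Constructed menu; on a real server this is the only source of truth for price.
CATALOG = {"large_pepperoni": Decimal("18.99"), "garlic_bread": Decimal("5.49")}


def server_total(items):
    """Recompute the order total from CATALOG. Unknown SKUs or bad quantities are rejected."""
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOG or qty <= 0:
            raise ValueError(f"invalid line item: {sku!r} x{qty}")
        total += CATALOG[sku] * qty
    return total


def validate_order(items, client_total):
    """Return the authoritative total, rejecting the order if the client's total disagrees."""
    expected = server_total(items)
    if Decimal(str(client_total)) != expected:
        raise ValueError(f"client total {client_total} != server total {expected}")
    return expected


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per `window` seconds for each key
    (account id, session or client address). Timestamps are kept in a deque
    per key, so each decision costs O(limit)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}

    def allow(self, key):
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def luhn_valid(pan):
    """Luhn checksum over a digit string; a cheap local pre-check before any processor call."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_card(limiter, key, pan, processor, audit):
    """Gate one card-validation request.

    Returns 'rate_limited', 'rejected' (failed Luhn) or whatever `processor`
    answers. `audit` collects rate-limit events for detection/alerting."""
    if not limiter.allow(key):
        audit.append(("rate_limited", key))
        return "rate_limited"
    if not luhn_valid(pan):
        return "rejected"
    return processor(pan)


if __name__ == "__main__":
    order = [("large_pepperoni", 2), ("garlic_bread", 1)]
    print("server total:", validate_order(order, "43.47"))
    limiter = SlidingWindowLimiter(limit=3, window=60)
    calls, audit = [], []
    stub = lambda pan: calls.append(pan) or "approved"   # constructed processor stub
    for _ in range(5):
        print(check_card(limiter, "client-A", "4111111111111111", stub, audit))
    print("processor calls:", len(calls), "rate-limit events:", len(audit))
```

The limiter key should be whatever identifies the caller most reliably in your deployment (authenticated account first, then client address); the audit list stands in for wherever rate-limit events are logged for detection.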