How can I hide "__OSVSTATE" so that it cannot be replaced by another one in any request? In the case I am seeing, it carries the client's data, and fraud can be committed.
I replace the "__OSVSTATE" of client1 on client2 and I can make money movement.

Regards,

Hi Rolando,

"I replace the "__OSVSTATE" of client1 on client2 and I can make money movement."

I would not expect to have any payment details in the __OSVSTATE when doing online payments with an online payment gateway.

See some discussion on viewstate.

https://www.outsystems.com/forums/discussion/10458/view-state-in-outsystems-applications/

Btw. Reactive web does not use the concept of viewstate.

Regards,

Daniel

Daniël Kuhlmann wrote:

> Hi Rolando,
>
> "I replace the "__OSVSTATE" of client1 on client2 and I can make money movement."
>
> I would not expect to have any payment details in the __OSVSTATE when doing online payments with an online payment gateway.
>
> See some discussion on viewstate.
>
> https://www.outsystems.com/forums/discussion/10458/view-state-in-outsystems-applications/
>
> Btw. Reactive web does not use the concept of viewstate.
>
> Regards,
>
> Daniel

Yes, I went into that topic, but it doesn't answer my question.

I'm a pentester and I work in a telecommunications company, where I could do fraud through __OSVSTATE; that's why I'm worried that the user's data is passed through this variable.

Hi,

I would be really interested to hear from you how you were able to create this fraud through __OSVSTATE.

One more question: as you are doing a pentest, you are either able to misuse __OSVSTATE or you are not.

I am not sure if an answer from anybody on the forum would make a difference.

Let's say I say it is not possible. Then what? You would still have to prove it to be a right or correct statement. And for that matter, if I say you are right? You would not try?

Regards,

Daniel
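
Added example, not part of the thread and not OutSystems' own code: a generic Python illustration of the two server-side controls that stop a state blob issued to client1 from being accepted in client2's session. The blob is MAC-bound to the session user, and account ownership is re-checked on the server instead of being read from client state. All names (`seal_state`, `open_state`, `handle_transfer`, `OWNED_ACCOUNTS`, the key) are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store
# Constructed sample data: which accounts each authenticated user owns.
OWNED_ACCOUNTS = {"client1": {"A-1"}, "client2": {"B-7"}}

def _tag(payload: bytes, session_user: str) -> bytes:
    # The MAC covers the session identity, so a blob is only valid for its owner.
    return hmac.new(SERVER_KEY, session_user.encode() + b"\x00" + payload,
                    hashlib.sha256).digest()

def seal_state(state: dict, session_user: str) -> str:
    """Serialize page state and bind it to the user it was issued to."""
    payload = json.dumps(state, sort_keys=True).encode()
    return base64.urlsafe_b64encode(_tag(payload, session_user) + payload).decode()

def open_state(blob: str, session_user: str) -> Optional[dict]:
    """Return the state only if it is untampered and was issued to this user."""
    try:
        raw = base64.urlsafe_b64decode(blob.encode())
    except ValueError:
        return None
    tag, payload = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, _tag(payload, session_user)):
        return None  # swapped between sessions, or modified in transit
    return json.loads(payload)

def handle_transfer(blob: str, session_user: str) -> bool:
    """Accept a transfer only for state bound to this session AND an owned account."""
    state = open_state(blob, session_user)
    if state is None:
        return False
    # Never trust an account id because it arrived in client-held state:
    # authorization is decided from server-side data for the logged-in user.
    return state.get("from_account") in OWNED_ACCOUNTS.get(session_user, set())

if __name__ == "__main__":
    blob = seal_state({"from_account": "A-1"}, "client1")
    print("client1 replays own state:", handle_transfer(blob, "client1"))
    print("client2 submits client1's state:", handle_transfer(blob, "client2"))
```
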