New shopping cart on Headsets.com - need last-minute testing

We are going to go live with a new shopping cart in the near future, but before we do we'd like to get someone to help us find some last-minute bugs. More specifically, we'd like a power user to go through our cart and help us find erroneous input that breaks the cart.

NOTE: We are not looking for you to run a data exploit. We only want to know what type of input can either cause the system to break or cause security holes. Of course if you are able to find other non-input related bugs, please let us know about those as well.

Note: Please do not use AOL (as we've already identified a few bugs using AOL).

HOW TO DO IT:
-------------------------------
Go to http://headsets.com/cart/pages. You will have to order products starting from this page (or you will end up on our old shopping cart). Just to make things interesting, if you use the special offer code "TESTONE" you can get $25 off any purchase over $60. For a credit card, you can temporarily use a VISA with four ones as the credit card number.

WHAT WE'RE LOOKING FOR:
------------------------------
A good bug would look something like:

BUG: If you enter all null bytes into the name field, you get blank page
HOW TO REPLICATE - Add 3 products to your cart, go to the shipping page and enter all null bytes into the name field. Press the submit button twice.

I'm not looking for suggestions on user interface or usability, so unless they are absolutely crucial, I will probably ignore them. I will pay very close attention to bugs that break the cart.

TIPPING
-----------------------------
If you are able to find, replicate, and communicate input bugs that either cause the system to break or expose security holes, I'll tip an extra $50. If GoogleAnswers won't let me tip that much, I'll find another way to pay you. Again, if you find a security hole, please don't run any data exploits.

Thanks in advance!

Answer:
Dear Headsetswebmaster:

Things look pretty clean but there are a few vagaries, as you'll see below.

Steps taken:

1. To the web page with IE 6.0.2800: http://headsets.com/cart/pages/

2. To the Aria page, click order button: http://headsets.com/cart/pages/aria/description.html?newSID=4308d8624d2af0ae0229ed6e8dd7c83f

   BUG: blank page returned on first attempt (it should have returned an error message -- I didn't specify quantity)

3. Returned to Aria page, 1 Executive model ordered; TESTONE special offer entered, address entered:

   POSSIBLE HOLE: Address page doesn't verify zip code vs. city/state; nor does it allow zip +4 (I realize that shipping may handle these issues offline.)

4. On to the credit card page -- the $25 off is correctly registered. Ordering processing seems normal.

----

Now let's go back to see what information, if any, has been retained by the shopping cart.

5. Back to the web page -- nothing in cart: http://headsets.com/cart/pages/

6. Go to the following page and try to confuse the order entry with irrelevant quantities (B, O3, 03). It's not fooled. Add the promotional code. http://headsets.com/cart/addcart.html

7. Goes to Address Page: https://www.headsets.com/cart/shipping.html?

8. Go back with browser command -- get a "Warning: Page has Expired" message. Go back with browser command again and get the Cart page; re-enter the order: http://headsets.com/cart/addcart.html

9. Goes to Address Page and all previous information was retained: https://www.headsets.com/cart/shipping.html?

   POSSIBLE HOLE: data is not being cleared from entry pages; some transaction sites are religious about making you re-key everything. Annoying when you make a small error but security protection for those who might be entering personal information on a library computer or an open workspace at work.

10. To the billing page: Promotional code correctly entered. Let's see next if we leave valuable credit card data when we use "Back" from this page? It does not: https://www.headsets.com/cart/billing.html?

    POSSIBLE HOLE: No red flags obvious when name is different from credit card.

11. Use "Back" button to get back to the shopping cart page. Add the Plantronics CS50; cart already has 3 of the noise-reduction Arias in it. Delete those. Use "Back" button to get to home page. Add Plantronics Personal Call Recorder and Logger. Enter promotional code. Process order.

12. On to the following page: name/address/contact information retained: https://www.headsets.com/cart/shipping.html?

13. On to billing page: no data present, which is obviously good. Discount for promotion is correct: https://www.headsets.com/cart/billing.html?

14. Order seemingly entered correctly.

15. What happens if I try pasting https://www.headsets.com/cart/billing.html directly into the browser? It has the order information but no credit card data.

16. What happens if I try pasting https://headsets.com/cart/shipping.html into a browser window? All name/address/contact information retained.

---

Let's try a different browser now: Opera 7.54 with Java:

1. Paste in shipping and billing HTML addresses directly. Result: "Shopping cart is empty." No data retained.

2. Paste in top-level page: http://headsets.com/cart/pages/

3. Order a Plantronics CS50, with promotional code. Enter billing information -- order enters properly. "Back" button reveals name/address/contact button on Shipping page.

4. Enter an out-of-date credit card code (June, 2004): Result: kicks out the old credit card code. So I'll try again with July. It rejects it. It also rejects August (isn't the card supposed to be good until the end of the month?) September goes through.

5. Use the back button from the Confirmation page to see if data is retained: Result: Opera retains the data from the Confirmation page in its entirety -- all credit card information is there.

   POTENTIAL BUG: IE is returning what you probably intended -- a "Page Expired" message when "Back" button is used. A second use of "Back" returns a blank page. This version of the Opera browser retains all Billing data with a "Back" button.

NOTE: I went back to IE and placed a second order. This time billing information was retained on the page -- unlike the first tests above.

---

NOTE: Entering my CN customer number in the search function on the test cart page brings up a shopping cart with 2 items in it and goes through the OLD shopping cart.

NOTE: I tried on 2 different computers to use the "Back" buttons to get back to http://headsets.co/cart/pages after placing something in the cart. Once there, I clicked on "View Cart":

* On one computer it returned an EMPTY cart -- and puts me into the "Old" Shopping Cart pages.
* On the second computer the cart had the item ordered -- and put me into the "Old" Shopping Cart pages.

---

It appears from having looked at the Headsets.com website in its current and proposed version that you intended to separate Shipping and Billing pages, likely for security purposes. The new design is serving you well in Internet Explorer, but may not be accomplishing your goals in other browsers.

The obvious recommended strategy would be to broaden the browsers used, including a text browser such as Lynx. (see Google webmaster guidelines):

Google "Webmaster Guidelines," (2004)
://www.google.com/webmasters/guidelines.html

Oh -- and make sure that those orders don't get processed. I got 5 confirmations in my e-mail already! And let me know if there are additional modes that you'd like tested or if you'd like to know browser settings. My standard IE configuration enables cookies.

Best regards,

Omnivorous-GA

headsetswebmaster-ga at Google Answers
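
The answer's findings about shipping and billing data reappearing after "Back" come down to what the browser is permitted to keep. As an added example (not part of the original question or answer, and not the site's code), this Python check audits response headers for those two cart paths and reports any response that does not carry `Cache-Control: no-store`; the header values in the sample responses are constructed.

```python
# Added example: flag cart pages whose responses may be kept by the browser.
# Paths come from the answer above; header values below are constructed.
SENSITIVE_PATHS = {"/cart/shipping.html", "/cart/billing.html"}


def cache_directives(headers):
    """Parse Cache-Control into {directive: value or None}, case-insensitively."""
    directives = {}
    for name, value in headers.items():
        if name.lower() != "cache-control":
            continue
        for part in value.split(","):
            key, _, val = part.strip().partition("=")
            if key:
                directives[key.strip().lower()] = val.strip().strip('"') or None
    return directives


def audit(url_path, headers):
    """Return findings for one response; an empty list means nothing to report."""
    path = url_path.split("?", 1)[0]  # ignore the trailing "?" / query string
    if path not in SENSITIVE_PATHS:
        return []
    directives = cache_directives(headers)
    if not directives:
        return ["Cache-Control header missing"]
    findings = []
    if "no-store" not in directives:
        findings.append("no-store absent: browser may keep a copy of this page")
    if "public" in directives:
        findings.append("public present: shared caches may store this page")
    return findings


# Constructed sample responses (not captured from the real site).
SAMPLES = [
    ("/cart/billing.html?", {"Cache-Control": "private, max-age=600"}),
    ("/cart/shipping.html?", {"cache-control": "no-store"}),
    ("/cart/pages/", {}),
    ("/cart/billing.html", {"Pragma": "no-cache"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLES:
        print(path, audit(path, headers) or "ok")
```

Running the same audit against responses fetched with each browser's user agent helps show whether the server sends different headers per client or whether the difference lies in how each browser treats its history.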