[WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- From: Jim Manico <jim@xxxxxxxxxx>
- Subject: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- Date: Tue, 15 Jul 2008 07:24:46 -1000
This is a very interesting article, nice work.
I would recommend you add *exact* versions of the various APIs being used.
At the very least, all of your Java samples do indeed check out against
Java 1.5_0_16 on Windows.
Have you reported these issues to Sun/Microsoft?
- Jim
Breaking the Bank
(Vulnerabilities in Numeric Processing within Financial Applications)
By Adam Boulton, Stephen De Vries, Kevin O'Reilly, July 15, 2008
This paper draws attention to how the use of common programming APIs and
practices could lead to flaws in the processing of numeric data, which
could in turn allow attackers to manipulate the outcome of transactions
or otherwise interfere with the accuracy of calculations.
It discusses the technical vulnerabilities typically observed in both
the validation and processing of numeric data that could expose an
organisation to unmanaged risk. It is intended for a technically
literate audience involved in developing or testing financial
applications, and to provide technical insight to those responsible for
their management.
The vulnerabilities are presented with source code examples, suggestions
on how to identify the flaws during the testing phases and
recommendations for mitigating the risk.
http://research.corsaire.com/whitepapers/technical.html
--
Jim Manico, Senior Application Security Engineer
jim.manico@xxxxxxxxxxxxxxxxxx | jim@xxxxxxxxxx
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com