
Re: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)




This is nice work. At the beginning, reading about the problems with using floating point or double values for financial values, I was thinking "yeah, yeah, programming 101", and personally I think that the bit about many small transactions which round favorably (i.e. the currency exchange type problem) is also fairly well known. However, I think there is much less awareness of things such as using "NaN" or "Infinity" in inputs to bypass filters. I know I'll be playing around with the related attacks for a bit to get a feel for them.


Jim Manico wrote:
This is a very interesting article, nice work.

I would recommend you add *exact* versions of the various APIs being used.

At the very least, all of your Java samples do indeed check out against Java 1.5_0_16 on Windows.

Have you reported these issues to Sun/Microsoft?


Jim, unless I misunderstand something, none of the issues described in the paper are "vulnerabilities" in the languages (which are the only Sun/Microsoft products mentioned, I believe). Instead, behavior of the language which may not be immediately obvious to all programmers writing web applications is discussed. In other words, if you fail to account for the language behavior when interpreting "NaN" as a valid number, your application may be vulnerable, but that is not to say that Java is. As such, reporting/embargoes/etc. seems not to apply.


-Nathanael

- Jim
Breaking the Bank
(Vulnerabilities in Numeric Processing within Financial Applications)

By Adam Boulton, Stephen De Vries, Kevin O'Reilly, July 15, 2008
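An added illustration of the "NaN" point raised above (my own code, not from the Corsaire paper or from either poster): a naive Java range check that Double.parseDouble lets "NaN" through, beside a BigDecimal-based check that rejects it. The MAX limit, the two-decimal scale and the probe strings are assumptions for the demo.

```java
import java.math.BigDecimal;

// Added example: why "NaN" passes a two-comparison range filter in Java and how to close it.
public class AmountCheck {
    static final double MAX = 10000.0; // hypothetical per-transaction limit

    // Naive validator. Double.parseDouble accepts "NaN", "Infinity" and "-Infinity".
    // "Infinity" and "-Infinity" are caught by the comparisons, but every comparison
    // involving NaN is false, so NaN is never "out of range" and is accepted.
    static boolean naiveAccepts(String input) {
        double amount;
        try {
            amount = Double.parseDouble(input);
        } catch (NumberFormatException e) {
            return false;
        }
        if (amount < 0 || amount > MAX) {
            return false;
        }
        return true; // reached for NaN as well as for genuine in-range values
    }

    // Hardened validator: BigDecimal has no NaN or Infinity representation and its
    // constructor throws on those tokens; bound the value and the scale explicitly.
    // (Staying with double, the equivalent guard is Double.isNaN(amount) || Double.isInfinite(amount).)
    static boolean hardenedAccepts(String input) {
        BigDecimal amount;
        try {
            amount = new BigDecimal(input.trim());
        } catch (NumberFormatException e) {
            return false;
        }
        if (amount.signum() < 0 || amount.compareTo(BigDecimal.valueOf(MAX)) > 0) {
            return false;
        }
        return amount.scale() <= 2; // no more precision than the currency carries
    }

    public static void main(String[] args) {
        // Constructed probe inputs: one legitimate amount plus the special tokens and edge cases.
        String[] probes = {"100.00", "NaN", "Infinity", "-Infinity", "1e308", "0.001"};
        for (String p : probes) {
            System.out.printf("%-10s naive=%-5b hardened=%b%n", p, naiveAccepts(p), hardenedAccepts(p));
        }
    }
}
```

Only "100.00" should pass the hardened check; the naive check additionally accepts "NaN" and "0.001".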


