RE: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- Date: Wed, 16 Jul 2008 10:53:43 +0100
> As such, I still don't see how
> it's a "vulnerability" or a "flaw",
> except in the broad common-language
> sense that it is not a perfect numeric
> representation (which could store
> infinitely large values with
> infinitely great precision).
Which is actually a large part of the problem. We regularly assess
financial applications that have been given a clean bill of health by
other security consultancies, and we find that whilst there may be no
traditional XSS or SQL issues present (actually though, they often miss
some of these too :), the application will still suffer from logic or
implementation issues that allow you to effectively make money from
manipulating currency values.
This kind of flaw is enough to put a bank in breach of their regulatory
obligations in respect to the integrity of transactions.
Martin...
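To make the "imperfect numeric representation" point concrete for reviewers of such applications, here is an added example (not from the Corsaire paper or from Martin's post) contrasting a float-based ledger with a Decimal-based one and the exact-equality reconciliation check an assessor would expect to see; the deposit amounts and function names are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def float_ledger_total(amounts):
    """Accumulate transaction amounts as binary floats (the weak representation)."""
    total = 0.0
    for amount in amounts:
        total += amount
    return total


def decimal_ledger_total(amounts):
    """Accumulate the same amounts as Decimal values parsed from strings.
    Never build a Decimal from a float: Decimal(0.1) inherits the float's error."""
    total = Decimal("0.00")
    for amount in amounts:
        total += Decimal(amount)
    return total


def float_round_cents(value):
    """Round a float to whole cents. 2.675 is stored as 2.67499999..., so it rounds DOWN,
    which silently favours one side of every transaction at that boundary."""
    return round(value, 2)


def decimal_round_cents(value):
    """Round to whole cents with an explicit, documented rounding mode."""
    return Decimal(value).quantize(CENT, rounding=ROUND_HALF_UP)


def reconciles(ledger_total, expected):
    """Integrity check: ledger total must equal the expected figure exactly.
    No tolerance: any drift, however small, is a finding to investigate."""
    return ledger_total == expected


if __name__ == "__main__":
    # Constructed sample: ten 10-cent deposits that must total exactly 1.00.
    deposits = ["0.10"] * 10
    f_total = float_ledger_total([float(d) for d in deposits])
    d_total = decimal_ledger_total(deposits)
    print("float   total:", f_total, "reconciles:", reconciles(f_total, 1.0))
    print("decimal total:", d_total, "reconciles:", reconciles(d_total, Decimal("1.00")))
    print("float rounding of 2.675  :", float_round_cents(2.675))
    print("decimal rounding of 2.675:", decimal_round_cents("2.675"))
    # Large balances: a double drops the final 1 at 17 significant digits; Decimal keeps it.
    print("float loses 1 at 1e16:", 1e16 + 1.0 == 1e16)
    print("Decimal keeps it     :", Decimal("10000000000000000") + 1 != Decimal("10000000000000000"))
```

Run as a script it prints the float ledger at 0.9999999999999999 (failing reconciliation) against the Decimal ledger at 1.00, and 2.67 against 2.68 for the rounding case.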