Re: [WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
- From: Bil Corry <bil@xxxxxxxxx>
- Date: Wed, 16 Jul 2008 10:49:59 -0500
Martin O'Neal wrote on 7/16/2008 4:53 AM:
> We regularly assess financial applications that have been given a
> clean bill of health by other security consultancies, and we find
> that whilst there may be no traditional XSS or SQL issues present
> (actually though, they often miss some of these too :) the
> application will still suffer from logic or implementation issues
> that allow you to effectively make money from manipulating
> currency values.

Definitely need to consider logic/implementation issues; this story is a good example:
Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'
<http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html>
- Bil