Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)

Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)

From: silky <michaelslists_at_gmail.com>
Date: Wed, 16 Jul 2008 10:08:03 +1000

On Tue, Jul 15, 2008 at 11:02 PM, Martin O'Neal
<martin.oneal_at_corsaire.com> wrote:
>
> Breaking the Bank
> (Vulnerabilities in Numeric Processing within Financial Applications)
>
> By Adam Boulton, Stephen De Vries, Kevin O'Reilly, July 15, 2008
>
> This paper draws attention to how the use of common programming APIs and
> practices could lead to flaws in the processing of numeric data, which
> could in-turn allow attackers to manipulate the outcome of transactions
> or otherwise interfere with the accuracy of calculations.
>
> It discusses the technical vulnerabilities typically observed in both
> the validation and processing of numeric data that could expose an
> organisation to unmanaged risk. It is intended for a technically
> literate audience involved in developing or testing financial
> applications, and to provide technical insight to those responsible for
> their management.
>
> The vulnerabilities are presented with source code examples, suggestions
> on how to identify the flaws during the testing phases and
> recommendations for mitigating the risk.
>
> http://research.corsaire.com/whitepapers/technical.html

this is fairly stupid.

what financial institutions are using floating point and not decimal
variables to represent their money? very few i'd guess. it hardly
needs to be said that anyone using FP variables to do financial maths
should be shot.

in practice you find that sometimes the numbers aren't even stored in
decimals at all; yet are rounded up and stored as ints.

your last recommendation for c# is wrong. == is fine for numbers. your
test above even proves it! the caching, in java, of numbers is well
known and stupid. and you exaggerate it. it's only when doing
*boxing*, and it should be rare to be doing this; it's not when
comparing the primitive types.

boring research. 

-- 
silky
http://www.themonkeynet.com/
http://lets.coozi.com.au/
-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Received on Jul 15 2008
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos