Comments on Jeremiah Grossman: Business Logic Flaws, freshly minted White Paper
Blog author: Jeremiah Grossman (9 comments, feed last updated 2024-02-08)

Andrew van der Stock (2007-09-26 21:52):

My last 2007 prediction from the beginning of the year (http://www.greebo.net/2007/01/06/webappsec-past-and-future/) is starting to come true! And from a scanner vendor! Sweet!

Seriously - nice work. More needs to be said on this uber important topic. This is how I've been doing code reviews for the last few years, and if scanners can do some of the heavy lifting, all the better.

I primarily target the golden apples in my reviews. The low hanging fruit falls out as a consequence of looking at how to steal or spoil the golden apples.

Andrew

Ray Pompon (2007-09-27 09:13):

Don't forget Operation Flyhook. Ivanov and Gorshkov performed an amazing business-level hack against eBay and PayPal using some Perl bots. Without violating any security rules and spoofing some very basic technical protections, they created a multi-million dollar credit-card laundering business.

Rick (kingthorin) (2007-09-27 10:16):

Good paper. If you're going to send this out to customers etc. you might want to change the font size on the last page. The title appears fine, but in the blue text (topic) of each paragraph it's hard to distinguish "i" and "l".

I encountered a good one last year. I was working with a system which did license registrations and allowed you to make a donation to a related charity. Assume your license fee was $65. You could make a "charitable donation" through the web form of -$64, resulting in a total owing of $1. Couldn't reduce to zero or negative, but I'd much rather pay $1 than $65 :) There were two very sad points along with this discovery. 1) You could do it right within the web form (no need to tamper with the transaction "in-flight" or anything), 2) The client supposedly had a test case for this condition :( Oops!

Jeremiah Grossman (2007-09-27 13:28):

@Andrew: hi, thank you, glad you liked it. The only way my predictions come true is if they're self-fulfilling. :) As much as anything else, I view my job as helping customers make their websites as hard to break into as possible. If that requires scanning technology, great... security experts, fine... WAFs, ok then. I just think it's time to be pragmatic about what we can expect from each technology/process and measure them accordingly.

These business logic flaws though really present a huge and challenging problem. I mean, how and when in the SDLC do we attempt to find them? Some are of course introduced early in the design phase while others only show up during implementation. Plus there is no generic and reasonable approach to identify them (guidance) and we're completely reliant upon clever people to spot them. So as you say it's time to start raising the issue now, because the more smart people thinking about it the better.

@r Operation Flyhook? I've not heard of this. Got a reference I might read?

@Thorin, hey that's cool! We might have to give that a shot more often and see what happens. Reminds me of that old bank wire transfer hack where you enter a negative amount. On some systems it will actually pull money out of another account instead of adding to it. :)

Anonymous (2007-09-27 13:59):

@vanderaj -- sheesh, "from a scanner vendor" :)

Who all do you think works over here? We're the ultimate pragmatist crowd....

I hear ya' though. Some folks don't wanna touch this subject with a stick b/c they either (a) don't really understand it, or (b) know their automated parsers cannot find this stuff.

You can do A LOT of cool things with automation once you get a human eyeball parser involved to add context, and being able to process out of band comms like SMTP helps too. :)

Jeremiah Grossman (2007-09-30 10:09):

Oh Andrew, by the way, I've been discussing business logic flaws publicly for quite some time:

http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1189767,00.html
http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html

It's the other guys who have been conveniently ignoring the subject. :)

chriscla (2007-09-30 23:27):

A friend of mine once provided me the following quote:

"Testing is making sure the product does what it is supposed to do. Security testing is making sure the product does what it is supposed to do, and nothing else!"

He is not quite sure where he picked it up from, but it is one of the few quotes that I can even remember. I haven't read your new paper yet but plan to.

Jeremiah Grossman (2007-10-01 11:10):

I've seen that quote around as well and I like it. The problem is it's hard to know what a piece of software can be made to do.

Annuity (2009-06-16 04:42):

I have gradually become a great fan of yours and I wish you good luck for your success.