WebApp Sec mailing list archives
Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
From: "Andy Steingruebl" <steingra () gmail com>
Date: Tue, 15 Jul 2008 16:04:10 -0700
On Tue, Jul 15, 2008 at 6:02 AM, Martin O'Neal <martin.oneal () corsaire com> wrote:
Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) By Adam Boulton, Stephen De Vries, Kevin O'Reilly, July 15, 2008 This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in-turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations.
You've pointed out some clearcut issues in using floats to represent financial values. Except in cases where you need to specifically deal with calculations likely to result in rounding (or the need for it) specific data structures that model things like dollars and cents are a much better solution, yes? As in, do fixed precision handling of all currency. There are certainly cases where this isn't possible, but for most financial applications that simply need to do things like track a balance, handle in/out flows, etc. you don't ever need to round, and can use relatively simple fixed-precision for this sort of thing. Yes? -- Andy Steingruebl steingra () gmail com ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) Andy Steingruebl (Jul 15)
- RE: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) Martin O'Neal (Jul 16)
- <Possible follow-ups>
- Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) silky (Jul 15)
- RE: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) Martin O'Neal (Jul 16)
- Message not available
- RE: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications) Martin O'Neal (Jul 16)