Total Website Security |
Business Logic Flaws :: Day Trading Contest

CNBC’s Million Dollar Portfolio Challenge gave amateur traders a chance to match their skills against the portfolios of the Internet’s best. 375,000 contestants competed in ten one-week challenges for a $10,000 prize and a spot in the final round, where a cool million was at stake. To win, all they had to do was make the most “funny” money.

Placing a stock trade in the contest was essentially a two-step process:

Step 1. Select the stocks you wish to purchase, enter the number of shares, and press the submit button. The back-end system prices the order using the current share price and waits for the user to confirm before executing the trade.

Step 2. The user either drops out of the transaction or confirms the order, which then executes the mock stock transaction and updates their portfolio.

Can you spot the security problem?

To make impossibly accurate picks, a malicious trader would select several stocks to buy (but NOT confirm the order in step 2) in companies scheduled to report earnings after trading closed that day. After setting up the order, they would leave the browser window open until after the closing bell. If a stock’s price rose by a significant percentage in after-hours trading, only then would the trader confirm the transaction. Because the session stored the price quoted in step 1 and the confirmation step did not re-price the order at the current share price, the trader locked in a guaranteed portfolio gain and was well on the way to winning the million*. In other words, this is a time-of-check/time-of-use gap expressed in business logic rather than in code: the price is checked at one moment and used at a later one, and nothing in the workflow limits how far apart those two moments may be.

Solution
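As an added example (this is not the page’s own code, nor code from CNBC or the contest operator, and the symbol, prices and timings are constructed), the following Python simulation reproduces the two-step flow above. The vulnerable order flow executes at the price captured in step 1; the hardened variant re-prices the order at confirmation and additionally rejects quotes older than a short time-to-live, so a tab left open across the closing bell buys nothing at the stale price. The class and function names are my own and are not taken from the page.

```python
"""Simulation of the two-step trade flow described above.

Constructed example: the symbol, prices and clock values are made up.
"""
from dataclasses import dataclass
from typing import Dict
import itertools


@dataclass
class Quote:
    symbol: str
    shares: int
    price: float       # share price captured when the order was set up (step 1)
    created_at: float  # clock seconds when the quote was issued


@dataclass
class Fill:
    symbol: str
    shares: int
    price: float       # price the trade actually executed at (step 2)


class PriceFeed:
    """Toy market data: a dict of symbol -> current share price."""
    def __init__(self, prices: Dict[str, float]):
        self.prices = dict(prices)

    def current(self, symbol: str) -> float:
        return self.prices[symbol]


class VulnerableOrderFlow:
    """Step 1 captures the price; step 2 executes at that captured price,
    no matter how much time has passed. This mirrors the contest's flaw."""
    def __init__(self, feed: PriceFeed):
        self.feed = feed
        self.pending: Dict[int, Quote] = {}
        self._ids = itertools.count(1)

    def submit(self, symbol: str, shares: int, now: float) -> int:
        oid = next(self._ids)
        self.pending[oid] = Quote(symbol, shares, self.feed.current(symbol), now)
        return oid

    def confirm(self, oid: int, now: float) -> Fill:
        q = self.pending.pop(oid)
        return Fill(q.symbol, q.shares, q.price)  # stale step-1 price reused


class HardenedOrderFlow(VulnerableOrderFlow):
    """Re-price at confirmation and refuse quotes older than quote_ttl seconds."""
    def __init__(self, feed: PriceFeed, quote_ttl: float = 60.0):
        super().__init__(feed)
        self.quote_ttl = quote_ttl

    def confirm(self, oid: int, now: float) -> Fill:
        q = self.pending.pop(oid)
        if now - q.created_at > self.quote_ttl:
            raise ValueError("quote expired; resubmit the order")
        # Fundamental fix: the execution price is the price *now*, not at step 1.
        return Fill(q.symbol, q.shares, self.feed.current(q.symbol))


def unrealised_gain(fill: Fill, feed: PriceFeed) -> float:
    """Mark-to-market gain the instant after the fill."""
    return (feed.current(fill.symbol) - fill.price) * fill.shares


def run_attack(flow_cls, **kwargs):
    """Replay the attack: quote before the close, confirm after an
    after-hours jump. Returns the attacker's immediate paper gain, or None
    if the flow rejected the stale quote."""
    feed = PriceFeed({"ACME": 100.0})          # constructed ticker and price
    flow = flow_cls(feed, **kwargs)
    t_quote = 15 * 3600 + 50 * 60              # 15:50, ten minutes before the bell
    oid = flow.submit("ACME", 1000, now=t_quote)
    feed.prices["ACME"] = 130.0                # earnings beat: +30% after hours
    t_confirm = 17 * 3600                      # 17:00, confirm from the still-open tab
    try:
        fill = flow.confirm(oid, now=t_confirm)
    except ValueError:
        return None
    return unrealised_gain(fill, feed)


if __name__ == "__main__":
    print("vulnerable flow, instant gain:", run_attack(VulnerableOrderFlow))
    print("hardened flow, 60 s TTL:", run_attack(HardenedOrderFlow))
    print("hardened flow, long TTL:", run_attack(HardenedOrderFlow, quote_ttl=10 * 3600))
```

Re-pricing at confirmation is the fix that removes the flaw; the quote TTL is defence in depth that also closes the window for any other stale state carried between the two steps. A production system would additionally refuse to execute while the market is closed, since the whole attack depends on confirming after the bell.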
* References:
Business Logic Flaws – Examples ::