Website Risk Management
Business Logic Flaws :: See Steve Jobs Up Close ::

Class: Information Leakage

During the MacWorld 2007 Expo, special Priority Codes (PCs: uppercase characters and digits, 5 characters in length) could be used by VIPs to obtain free Platinum Passes through online registration. Platinum Passes were a $1,695 value and came with a chance to see Apple CEO Steve Jobs up close. Hidden in the source code of the sign-up Web page was the list of valid PCs, each hashed with a one-way algorithm (MD5); the list was placed there to ease Web server load. Before a user submitted an order, the PC they entered was hashed with MD5 in JavaScript and compared client-side against the hidden list. If the PC matched an entry on the list, the order was sent to the server. If not, the user received an error message and the server never needed to be contacted.

Can you spot the security problem?

Several people noticed the hidden list of MD5 PCs in the Web page source code, and also that the key space was small - so small, in fact, that it could easily be brute-forced. Hackers quickly wrote programs to do so and, a few minutes later, were cracking PCs (usable during conference registration) to obtain free Platinum Passes*,**.

Solution

There is a strong desire to have the web browser perform data input validation to ease Web server load, and often this can be done safely. In this case, however, the developer chose to place sensitive data on the client, in hashed form but in a way that left it open to offline brute-forcing. It would have been better to let the server alone perform this check and so preserve the security of the system.

* Macworld crack offers VIP passes, hacker says
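The following is an added example, not code from the original page or from the conference registration site. It sizes the key space the page describes (36 symbols, 5 characters), models the flawed design (a hashed code list shipped to the client) beside a hardened one (codes kept and checked only on the server, generated with a large random key space, redeemable once, with attempts limited per client). Class and function names, the rate-limit threshold and the sample codes are all constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Alphabet the page describes: uppercase letters and digits, 5 characters long.
PC_ALPHABET = string.ascii_uppercase + string.digits
PC_LENGTH = 5


def keyspace_size(alphabet_len: int, length: int) -> int:
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet_len ** length


def entropy_bits(alphabet_len: int, length: int) -> float:
    """Bits of entropy in a uniformly chosen code."""
    return length * math.log2(alphabet_len)


def seconds_to_exhaust(alphabet_len: int, length: int, hashes_per_second: float) -> float:
    """Upper bound on the time to try every code at a given hash rate."""
    return keyspace_size(alphabet_len, length) / hashes_per_second


# --- Flawed design, as on the page: hashed list embedded in the web page ---

def publish_hashed_list(valid_codes) -> set:
    """What the server shipped to the browser: MD5 of every valid code."""
    return {hashlib.md5(c.encode()).hexdigest() for c in valid_codes}


def client_side_check(submitted_code: str, published_md5_list: set) -> bool:
    """Browser-side check: hash the input and look it up in the hidden list.
    Anyone holding the list can test candidates offline; with 36**5 codes
    that is a few tens of millions of MD5 operations."""
    return hashlib.md5(submitted_code.encode()).hexdigest() in published_md5_list


# --- Hardened design (constructed): codes never leave the server ---

class PriorityCodeServer:
    """Issues high-entropy codes and is the only party that validates them."""

    def __init__(self, max_attempts: int = 5):
        self._hashed_codes = {}   # sha256(code) -> redeemed flag
        self._attempts = {}       # client id -> failed/total attempts
        self.max_attempts = max_attempts

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_code(self) -> str:
        # 16 random bytes gives ~128 bits of entropy, far beyond 36**5.
        code = secrets.token_urlsafe(16)
        self._hashed_codes[self._digest(code)] = False
        return code

    def redeem(self, client_id: str, submitted: str) -> str:
        """Returns one of: ok, invalid, already_redeemed, rate_limited."""
        used = self._attempts.get(client_id, 0)
        if used >= self.max_attempts:
            return "rate_limited"
        self._attempts[client_id] = used + 1

        candidate = self._digest(submitted)
        for stored, redeemed in self._hashed_codes.items():
            # Constant-time comparison so the check leaks nothing through timing.
            if hmac.compare_digest(stored, candidate):
                if redeemed:
                    return "already_redeemed"
                self._hashed_codes[stored] = True
                return "ok"
        return "invalid"


if __name__ == "__main__":
    print("codes in key space:", keyspace_size(len(PC_ALPHABET), PC_LENGTH))
    print("entropy (bits): %.1f" % entropy_bits(len(PC_ALPHABET), PC_LENGTH))
    # 10 million MD5/s is a modest rate for a desktop; assumption for illustration.
    print("seconds to exhaust at 10M MD5/s: %.1f" % seconds_to_exhaust(36, 5, 1e7))
    server = PriorityCodeServer()
    code = server.issue_code()
    print(server.redeem("client-a", code), server.redeem("client-a", code))
```

The key-space functions make the page's point concrete: 36 to the power of 5 is about 60 million codes, roughly 26 bits of entropy, which is exhausted in seconds at commodity hash rates. The server class shows the alternative the Solution calls for: the browser submits the code and learns only the server's verdict, the stored values are digests of codes drawn from a 128-bit space, and repeated guessing from one client is cut off.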