Do XSS and SQL Injection break website code?
Here’s a philosophical question for all you security nerds (like me) out there: Do exploits like XSS (cross-site scripting) and SQL injection break a website? Or are they uses of legitimate functionality of a website?
I often define “business logic abuse” as: the use of legitimate pages of a website to perpetrate malicious activity. When defining business logic abuse I try to point out that this is different from XSS and SQL injection in that XSS and SQL injection use the website in a way that was NOT intended.
Lately, I’ve been called to task on this definition. Some people say that XSS holes, especially, are often in place to allow marketing people to redirect customers away from their website. I agree with that, but still claim that they were not intended to direct customers to phishing sites, sites with drive-by downloads, or other sites with malicious intent.
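As an added illustration of the distinction being drawn here (this is not code from the post): a marketing redirect endpoint that accepts any destination is the "intended" feature; the hardened version below keeps the feature but restricts destinations to an allowlist, and a small log check flags requests that would have sent a visitor off-site. The allowlist hosts, the `/redirect?next=` parameter name and the access-log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: the partner sites marketing is permitted to link out to.
ALLOWED_REDIRECT_HOSTS = {"partner.example.com", "promo.example.net"}


def unsafe_redirect_target(next_url):
    """The marketing redirect as it is often shipped: whatever is in next= is used."""
    return next_url


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_REDIRECT_HOSTS, fallback="/"):
    """Return next_url only if it is a same-site path or an https URL on an
    allowlisted host; otherwise return the fallback (the site's own front page)."""
    if not next_url:
        return fallback
    parsed = urlparse(next_url)
    # Same-site relative path: keep it, but refuse protocol-relative '//host/...'
    if not parsed.scheme and not parsed.netloc:
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return fallback
    # Off-site: only https, and only to an allowlisted host.
    if parsed.scheme != "https":
        return fallback
    # .hostname strips userinfo, so 'https://good@evil' resolves to 'evil'.
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback
    return next_url


# Common-log-format request line, enough to pull out the IP and request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def suspicious_redirects(log_lines, redirect_path="/redirect"):
    """Return (ip, target) for redirect requests whose target fails the allowlist,
    i.e. the ones the unsafe version would have honoured but the safe one rejects."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        request = urlparse(m.group("path"))
        if request.path != redirect_path:
            continue
        target = parse_qs(request.query).get("next", [""])[0]
        if target and safe_redirect_target(target) != target:
            flagged.append((m.group("ip"), target))
    return flagged


# Constructed sample access-log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2012:10:00:01 +0000] "GET /redirect?next=https%3A%2F%2Fpartner.example.com%2Fspring-sale HTTP/1.1" 302',
    '203.0.113.7 - - [10/May/2012:10:00:02 +0000] "GET /redirect?next=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302',
    '203.0.113.9 - - [10/May/2012:10:00:03 +0000] "GET /redirect?next=%2F%2Fevil.example%2Fdownload HTTP/1.1" 302',
    '203.0.113.9 - - [10/May/2012:10:00:04 +0000] "GET /account HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, target in suspicious_redirects(SAMPLE_LOG):
        print(f"{ip} was sent to a non-allowlisted destination: {target}")
```

The allowlist is the point: the legitimate marketing use (the partner link on the first log line) still works, while the two requests that would have bounced a visitor to an unrelated host are both refused by the endpoint and visible in the logs. Checking `hostname` rather than `netloc` matters because the userinfo form `https://partner.example.com@evil.example/` otherwise looks like a partner link to a naive string comparison.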
For those of you who follow this blog and are experts in XSS and SQL injection (and other such vulnerabilities), I’d very much appreciate your opinion on whether my definition of business logic abuse infringes on your fields of expertise. If so, I’m going to have to come up with a new definition!
Concern about web security at financial institutions
Russ McRee’s post on The need for financial web application security rang true for me. While the bad actors are finding ways to make money through e-commerce and even social network websites, the finance sector will always be a target since that’s where the money is.
It can be super tough to harden a website against online attacks. Russ does a great job calling out some of the things that are especially troublesome, and this dovetails nicely with the presentation Jeremiah Grossman gave yesterday (link to follow). Jeremiah’s presentation said that cross-site scripting and cross-site request forgery are major problems, but business logic flaws are becoming more and more prevalent.
Unfortunately, websites of all types are going to need to start defending themselves against all of these types of attacks – both the technical kind and the business logic kind.