How to Rob an Online Bank (and get away with it) - Acros Security
HTTP Parameter Pollution (Source Account)

JSP

POST /transfer
source=1 & dest=2 & amount=100 & source=42

source = request.getParameter("source")   // 1
amount = request.getParameter("amount")   // 100
IF NOT user_authorized_for(source) THEN ERROR()
IF disposable(source) < amount THEN ERROR()
Call BackEndTransaction(request)

PHP

POST /BackEndTransaction
source=1 & dest=2 & amount=100 & source=42

source = $_POST["source"]   // 42
dest   = $_POST["dest"]     // 2
amount = $_POST["amount"]   // 100
IF NOT user_authorized_for(source) THEN ERROR()
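The slide's point is that the two tiers resolve the duplicated `source` name differently (the servlet `getParameter()` returns the first value, PHP's `$_POST` keeps the last), so the front end authorizes one account while the back end debits another. The following Python simulation is an added example, not code from the Acros slides: it models both tiers with the two parsing rules, reproduces the disagreement when the raw body is forwarded, and shows the two defensive changes that close it (forward only the values the front end validated, or reject repeated parameter names outright). `USER_ACCOUNTS`, the balances, `POLLUTED_BODY` and all function names are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed fixtures (not from the slides): the logged-in user owns account "1";
# account "42" belongs to someone else.
USER_ACCOUNTS = {"1"}
INITIAL_BALANCES = {"1": 500, "2": 0, "42": 10000}

# Constructed request body carrying the duplicated "source" name shown on the slide.
POLLUTED_BODY = "source=1&dest=2&amount=100&source=42"


class DuplicateParameterError(ValueError):
    """A parameter name was supplied more than once in the request body."""


def parse_first_wins(body: str) -> dict:
    """Servlet-style request.getParameter(): the first occurrence of a name wins."""
    params: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def parse_last_wins(body: str) -> dict:
    """PHP-style $_POST: a later occurrence silently overwrites an earlier one."""
    return dict(parse_qsl(body, keep_blank_values=True))


def parse_strict(body: str) -> dict:
    """Hardened parser: a repeated name is rejected instead of being resolved."""
    params: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in params:
            raise DuplicateParameterError(f"parameter {key!r} supplied more than once")
        params[key] = value
    return params


def back_end_transaction(body: str, balances: dict) -> str:
    """Back-end tier (PHP on the slide): re-parses the body last-value-wins and
    trusts that the front end already authorized the source account."""
    p = parse_last_wins(body)
    amount = int(p["amount"])
    balances[p["source"]] -= amount
    balances[p["dest"]] += amount
    return p["source"]  # the account that was actually debited


def front_end_transfer(body: str, balances: dict, parse=parse_first_wins,
                       forward_raw: bool = True) -> str:
    """Front-end tier (JSP on the slide). Returns the debited account or "ERROR".

    forward_raw=True reproduces the slide: the raw request is handed to the back
    end, so the two tiers may disagree about which "source" they act on.
    forward_raw=False forwards only the values the front end actually validated.
    """
    p = parse(body)
    source, amount = p["source"], int(p["amount"])
    if source not in USER_ACCOUNTS:
        return "ERROR"          # user_authorized_for(source) failed
    if balances[source] < amount:
        return "ERROR"          # disposable(source) < amount
    forwarded = body if forward_raw else urlencode(p)
    return back_end_transaction(forwarded, balances)


def run(parse=parse_first_wins, forward_raw: bool = True) -> tuple:
    """Run one transfer against a fresh copy of the balances.
    Returns (debited account or "ERROR"/"REJECTED", resulting balances)."""
    balances = dict(INITIAL_BALANCES)
    try:
        debited = front_end_transfer(POLLUTED_BODY, balances, parse, forward_raw)
    except DuplicateParameterError:
        debited = "REJECTED"
    return debited, balances


if __name__ == "__main__":
    print("raw body forwarded :", run())                      # debits "42"
    print("parsed values only :", run(forward_raw=False))     # debits "1"
    print("strict parsing     :", run(parse=parse_strict))    # rejected
```

Of the two fixes, strict parsing is the one to apply at the edge: it makes the request's meaning unambiguous before any tier interprets it, and a rejected duplicate is also a cheap, high-signal event to log and alert on, since legitimate clients have no reason to send the same account parameter twice.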