0P3N Blog Post

[podcast] Ben Caudill on App Logic Flaws, and Responsible Disclosure

By: BrBr
April 6, 2016
Ever bought "-1" of an item on a retail site? Or been able to skip key areas of an application and bypass its authentication, or get past a paywall? These are examples of a class of vulnerabilities called "logic flaws".

Application logic flaws are often insidious and not easy to find. They usually take a bit of work to exploit, and they are often missed by testing groups with rigid test plans, because they violate the intended flow of the application. "Why would anyone do that? That doesn't make any sense..." is often the reaction that keeps a tester from finding one.

This week we interview Ben Caudill from Rhino Security, who discusses a logic flaw that could be used to de-anonymize a user by creating fake profiles.

Disclosing these kinds of issues to a fledgling startup with a "let's get this to market as soon as possible" mentality can lead to a gag order, or to lawyers threatening the security researcher.
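The "-1 of an item" flaw mentioned above, shown as a worked example. This is added illustration code, not code from the podcast, from Ben Caudill or from Rhino Security: the catalogue, SKUs, prices, the `MAX_QTY_PER_LINE` limit and the two `total_*` functions are all hypothetical. The vulnerable version trusts quantity and price straight from the client request, so a negative quantity turns a purchase into a credit; the hardened version recomputes the total from server-side prices and rejects any quantity that is not a positive integer within bounds.

```python
from decimal import Decimal

# Constructed server-side catalogue (hypothetical SKUs and prices).
CATALOG = {
    "book-101": Decimal("12.50"),
    "hdmi-cable": Decimal("8.00"),
    "laptop-pro": Decimal("1499.00"),
}

# Hypothetical business rule: no more than 99 of any line item per order.
MAX_QTY_PER_LINE = 99


class CartError(ValueError):
    """Raised when a cart fails server-side validation."""


def total_vulnerable(cart):
    """Logic flaw: both price and quantity are taken from the client.

    A quantity of -1 (or a client-chosen price) lowers the total, so an
    attacker can pair a cheap legitimate item with "-1" of an expensive
    one and end up with the store owing them money.
    """
    total = Decimal("0")
    for item in cart:
        total += Decimal(str(item["price"])) * int(item["qty"])
    return total


def total_hardened(cart):
    """Server-side recomputation with explicit validation.

    Prices come only from CATALOG; quantities must be real integers
    (not bool, not strings) in the range 1..MAX_QTY_PER_LINE. The flow
    the tester "would never try" is rejected before any arithmetic.
    """
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise CartError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int in Python; True would count as 1.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise CartError(f"quantity must be an integer, got {qty!r}")
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise CartError(f"quantity {qty} out of range for {sku}")
        total += CATALOG[sku] * qty
    # Defence-in-depth invariant: a checkout total can never be negative.
    if total < 0:
        raise CartError("negative order total")
    return total


if __name__ == "__main__":
    # Constructed attacker request: one cheap item, "-1" expensive item.
    attack = [
        {"sku": "book-101", "price": "12.50", "qty": 1},
        {"sku": "laptop-pro", "price": "1499.00", "qty": -1},
    ]
    print("vulnerable total:", total_vulnerable(attack))  # negative
    try:
        total_hardened(attack)
    except CartError as e:
        print("hardened rejected it:", e)
```

The important design choice is that validation happens on the server against server-owned data: the client never supplies a price, the quantity is type-checked before it is range-checked, and a final invariant on the total catches any path the per-item checks missed. A test plan that only covers "buy 1, buy 2" would never exercise the -1 case, which is exactly why these flaws survive rigid test plans.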
We discuss how Ben went about contacting the company, what happened after initial disclosure, and the aftermath of his actions.

http://www.geekwire.com/2014/hack-popular-app-secret-seattle-hackers-show-digital-security-always-beta/
http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers

Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3
iTunes: https://itunes.apple.com/us/podcast/2016-012-ben-caudill-on-app/id799131292?i=365094523&mt=2

Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
Twitter: @brakesec @boettcherpwned @bryanbrake
Facebook: https://www.facebook.com/BrakeingDownSec/
Tumblr: http://brakeingdownsecurity.tumblr.com/
Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
Player.FM: https://player.fm/series/brakeing-down-security-podcast
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security
