Friday, March 18, 2016

2016-012-Ben Caudill on App Logic Flaws, and Responsible Disclosure


Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-012-Ben_Caudill-Application_Logic_Flaws.mp3
Itunes: iTunes: https://itunes.apple.com/us/podcast/brakeing-down-security-podcast/id799131292?mt=2 (look for the episode starting with "2016-012")
Ever bought "-1" of an item on a retail site? Or was able to bypass key areas of an application and get it bypass authentication, or you were able to bypass a paywall on a site?
Application logic flaws are often insidious and not easy to find. they require often a bit of work to bypass, and are often missed by testing groups with rigid test plans, as they violate the flow of an application. "Why would they do that? That doesn't make any sense..." often precludes the finding of an application logic flaw.
This week, we interview Ben Caudill from Rhino Security, who discussed a logic flaw that could be used to de-anonymize someone by creating fake profiles..
We then discuss how Ben went through contacting the company, what happened after initial disclosure, and how it was fixed.
http://www.geekwire.com/2014/hack-popular-app-secret-seattle-hackers-show-digital-security-always-beta/
http://www.theguardian.com/technology/2014/aug/26/secret-app-cyberbullying-security-hackers

Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security using Patreon: https://www.patreon.com/bds_podcast
RSS FEED: http://www.brakeingsecurity.com/rss
On #Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
Google Play Store: https://play.google.com/music/podcasts/portal/#p:id=playpodcast/series&a=100584969
Player.FM : https://player.fm/series/brakeing-down-security-podcast
Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
#infosec, #podcast, #CISSP, #CPEs, #vulnerability #disclosure, #responsible #disclosure, #application #security, #logic #flaws, Ben #Caudill, #Rhino #Security

Here is a new episode of Brakeing Down Security Podcast!

No comments: