Anatomy of a Logic Flaw presented at OWASP AppSecAsiaPac 2012

by Daniel Crowley, Charles Henderson,

Summary : Traditional vulnerabilities like SQL Injection, buffer overflows, etc, have well established techniques for discovery and prevention. On the other hand, logic flaws are incredibly diverse and often unique to the specific application or business organization. Because of this, logic flaws have taken on a near mythical status. In the myth, logic flaws are nearly impossible to find until the elite of the elite hackers launch an attack to completely own the application.
The reality is far different; logic flaws are not the complex nightmare that many have made them out to be. This presentation will use real-world examples to show how logic flaws are typically introduced into an application, how they can be consistently detected during testing, and how they can be prevented during development. Instead of hoping for magic, repeatable processes will be outlined for each of those items. This will prove beneficial to anyone responsible for application security: programmers, architects, managers, and pen testers.

Daniel Crowley: Daniel does pen testing, research, training, and various other things for Core Security Technologies. In his spare time, he plays around mostly with Web-based technologies and locks. Being an entertainer by nature, Daniel likes combining art with technology and his presentations are designed to inform AND entertain. Daniel was a speaker at Shmoocon VI and won the Gringo Warrior competition at Shmoocon V.