LAS VEGAS. I had the good fortune of meeting up today with Jeremiah Grossman, Founder and CTO of Whitehat Security. Grossman is talking at Black Hat in a session called “Get Rich or Die Trying” in which he is set to discuss how Black Hat’s make money.
Grossman told me that he wants to move the discussion beyond just simple exploits, be they XSS, CSRF, SQL injection or otherwise – for him some real flaws and some real money for hackers are being made from flaws in website’s business logic.These are flaws that aren’t at the code level but exist in how a site itself operates – in a way that hackers can exploit.
As an example, Grossman described a business logic attack whereby an attacker tries to log into a users account on an auction site repeatedly with the wrong password. The business logic of the site dictates that after a certain number of failed logins the legitimate user is actually locked out.
In another example, using a technique known as “timing” a hacker can try to access a site with an email address in order to determine if the email address is valid. Where the timing comes in, is the typical business logic (regardless if the password is valid or not) is that it there is a valid email there is a slight difference in the amount of time it takes for the website to respond.
As opposed to code level flaws which can be scanned for with tools and often fall into particular categories of vulnerabilities – business logic flaws according to Grossman are “all over the place and vary from site to site.”
So how does a site protect itself against a business logic level flaw? How does a site owner even know that they have a flaw?
Well here’s where the motivated self-interest comes in for Grossman – while the hackers themselves can use the business logic flaws to make money – Grossman’s company Whitehat can also make money by throwing humans (and some technical know how) at the problems to help site vendors as well.