June 2011 Blog Posts
Now my DevSecNerdRage™ has calmed down I thought it might be guess at what went wrong with Citibank and how you, as a developer, can avoid making the same mistake. From reports in the New York Times it appears the attackers had a valid login and password for a Citibank credit card site and once in they changed the account number in the URL. This is a great example of Insecure Direct Object Access. I can imagine the code / configuration doing one thing; (all code in this post is pseudo code)if (IsAuthenticated)
{
LoadAccount(Request.QueryString["accountNumber"]);
}
Its not the first time...
Last month I was rather pleased to welcome Troy Hunt into my little band of Developer Security MVPs. He’s been doing a bunch of blog posts on the OWASP Top 10 list for ASP.NET developers. Check them out, he’s almost finished. Technorati Tags: MVP,Security,OWASP,ASP.NET
This makes me bang my head on the desk In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data. As if insecure direct object...