Secure Coding mailing list archives

Re: Java DOS


From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Tue, 15 Feb 2011 10:48:07 -0600

Chris,

On Feb 15, 2011, 8:20 AM, Kevin Wall wrote:
On Feb 15, 2011, at 12:06 AM, Chris Schmidt <chrisisbeef () gmail com> wrote:
On Feb 14, 2011, at 8:57 AM, "Wall, Kevin" <Kevin.Wall () qwest com> wrote:
[snip]
So on a somewhat related note, does anyone have any idea as to how
common it is for application developers to call ServletRequest.getLocale()
or ServletRequest.getLocales() for Tomcat applications? Just curious.
I'm sure it's a lot more common than developers using
double-precision floating point in their applications (with
the possible exception within the scientific computing community).

I would assume just about any app with a shopping cart does. This is of
course compounded by libraries like struts and spring mvc that autobind
your form variables for you. Use a form with a double in it and you're boned.

Good point about things like Spring and Struts. Hadn't thought of those
cases. OTOH, if I were implementing a shopping cart, I'd write a special
Currency class and there probably use Float.parseFloat() rather than
Double.parseDouble() [unless I were a bank or otherwise had to compute
interest], and hopefully Float does not have similar issues.

A thousand pardons for me responding to my own post, but I've been thinking
more deeply about what Chris wrote and how I responded the first time and I
don't think either of us were quite on target.

Your *typical* shopping cart application is going to have the end user
select a *quantity* of a specific item, and *almost always* this is going
to be some integer type. (Yes, there are some exceptions, but they are
comparatively few.) The calculation of the final price may involve
floats or doubles, but those should be extremely difficult, if not impossible,
to exploit given that the price generally will only have two decimal places
of precision and that the end user can (hopefully) only enter a whole number.

So, IMO, properly implemented applications using a traditional shopping
cart are not likely to be exploited by this Double.parseDouble(String)
vulnerability. (Note that if you are storing your price info somewhere
that a client can access it, you have much bigger problems than a DoS
attack.)

What is more likely is if you have applications where a user can enter
specific payment amounts directly. I'd guess that those that might be
vulnerable would be things like people accepting donations via PayPal,
etc. That's probably not something that is very prevalent in telecomm
applications though. But thanks for helping me think through this.

-kevin
---
Kevin W. Wall           Qwest Risk Mgmt / Information Security
Kevin.Wall () qwest com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
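As an added illustration of the validation the reply argues for (this is not code from the thread or from Kevin's proposed Currency class; the class and method names are hypothetical), here is how a cart can accept a quantity as a bounded whole number and a payment amount through a strict pattern plus BigDecimal, so that user-supplied strings never reach Double.parseDouble or Float.parseFloat:

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.util.regex.Pattern;

/** Hypothetical input validation for a shopping-cart / payment form. */
public final class CartInput {

    // Quantity: 1..999, ASCII digits only, no leading zero, no sign, no decimal point.
    private static final Pattern QUANTITY = Pattern.compile("[1-9][0-9]{0,2}");

    // Payment amount: up to 7 integer digits and at most two decimal places.
    // Exponents, hex floats, signs, whitespace and overlong strings are all
    // rejected here, before any numeric parser sees the string.
    private static final Pattern AMOUNT = Pattern.compile("[0-9]{1,7}(\\.[0-9]{1,2})?");
    private static final int MAX_AMOUNT_LEN = 10;

    public static int parseQuantity(String raw) {
        if (raw == null || !QUANTITY.matcher(raw).matches()) {
            throw new IllegalArgumentException("quantity must be a whole number from 1 to 999");
        }
        return Integer.parseInt(raw);   // at most 3 digits, so this cannot overflow
    }

    /** Returns the amount in whole cents, so later price arithmetic stays integral. */
    public static long parseAmountCents(String raw) {
        if (raw == null || raw.length() > MAX_AMOUNT_LEN || !AMOUNT.matcher(raw).matches()) {
            throw new IllegalArgumentException("amount must look like 123 or 123.45");
        }
        // BigDecimal(String) parses the decimal text itself; the user's input is
        // never handed to Double.parseDouble or Float.parseFloat.
        BigDecimal amount = new BigDecimal(raw).setScale(2, RoundingMode.UNNECESSARY);
        return amount.movePointRight(2).longValueExact();
    }

    public static void main(String[] args) {
        System.out.println("quantity: " + parseQuantity("3"));
        System.out.println("cents: " + parseAmountCents("19.99"));
        for (String bad : new String[] {"1e308", "0x1p-1022", "-5", "3.5"}) {
            try {
                parseQuantity(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected quantity '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```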

