Comments on HolisticInfoSec™: Online finance flaw: Merrill Lynch not bullish on XSS & CSRF vulnerabilities
Blog author: Russ McRee (http://www.blogger.com/profile/05647342839278416757)
Comment feed last updated 2024-01-15; 4 comments, shown oldest first.

Anonymous, 2009-01-08 13:52 (-08:00):
To me there is no question that web application security flaws are relevant to financial results, and that under SOX organizations must verify their applications and fix any problems they find. If there's any question about what organizations need to verify, they should check the new OWASP ASVS, which defines specific verification requirements for applications. The only caveat is that if the application has no bearing on the integrity of financial results, then SOX doesn't require anything.

Anonymous, 2009-01-08 15:23 (-08:00):
Jeremiah prompted me to do some research. I spoke to a SOX auditor and they had two responses of interest:

First, these web app vulns are unlikely to affect SOX, as the web app and related servers are unlikely to be hosting the financial data.

Second, when I asked if there would be an impact if the web vuln allowed access to the internal network, the answer was still that it was unlikely, as the other internal controls around the financial statements would be considered.

Finally, he left off saying that firms are growing more relaxed on SOX in general.

Scott (https://www.blogger.com/profile/00381663746771393854), 2009-01-09 09:40 (-08:00):
It seems from the video that you used a POST to expose the XSS. Did you find out if the server treated GETs the same as POSTs?

Russ McRee (https://www.blogger.com/profile/05647342839278416757), 2009-01-09 12:02 (-08:00):
@Scott,
No immediately obvious signs of GET weaknesses, but treat that as inconclusive analysis. ;-)
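The GET-versus-POST question Scott raises, and Russ's "inconclusive" answer, point at a check worth automating: replay the parameters of a POST that reflects a payload as a GET query string and see whether the same unescaped reflection comes back. The following is an added example, not code from the original post or from any of the commenters. It runs offline: the two "servers" are stand-ins for a search page that echoes its `q` parameter (one mimicking frameworks that merge query string and form body, one that reads form fields only), and the marker payload, parameter names and helper names are constructed for the demo, not details of the Merrill Lynch finding.

```python
"""Added example (not from the original post or its comments): replay a
reflected-XSS probe found via POST as a GET request to see whether the
server treats both methods the same. The servers below are assumed stand-ins
for a search page that echoes its 'q' parameter; PROBE is a constructed marker."""
from functools import partial
from urllib.parse import parse_qs, urlencode
import html

# Constructed marker payload. Against a real target start with something
# innocuous (a unique token) and only escalate once reflection is confirmed.
PROBE = '"><svg onload=alert(1)>'


def echo_server(method, query, body, merge_methods, escape):
    """Stand-in for the application under test (an assumption, not the real app).

    merge_methods=True imitates frameworks whose request collection merges
    query string and form body (PHP $_REQUEST, ASP.NET Request[...]), so a
    parameter the form normally sends by POST is honoured on GET as well.
    merge_methods=False reads 'q' from the POST body only.
    escape=True is the hardened version that HTML-encodes the reflected value.
    """
    form = parse_qs(body) if method == "POST" else {}
    qs = parse_qs(query)
    params = {**qs, **form} if merge_methods else form
    term = params.get("q", [""])[0]
    if escape:
        term = html.escape(term, quote=True)
    return f"<html><body><h1>Results for {term}</h1></body></html>"


def probe_methods(send, base_params, payload=PROBE):
    """Send identical parameters once as a POST body and once as a GET query
    string, and report for each method whether the raw payload is reflected
    unescaped. `send(method, query, body)` returns the response body."""
    encoded = urlencode({**base_params, "q": payload})
    return {
        "POST": payload in send("POST", "", encoded),
        "GET": payload in send("GET", encoded, ""),
    }


def classify(results):
    """Translate the two booleans into what they mean for delivery."""
    if results["GET"]:
        return "GET reflects: deliverable as a plain link"
    if results["POST"]:
        return "POST only: attacker needs an auto-submitting form"
    return "no unescaped reflection"


if __name__ == "__main__":
    cases = [("merging", True, False), ("strict", False, False), ("fixed", True, True)]
    for label, merge, escape in cases:
        send = partial(echo_server, merge_methods=merge, escape=escape)
        result = probe_methods(send, {"page": "1"})
        print(f"{label:8s} {result} -> {classify(result)}")
```

The distinction matters for severity: a reflection that works over GET is exploitable by sending the victim a single link, while a POST-only reflection forces the attacker to host an auto-submitting form (the same delivery mechanism as a CSRF attack), which is a higher bar but not a fix. The fixed server shows that output encoding closes both paths at once; restricting the parameter to POST would only narrow delivery.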