Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have lead to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Grossman
