Thursday, August 13, 2015

0.2 + 0.1 – 0.3 in JavaScript gives 0.00000000000000005551115123125783 in Firefox, Safari, and Internet Explorer!

...but just a plain zero in Opera and Chrome. Programming languages can only handle a certain amount of precision. I saw Fernando Arnaboldi give a talk called "Abusing XSLT for Practical Attacks" at this year's Black Hat, and a quote from the talk was "God is real, unless declared integer," which winked at the damage one may do when transforming a floating point number at one server to a floating point number at another. If one moves a number with 101 decimal places to a new locale that only accounts for 100 decimal places, one may transfer funds from one bank account to another, for example, in tiny amounts repeatedly, in a manner that makes one grotesquely rich, making something out of nothing by way of exploiting the rounding. 100 and 101 are exaggerations in this example, but you get the idea.

This must be why BAI2 files display currency values at one hundred times what they actually are, so as to have the first two decimal places baked into an integer in a roundabout way. The convention probably exists to strictly enforce two-decimal-place precision while enjoying the safety integers afford. Then again, maybe there are better ways to do this. I guess I don't know.

XML vulnerabilities are fun, and they may get you some passwords! An XSLT lets you receive an XML document and then output an XML, HTML, or text document. There are now three different versions of XSLT (v1, v2, v3), and v1 is the most implemented and the most supported by web browsers. Fernando's talk alluded to there being a way to do XSLT injections at a web browser, but I did not come away with an understanding of how. Command Line Interface (CLI) standalone server-side processors for XSLTs include Libxslt, Xalan, and Saxon.

There may be a problem with generating random numbers in XSLTs too, as the numbers may not be really random if they are driven by an implementation based upon the clock ticks and two calls happen back to back. There are apparently loopholes for getting a random number and thus knowing what the next random number will be in the immediate split-second window of time, and taking advantage of as much, although I really couldn't follow the example given myself.
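As an added example that is not part of the original post or of Fernando Arnaboldi's talk, here is the title calculation next to a small integer-cents ledger of the kind the BAI2 convention above implies. The value the title quotes is simply what IEEE 754 double arithmetic produces, so the example shows where that residue comes from, how it accumulates when the same small amount is posted many times, and how a strict "two decimal places, stored as integer cents" rule refuses a third decimal place instead of silently rounding it. All function names, the regular expression and the sample amounts are mine and are constructed for illustration.

```javascript
// Added example, not code from the post or the talk it describes. Function names,
// the parsing rule and the sample amounts are assumptions made for illustration.

// The title's calculation. IEEE 754 doubles cannot represent 0.1, 0.2 or 0.3
// exactly, so the residue is one ulp (2^-54), not a property of any one browser.
function titleCalculation() {
  return 0.2 + 0.1 - 0.3; // 5.551115123125783e-17
}

// Naive float ledger: post the same amount `times` times and let the error build up.
function floatLedger(amount, times) {
  let total = 0;
  for (let i = 0; i < times; i++) total += amount;
  return total;
}

// Integer-cents ledger. Amounts enter as decimal strings and are parsed strictly:
// anything beyond two decimal places is rejected rather than rounded, which is the
// step where the "101 places into a 100-place locale" trick in the post would bite.
const CENTS_RE = /^(-)?(\d+)(?:\.(\d{1,2}))?$/;

function toCents(amountStr) {
  const m = CENTS_RE.exec(amountStr);
  if (!m) throw new RangeError(`not a two-decimal currency amount: ${amountStr}`);
  const sign = m[1] ? -1 : 1;
  const whole = Number(m[2]);
  const frac = Number((m[3] || "").padEnd(2, "0"));
  const cents = sign * (whole * 100 + frac);
  // Doubles are exact integers only up to 2^53; refuse amounts past that instead
  // of letting the arithmetic quietly drop low-order cents.
  if (!Number.isSafeInteger(cents)) throw new RangeError(`amount out of safe range: ${amountStr}`);
  return cents;
}

function fromCents(cents) {
  if (!Number.isSafeInteger(cents)) throw new RangeError(`not an integer cent count: ${cents}`);
  const sign = cents < 0 ? "-" : "";
  const abs = Math.abs(cents);
  return `${sign}${Math.floor(abs / 100)}.${String(abs % 100).padStart(2, "0")}`;
}

function integerLedger(amountStr, times) {
  const unit = toCents(amountStr);
  let total = 0;
  for (let i = 0; i < times; i++) {
    total += unit;
    if (!Number.isSafeInteger(total)) throw new RangeError("ledger overflow");
  }
  return total; // cents
}

// Difference, in cents, between the float ledger and the integer ledger after
// `times` postings. Any non-zero result is money created or destroyed by rounding
// rather than by a transaction.
function ledgerDriftInCents(amountStr, times) {
  return floatLedger(Number(amountStr), times) * 100 - integerLedger(amountStr, times);
}

function demo() {
  console.log("0.2 + 0.1 - 0.3 =", titleCalculation());
  console.log("ten postings of 0.10 as floats:", floatLedger(0.1, 10));
  console.log("ten postings of 0.10 as cents:", fromCents(integerLedger("0.10", 10)));
  console.log("drift after 1000 postings of 0.01:", ledgerDriftInCents("0.01", 1000), "cents");
  try {
    toCents("0.001");
  } catch (e) {
    console.log("rejected:", e.message);
  }
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The strict parser is the practitioner's point: a conversion between two precisions should fail loudly on input it cannot represent, because a silent round or truncation at that boundary is exactly the gap a repeated tiny transfer exploits.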

Hmmm... I just tried the calculation in Chrome's console and I got the long answer instead of the zero. Was this speaker wrong?
