Series — Discovering Business Logic Flaws
Act 1 — What is a business logic flaw?
With increase in standards of technology in past decade, the complexity of a software applications has increased exponentially. Unfortunately, this has also increased the number of attacks that have been launched on such applications.
Attackers have reinvented their approach to explore newer vulnerabilities.
Vulnerabilities in applications can be classified into two broad categories
- Those that have common characteristics across different applications
- Those that are specific to an application and business domain.
The first category of vulnerabilities are caused due to faulty input validation. This class of vulnerabilities is caused when an application depends on user input to trigger its critical functionality and these inputs are handled without proper sanitization of data.
Cross-site scripting and SQL Injection are good examples of this first category.
The second category of vulnerabilities is referred to as business logic flaws. It results from the faulty application logic. Consequently, a business logic flaw allows an attacker to misuse the application by circumventing the business rules of the application. These attacks are disguised as syntactically valid web requests that carry malicious intentions to violate the intended application logic.
An automated security scanner works fine for detecting the first category of vulnerabilities that have common characteristics across different applications. However, it falters when it comes to the detection of faulty logic vulnerabilities. It is because it is not programmed to understand the business domain workflow, logic of the programmer and ways in which a logic can be tampered with or bypassed.
Let us guide this narrative with a simple example
An e-commerce merchant, YYY.com sells electronic merchandize to consumers worldwide. The typical checkout process during fulfillment includes the following steps in sequence
- User picks one or more items and adds to basket
- User then heads to order page to initiate purchase
- User pushes purchase or checkout button
- Merchant YYY.com sends order and customer information to it’s partner payments processor (for authorization and capture)
- Payments processor returns transaction-id back to Merchant YYY.com
- Merchant YYY.com displays confirmation details on fulfillment page to consumer
An attacker carefully tracks the request/response through each of these stages prepares to induce a currency attack on this merchant.
At step (3), the attacker manipulates a currency related parameter in the POST request within the HTTP header and changes the currency type from `EU Pounds` to `US Dollars`. As a result the attacker was able to exploit this logic flaw by paying less for his/her order.
How can such flaws be avoided?
Is there a human assisted expert system available to check your specific application belonging to a specific business domain for design flaws that can be exploited?
Yes, such a system does exist. At the series finale I will reveal how this expert system can be utilized to identify such flaws.
Until then, onto my next installment in this series.
This post is one of a seven part series on finding business logic vulnerabilities in your code. To learn more, please read the full series here:
Act 1 — What is a business logic flaw?
Act 2 — Attack like its 1999
Act 3 — The dynamic duo Andrew and Allen exploit Nordstorm with their FatWallet
Act 4 — Outbidding
Act 5 — Pusher in Coinbase cookie
Act 6 — Your data has been breached, now what?
Act 7 — One (Bug)Mac please!
