Business Logic Vulnerabilities: excessive trust in client-side controls

Harry D
3 min read · Sep 8, 2020


Think of a scenario where you log in to an eCommerce website to buy something. These are the steps you would follow.

1. Log in to the website.

2. Add an item to your cart.

3. Set the quantity of the product.

4. Select the payment method and pay.

Now suppose the website also lets you top up a wallet and pay for the item from that wallet.

Here are two assumptions that cause problems.

1. The developer assumes that customers only use a browser to make purchases, so values the browser would never change (such as the price) are trusted when they arrive at the server.

2. Developers work in silos and do not consider how the other components of the application work.

If the server does not validate the input it receives, an attacker can manipulate the POST/GET request with an intercepting proxy to increase the quantity of the product or modify the price.

This happens because the developer assumed the application would only ever be driven by the browser, whose form fields hide the values the attacker can change.

Below are the steps. Select a product and add it to the cart.

(Screenshot: product to be added)
(Screenshot: add the product to the cart)

While the product is being added to the cart, an attacker can intercept the request in Burp Suite.

(Screenshot: POST request intercepted in Burp Suite)

If the server does not validate the request and instead uses the submitted fields as-is, the attacker can change the quantity of the product or the price. The price field should never be accepted from the client at all: the server should look it up from its own catalog by product identifier.

(Screenshot: manipulate the price)

When we refresh the browser and check the cart, the product now shows the manipulated price. Because we pay from the wallet, the order goes through at that price.

(Screenshot: check the cart)

How to prevent

1. Never assume that a request comes only from the browser. Validate every field on the server, and never accept security-relevant values such as the price from the client.

2. Understand the overall business logic. Several developers typically work on one product, so each of them should understand the other components and how they function in the business.

3. Keep the logic, business and data flows of the application documented, so that it is clear which values originate on the server and which come from the user.

4. Follow good coding practices, with comments that explain the code. A new developer stepping into an existing code base will find it daunting to understand without proper comments.
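To make the intercepted-request walkthrough and the prevention points concrete, here is an added Python example that is not part of the original post. It models the add-to-cart handler twice: a vulnerable version that trusts the price field the client sends, and a hardened version that accepts only a product identifier and quantity and takes the price from the server-side catalog. The catalog, the product identifiers, the wallet balance and the forged form body are all constructed for the example; the framework request object is replaced by a plain dict so the code runs offline.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalog: the server's only source of truth for prices and stock.
CATALOG = {
    "SKU-100": {"name": "Headphones", "price": Decimal("59.99"), "stock": 20},
    "SKU-200": {"name": "Keyboard", "price": Decimal("89.00"), "stock": 5},
}

MAX_QTY_PER_LINE = 10  # assumed business rule for this example


class ValidationError(ValueError):
    """Raised when the hardened handler rejects a request."""


@dataclass
class Cart:
    lines: list = field(default_factory=list)

    def total(self) -> Decimal:
        return sum((ln["price"] * ln["qty"] for ln in self.lines), Decimal("0"))


def add_to_cart_vulnerable(cart: Cart, form: dict) -> Cart:
    """Trusts every field the client sent, including the price.

    This is the behaviour exploited in the Burp Suite walkthrough: whatever
    price the proxy forwards is stored in the cart without question.
    """
    cart.lines.append({
        "sku": form["sku"],
        "qty": int(form["qty"]),
        "price": Decimal(form["price"]),  # client-controlled value
    })
    return cart


def add_to_cart_hardened(cart: Cart, form: dict) -> Cart:
    """Accepts only a SKU and a quantity; price comes from the catalog.

    Any other field in the request (such as a client-supplied "price")
    is ignored rather than merged into the cart line.
    """
    item = CATALOG.get(form.get("sku"))
    if item is None:
        raise ValidationError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValidationError("quantity must be an integer")
    if qty < 1 or qty > MAX_QTY_PER_LINE:
        raise ValidationError("quantity out of range")
    if qty > item["stock"]:
        raise ValidationError("insufficient stock")
    cart.lines.append({"sku": form["sku"], "qty": qty, "price": item["price"]})
    return cart


def checkout_with_wallet(cart: Cart, wallet_balance: Decimal) -> tuple:
    """Debits the wallet by the cart total; returns (accepted, new_balance)."""
    total = cart.total()
    if total > wallet_balance:
        return False, wallet_balance
    return True, wallet_balance - total


# Constructed form body as the proxy forwards it: the browser sent
# price=59.99 and qty=1; the attacker edited them to 0.01 and 3.
FORGED_FORM = {"sku": "SKU-100", "qty": "3", "price": "0.01"}


def demo() -> dict:
    """Runs the forged request through both handlers with a 5.00 wallet."""
    wallet = Decimal("5.00")
    vuln = add_to_cart_vulnerable(Cart(), dict(FORGED_FORM))
    hard = add_to_cart_hardened(Cart(), dict(FORGED_FORM))
    return {
        "vulnerable_total": str(vuln.total()),
        "vulnerable_order_accepted": checkout_with_wallet(vuln, wallet)[0],
        "hardened_total": str(hard.total()),
        "hardened_order_accepted": checkout_with_wallet(hard, wallet)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the vulnerable handler the three headphones cost 0.03 in total and the order clears a wallet holding only 5.00; with the hardened handler the same request is priced at 179.97 from the catalog and the wallet payment is refused. The point of the hardened version is not input sanitization in the usual sense: the price field is simply not part of the server's contract, so there is nothing to sanitize. Quantity is the only numeric value the client legitimately controls, and it is bounded against both a business limit and the stock on hand.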

This is a rather simplistic example; real applications become very complex as the project grows over time.
