Day 22: Mastering Business Logic Flaws Vulnerability — Essential Tricks & Techniques Based on Personal Experience and Valuable POCs
[In collaboration with Sunil Kumawat (his LinkedIn | Twitter)]
Hey geeks, Abhijeet (Twitter) here with one more write-up on tricks & tips to detect Business Logic Flaws Vulnerability.
What are Business Logic Flaws?
Business Logic Flaws are vulnerabilities arising from incorrect implementation or assumptions in an application’s business processes. They enable attackers to manipulate legitimate functionality to achieve malicious goals, such as bypassing security measures, manipulating transactions, or gaining unauthorized access.

Why Do They Occur?
These flaws often result from failing to consider how unusual application states or user actions can lead to unexpected behaviors. They are usually unique to the specific application’s logic and are not easily detected by automated scanners.

Authentication and Authorization Flows: Look for flaws in login, registration, and role-based access control mechanisms.
Financial and Transactional Workflows: Check for inconsistencies in the handling of payments, refunds, or transfers.
Account and Session Management: Assess the security of functionalities like account creation, deletion, password resets, and session handling.
Data Input Validation: Inspect areas where input data can be manipulated, such as forms, queries, and user-controlled parameters.

Manual Review of Business Processes: Review the application’s workflows to understand the business rules and identify potential logic flaws.
Tampering and Fuzzing: Use tools like Burp Suite to manipulate inputs and observe application behavior.
Analyzing Edge Cases: Test with edge cases like unusually high or low values, missing mandatory fields, or unexpected input formats.
Behavioral Analysis: Examine whether the application behaves differently when inputs are provided in unexpected sequences or formats.

Basic Payloads: Test with missing or malformed parameters (e.g., omitting required fields). Use negative or boundary values (e.g., -1000 for a price field).
Advanced Payloads: Inject payloads that exploit business logic, such as manipulating order totals or applying invalid discounts. Use chained payloads to combine multiple logic flaws (e.g., changing roles without proper checks).

Exploit Weak Validation: Bypass client-side controls by directly manipulating server-side parameters.
Attack Through Unintended Workflows: Perform actions in an unintended sequence to bypass checks (e.g., bypassing 2FA by skipping intermediate steps).
Leverage Inconsistent Handling of Data:
Manipulate data in a way that exploits inconsistent handling by different parts of the application.

A. Description: This example shows how an application truncates long email addresses improperly, allowing an attacker to manipulate the registration process to gain unauthorized access. By registering with a long email that gets truncated to a domain with higher privileges, the attacker is mistakenly assigned elevated privileges.
B. Steps to Reproduce:
1. Register a New Account: Use a web browser or intercepting tool (e.g., Burp Suite) to navigate to the registration page. Enter a deliberately long email address (e.g., attackervictimemailaddress+randomstring@dontwannacry.com.ac9a1f1f1e15a857801bf5e2013f00e5.web-security-academy.net).
2. Observe Email Truncation: After registration, check if the email address is truncated (e.g., only the first 256 characters are kept). If successful, the system will treat the email address as attackervictimemailaddress+randomstring@dontwannacry.com, which has unintended admin privileges.
3. Exploit Elevated Privileges: Log in using the truncated email (attackervictimemailaddress+randomstring@dontwannacry.com) and the password created during registration. Access the admin panel or restricted resources granted due to incorrect privilege assignment.
C. Impact:
Unauthorized access to sensitive or administrative sections of the application. This could lead to full control over the application, access to all user data, or changes to critical business functions.

A. Description: In this POC, the attacker manipulates the payment workflow to purchase items without paying by exploiting flaws in the order confirmation logic.
B. Steps to Reproduce:
1. Add Expensive Item to Cart: Add a high-value item (e.g., a $1,000 product) to the cart.
2. Capture Order Confirmation Request: Proceed to checkout and use an intercepting proxy tool like Burp Suite. Capture the request at the order confirmation step, which looks like:

    GET /cart/order-confirmation?order-confirmed=true HTTP/1.1
    Host: example.com
    Cookie: session=xyz

3. Manipulate Order Details: Change the order-confirmed parameter to true without actually completing the payment. Replay the modified request using Burp Suite’s Repeater tool. Check the response to confirm if the order was completed successfully without payment.
4. Verify Order Completion: Log in to the application and check the order history or the receipt of the expensive item in the order summary.
C. Impact:
Financial losses to the business due to unauthorized purchases or fraudulent transactions. Repeated exploitation could severely impact revenue and reputation.

A. Description: This example exploits a flaw in the two-factor authentication (2FA) process by directly accessing protected endpoints, bypassing the verification step.
B. Steps to Reproduce:
1. Log in with Valid Credentials: Use valid credentials for a non-admin user (e.g., username: john and password: mypassword).
2. Capture the 2FA Prompt: Intercept the request when prompted to enter a 2FA code using Burp Suite. Note the URL for the 2FA verification step (e.g., https://example.com/2fa).
3. Bypass 2FA Prompt: Directly modify the URL in the browser to access a restricted endpoint (e.g., https://example.com/my-account). If successful, you will be redirected to the user account page without completing the 2FA verification.
4. Alternative Bypass Using cURL: Alternatively, use cURL to directly access the endpoint:

    curl -X GET "https://example.com/my-account" -H "Cookie: session=your-session-id"

Observe that you have bypassed the 2FA check and accessed protected resources.
C. Impact:
Unauthorized access to user accounts without requiring 2FA, leading to potential account takeovers, data breaches, and unauthorized actions.

Mitigation Strategies:
Implement comprehensive input validation, particularly on server-side processes.
Regularly review and test business workflows for potential logic flaws.
Ensure that business rules and checks are consistently applied throughout the application.

Final Thoughts:
Business Logic Flaws can have severe implications for application security and business operations. Regular testing, coupled with a deep understanding of business processes, is essential to prevent such vulnerabilities (PortSwigger Security, PortSwigger Security, Brightsec, Infinite Logins, HackerOne).

…………………………………………………………………………………………………
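Worked example for the first POC above (email truncation). This is added illustration code, not code from the original post or from PortSwigger: it places the flawed registration flow (truncate first, derive the role from whatever domain survives) beside a hardened one that rejects over-length input and grants a domain-based role only after verification. The 256-character cutoff and the dontwannacry.com domain come from the POC; the regex, the Account class, the role names and the regression input are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Limit taken from the POC's description of the flaw (first 256 characters kept).
MAX_EMAIL_LEN = 256
# Domain taken from the POC's example; any domain mapped to elevated rights would do.
PRIVILEGED_DOMAIN = "dontwannacry.com"
# Deliberately permissive shape check; full RFC 5322 validation is out of scope here.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Account:
    email: str
    role: str


def register_vulnerable(email: str) -> Account:
    """The flawed flow from the POC: the address is silently cut to the column
    width (think VARCHAR(256)) and the role is derived from whatever domain
    survives the cut."""
    stored = email[:MAX_EMAIL_LEN]
    domain = stored.rsplit("@", 1)[-1].lower()
    role = "admin" if domain == PRIVILEGED_DOMAIN else "user"
    return Account(email=stored, role=role)


def register_hardened(email: str) -> Account:
    """Hardened flow: enforce length and shape on the server and reject instead of
    truncating, so the stored value is always exactly what the user submitted."""
    if len(email) > MAX_EMAIL_LEN:
        raise ValueError("email exceeds maximum length")
    if not EMAIL_RE.match(email):
        raise ValueError("email has invalid format")
    # Assumption: nobody gets a privileged role at registration time; promotion
    # happens in grant_domain_role() only after the address has been verified.
    return Account(email=email, role="user")


def grant_domain_role(account: Account, verified: bool) -> Account:
    """Promote only a verified account, deriving the domain from the stored
    (never truncated) address."""
    if verified and account.email.rsplit("@", 1)[1].lower() == PRIVILEGED_DOMAIN:
        account.role = "admin"
    return account


def truncation_test_email() -> str:
    """Constructed regression input shaped like the POC's: local-part@privileged
    domain fills exactly MAX_EMAIL_LEN characters, followed by a suffix that a
    correct implementation must see and a truncating one loses."""
    local_len = MAX_EMAIL_LEN - 1 - len(PRIVILEGED_DOMAIN)
    return "a" * local_len + "@" + PRIVILEGED_DOMAIN + ".attacker-controlled.example"


def hardened_rejects(email: str) -> bool:
    """True when the hardened registration refuses the address."""
    try:
        register_hardened(email)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = truncation_test_email()
    print("vulnerable role:", register_vulnerable(probe).role)  # admin
    print("hardened rejects:", hardened_rejects(probe))         # True
```

The point of the hardened version is not the regex but the ordering: the length check runs before anything is stored, and no code path ever shortens the value, so the domain used for authorization is the same string that was validated and verified.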
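Worked example for the second POC above (order confirmation without payment). This is added illustration code, not code from the original post or from PortSwigger: it replays the captured request line from the POC against a confirmation endpoint that trusts the client's order-confirmed flag, and against a hardened one that ignores client parameters and only honours a payment state recorded server-side by the payment provider's callback. The OrderService class, the order states, the order id and the $1,000 amount in cents are assumptions for the demo.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


class OrderState(Enum):
    CREATED = "created"      # checkout started, nothing paid yet
    PAID = "paid"            # payment provider confirmed the capture server-side
    CONFIRMED = "confirmed"  # released to fulfilment


@dataclass
class Order:
    order_id: str
    total_cents: int
    state: OrderState = OrderState.CREATED
    payment_ref: Optional[str] = None


def parse_query(request_line: str) -> Dict[str, str]:
    """Extract the query parameters from an HTTP request line such as the one
    captured in the POC ('GET /cart/order-confirmation?order-confirmed=true HTTP/1.1')."""
    target = request_line.split(" ")[1]
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


class OrderService:
    def __init__(self) -> None:
        self._orders: Dict[str, Order] = {}

    def create(self, order_id: str, total_cents: int) -> Order:
        order = Order(order_id, total_cents)
        self._orders[order_id] = order
        return order

    def record_payment(self, order_id: str, payment_ref: str, captured_cents: int) -> None:
        """Assumed to be called only from the payment provider's server-to-server
        callback, never from a browser request; it is the sole path into PAID."""
        order = self._orders[order_id]
        if order.state is not OrderState.CREATED:
            raise PermissionError("payment already recorded for this order")
        if captured_cents != order.total_cents:
            raise ValueError("captured amount does not match the order total")
        order.payment_ref = payment_ref
        order.state = OrderState.PAID

    def confirm_vulnerable(self, order_id: str, query: Dict[str, str]) -> OrderState:
        """The flawed endpoint from the POC: a client-supplied flag is the only check."""
        order = self._orders[order_id]
        if query.get("order-confirmed") == "true":
            order.state = OrderState.CONFIRMED
        return order.state

    def confirm_hardened(self, order_id: str, query: Dict[str, str]) -> OrderState:
        """Hardened endpoint: client parameters are ignored entirely; the transition
        is allowed only from the server-recorded PAID state."""
        order = self._orders[order_id]
        if order.state is not OrderState.PAID:
            raise PermissionError(
                f"order {order_id} is '{order.state.value}', refusing confirmation"
            )
        order.state = OrderState.CONFIRMED
        return order.state


def demo() -> Dict[str, str]:
    """Replay the POC's request against both endpoints and report the outcomes."""
    query = parse_query("GET /cart/order-confirmation?order-confirmed=true HTTP/1.1")
    results: Dict[str, str] = {}

    vuln = OrderService()
    vuln.create("ORD-1", 100_000)  # constructed $1,000 order, in cents
    results["vulnerable_unpaid"] = vuln.confirm_vulnerable("ORD-1", query).value

    hard = OrderService()
    hard.create("ORD-1", 100_000)
    try:
        hard.confirm_hardened("ORD-1", query)
        results["hardened_unpaid"] = "confirmed"
    except PermissionError:
        results["hardened_unpaid"] = "rejected"

    # Only after the provider callback records a matching capture does it go through.
    hard.record_payment("ORD-1", "pay_constructed_123", 100_000)
    results["hardened_paid"] = hard.confirm_hardened("ORD-1", query).value
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened endpoint never reads the query string at all, which is the general rule for this class of flaw: the state of a workflow lives on the server, and a request can only ask to advance it, never assert where it is. The amount check in record_payment closes the related case where a capture for a smaller sum is accepted as payment in full.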
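Worked example for the third POC above (2FA bypass by direct endpoint access). This is added illustration code, not code from the original post or from PortSwigger: it models the login flow as a server-side session with two flags, one per factor, and shows a request gate that only checks the first factor (so a direct request to /my-account, whether from the browser or the cURL command in the POC, gets through) beside a hardened gate that requires both. The username and password come from the POC; the App class, the session ids, the placeholder 2FA code and the path list are assumptions for the demo.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

Response = Tuple[int, str]  # (status code, redirect target or body)

# Paths that require a fully authenticated session; everything else is public
# or part of the login flow itself (/login, /2fa).
PROTECTED_PREFIXES = ("/my-account", "/admin")


@dataclass
class Session:
    user: str
    password_ok: bool = False  # first factor passed
    mfa_ok: bool = False       # second factor passed


class App:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        # Constructed credential store for the demo (the POC's john/mypassword);
        # a real application stores password hashes and per-user TOTP secrets.
        self._passwords = {"john": "mypassword"}
        self._expected_code = {"john": "123456"}  # placeholder 2FA code

    def login(self, session_id: str, username: str, password: str) -> Response:
        expected = self._passwords.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return 401, "bad credentials"
        # First factor only: the session is explicitly NOT fully authenticated yet.
        self.sessions[session_id] = Session(user=username, password_ok=True, mfa_ok=False)
        return 302, "/2fa"

    def verify_2fa(self, session_id: str, code: str) -> Response:
        s = self.sessions.get(session_id)
        if s is None or not s.password_ok:
            return 302, "/login"
        if not hmac.compare_digest(self._expected_code[s.user].encode(), code.encode()):
            return 401, "bad code"
        s.mfa_ok = True
        return 302, "/my-account"

    def handle_vulnerable(self, session_id: str, path: str) -> Response:
        """The flawed gate from the POC: passing the password check is enough, so
        skipping the /2fa step and requesting /my-account directly succeeds."""
        s = self.sessions.get(session_id)
        if path.startswith(PROTECTED_PREFIXES):
            if s is None or not s.password_ok:
                return 302, "/login"
            return 200, f"{path} for {s.user}"
        return 200, path

    def handle_hardened(self, session_id: str, path: str) -> Response:
        """Hardened gate: a protected path requires both factors on the server-side
        session, regardless of how the request arrived (browser, cURL, replay)."""
        s = self.sessions.get(session_id)
        if path.startswith(PROTECTED_PREFIXES):
            if s is None or not s.password_ok:
                return 302, "/login"
            if not s.mfa_ok:
                return 302, "/2fa"
            return 200, f"{path} for {s.user}"
        return 200, path


if __name__ == "__main__":
    app = App()
    print(app.login("sess1", "john", "mypassword"))          # (302, '/2fa')
    print(app.handle_vulnerable("sess1", "/my-account"))     # 200: 2FA skipped
    print(app.handle_hardened("sess1", "/my-account"))       # (302, '/2fa')
    print(app.verify_2fa("sess1", "123456"))                 # (302, '/my-account')
    print(app.handle_hardened("sess1", "/my-account"))       # 200 only now
```

The check lives in one gate that every protected path passes through, rather than in the /2fa handler or the page that follows it, which is what makes the order of requests irrelevant: whatever URL is requested, the session either carries mfa_ok or it does not.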
Thank you for reading the blog!!!
You can also follow me on Twitter & LinkedIn for more write-ups
Follow & subscribe for daily write-up updates via mail on Medium
Stay tuned for Day 23, where we’ll dive into another vulnerability!
…………………………………………………………………………………………………