Insufficient Workflow Validation


Ryan G. Cox - The Cybersec Cafe

Another day, another Lab Walkthrough at the Cybersec Cafe. Today, I’ll be writing about my methodology as I figure out a Business Logic Vulnerability. These writeups are from a controlled environment and explain my methodology in order to help you learn how to test applications yourself.

Buy a Leather Jacket from the shop.

A business logic vulnerability is a flaw in the design or implementation of an application that allows attackers to manipulate the intended flow of different processes. These vulnerabilities exploit the logical processes of the application, leading to unauthorized actions or access, often bypassing security controls.

If you want to be the first to see these articles, consider subscribing to the Cybersec Cafe on Substack for free. I post content there first, and here second.

My goal is to deliver you value in various cybersecurity topics and to become your ultimate destination for expanding your expertise or for any aspiring cybersecurity professionals to break into the field.

Want to give the lab a try yourself and follow along? You can check it out on PortSwigger’s website here for free.

As soon as we open the app, we can see that there is a functional shopping app in front of us for once.

We have the ability to add items to a cart, view the cart, and place an order.

We can also log in to an account with the default credentials. Inside, we can see that we have a balance of $100 and the ability to change the email of the account.

Our target item is the Lightweight “l33t” Leather Jacket, which appears to be outside of our price range with a price of $1337.00.

So, it looks like our goal here will be to trick the application into thinking we’re buying something else, but we’re actually buying the jacket.

Let’s take a look through the SiteMap for anything suspicious:

It’s already lighting up like a Christmas tree!

But, we already know this is a business logic vuln — meaning we won’t necessarily have to use our technical abilities here, but rather our minds to decipher how the application flow is functioning.

But, as we always do anyways, let’s kick off an active scan on interesting endpoints, such as the cart and items, just in case it finds something that we missed while we move on to manual testing.

In order to fully understand the application, we should first purchase an item in our price range so we can see the workflow from end to end.

After adding to the cart, let’s click Place Order to see if anything interesting happens.

Nothing that stands out right away in the UI.

But we shouldn’t have been expecting anything out of the ordinary anyways.

Let’s go to the important part — the Proxy HTTP History and check each step in the workflow.

A request stands out to me immediately:

The order confirmation.

It looks like that when the value in this request is set to true, the application treats whatever is in the cart as a confirmed order…

I have an idea!

After purchasing our last item, we now only have $72.11 in store credit — well below the $1337 needed to purchase the Leather Jacket.

But, I think we can trick the store logic.

Let’s add the Leather Jacket back to the cart.

We can place the order again and see that we’re denied — Not enough store credits.

Well, what if we utilize the order confirmation request from before?

We can send it over to the Repeater and replay it.

If all goes right, this should confirm the items in our cart…

It looks like the application doesn’t sufficiently verify the Place Order workflow: the confirmation step trusts the client’s flag instead of re-checking the balance against the current cart. Bingo, lab solved!
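To make the flaw concrete from the defender's side, here is an added example (not code from the lab or from PortSwigger) modelling the two-step checkout: a confirmation handler that trusts a client-supplied "confirmed" flag beside one that re-validates the current cart server-side. The catalogue, prices and the `checkout_ok` step marker are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed sample catalogue (prices are illustrative, not the lab's data).
CATALOGUE = {"jacket": 1337.00, "mug": 27.89}


@dataclass
class Account:
    balance: float
    cart: dict = field(default_factory=dict)     # item name -> quantity
    checkout_ok: bool = False                    # server-side record that "Place Order" passed
    orders: list = field(default_factory=list)

    def cart_total(self) -> float:
        return round(sum(CATALOGUE[i] * q for i, q in self.cart.items()), 2)


def place_order(acct: Account) -> bool:
    """Step 1: the balance check performed when the user clicks Place Order."""
    if acct.cart_total() > acct.balance:
        acct.checkout_ok = False                 # "Not enough store credit"
        return False
    acct.checkout_ok = True
    return True


def _complete(acct: Account) -> None:
    acct.orders.append(dict(acct.cart))
    acct.balance = round(acct.balance - acct.cart_total(), 2)
    acct.cart.clear()


def confirm_insecure(acct: Account, order_confirmed: bool) -> bool:
    """Vulnerable step 2: trusts the client's flag and never re-checks the balance,
    so a replayed confirmation completes whatever is in the cart *now*."""
    if not order_confirmed:
        return False
    _complete(acct)
    return True


def confirm_secure(acct: Account, order_confirmed: bool) -> bool:
    """Hardened step 2: the client flag is ignored; the server requires that
    step 1 passed and re-validates the current cart against the balance."""
    if not acct.checkout_ok or acct.cart_total() > acct.balance:
        return False
    _complete(acct)
    acct.checkout_ok = False                     # one-shot: a replay needs a fresh Place Order
    return True
```

The hardened version also clears the step marker after use, so the captured confirmation cannot be replayed against a later, more expensive cart.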

Business Logic vulns are not only fun, but more accessible to hunt for because you don’t need to be extremely technical. Instead, you have to be creative and gain a deeper understanding of the application in front of you. When hunting, remember to work with what you have, explore different angles, and try to understand how the system is working.

Remember: The Cybersec Café gets articles first. Subscribe for free here.

Interested in getting into Cybersecurity? I have a course called the Security Sip. The curriculum is designed to help you build skills progressively over 12 sections, 85 modules, and 155 exercises. With rapidly evolving threats and technologies widening the skill gap, it’s time to secure your future in cybersecurity. Available Now!

Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X. Can’t wait to keep sharing and learning together!
