Exploiting Business Logic Vulnerability

With a real-world example:

Business Logic Vulnerabilities:

Business logic vulnerabilities need manual intervention, as no tool can detect them; they vary from application to application and can be very hazardous. We have to understand the application's logic, functionality, implementation, and business requirements. Whenever we intercept a request, we manipulate specific parameters in it (or the order of requests) to test for business logic vulnerabilities.

Some common examples of business logic vulnerabilities:

· Manipulating the product price in the request so that products can be purchased for less during online shopping.

· Manipulating user-supplied input (an excessively large quantity or a negative quantity) that is not checked on the server side.

· Manipulating the intended flow (for example, 2FA).

It is an application vulnerability arising from a gap in the defenses, and every developer has a different mindset when implementing logic.

In online shopping, a user adds a single unit of a costly product and a negative quantity of another product, which brings the cart total down to 1 or 2 bucks; as a result, they can purchase the costly item at a very low price.

Business logic:

The basic rules by which the application works. They can be anything the application requires. So to exploit these vulnerabilities, an attacker has to learn the application's logic.

Example:

Some applications do not perform validation on the server side, so a malicious user can manipulate or bypass the client-side validations.

For instance, an online shopping application may not check which product you are purchasing from the browser or how much you are paying for it.

For example, for product 3 I have to pay $13; if I manipulate the price in the request, it gets accepted and I can easily buy that product at a much lower price.
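The following is an added example, not code from the original post or from the application it describes. It places a checkout handler that trusts the client-supplied price and quantity next to one that validates on the server side, covering both the price-tampering case above and the negative-quantity cart from the earlier section. The catalogue (with product 3 at $13, matching the post), the per-line quantity limit and the request bodies are all constructed for the illustration.

```python
"""Added example, not from the original post: a checkout that trusts the
client-supplied price and quantity beside a server-validated version.
Catalogue, prices, limits and request bodies are constructed."""

# Constructed server-side catalogue: product id -> unit price in dollars.
# product3 at $13 mirrors the price quoted in the post.
CATALOGUE = {"product1": 25, "product2": 40, "product3": 13}

MAX_QUANTITY = 10  # assumed per-line quantity limit for this example


class InvalidOrder(ValueError):
    """Raised by the hardened checkout when a line item fails validation."""


def checkout_vulnerable(items):
    """Totals the cart from whatever the client sent.

    Both 'price' and 'quantity' are taken straight from the request body,
    so a tampered price or a negative quantity directly changes the amount
    charged; this is the flaw the post describes.
    """
    return sum(item["price"] * item["quantity"] for item in items)


def checkout_hardened(items):
    """Totals the cart using only server-side data.

    The client-supplied 'price' is ignored entirely: the unit price comes
    from the catalogue, and each quantity must be a positive integer within
    the allowed range. Any violation rejects the whole order.
    """
    if not items:
        raise InvalidOrder("empty cart")
    total = 0
    for item in items:
        product_id = item.get("product_id")
        if product_id not in CATALOGUE:
            raise InvalidOrder(f"unknown product {product_id!r}")
        quantity = item.get("quantity")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(quantity, bool) or not isinstance(quantity, int):
            raise InvalidOrder("quantity must be an integer")
        if not 1 <= quantity <= MAX_QUANTITY:
            raise InvalidOrder(f"quantity {quantity} out of range 1..{MAX_QUANTITY}")
        total += CATALOGUE[product_id] * quantity
    return total


def hardened_rejects(items):
    """True if the hardened checkout refuses the order (used in the demo)."""
    try:
        checkout_hardened(items)
    except InvalidOrder:
        return True
    return False


# Constructed request bodies as a tampering client might send them.
# 1) Price tampering: product3 really costs $13, the client claims $1.
TAMPERED_PRICE = [{"product_id": "product3", "price": 1, "quantity": 1}]

# 2) Negative quantity: one unit of a costly product plus a negative
#    quantity of another, so the client-computed "total" collapses to $1.
NEGATIVE_QUANTITY = [
    {"product_id": "product2", "price": 40, "quantity": 1},
    {"product_id": "product3", "price": 13, "quantity": -3},
]


if __name__ == "__main__":
    for name, cart in [("tampered price", TAMPERED_PRICE),
                       ("negative quantity", NEGATIVE_QUANTITY)]:
        print(f"{name}: vulnerable total = ${checkout_vulnerable(cart)}")
        if hardened_rejects(cart):
            print(f"{name}: hardened checkout rejected the order")
        else:
            print(f"{name}: hardened total = ${checkout_hardened(cart)}")
```

The design point is that the server never reads a price from the request at all; the only client-controlled inputs are the product id and the quantity, and both are checked against server-side rules before anything is charged.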

So the impact and scope of business logic vulnerabilities are very vast and depend on multiple factors. Security researchers can earn a good amount of bounty on the basis of this class of vulnerability.

— — — — — — — — — — — — — — — — — — — — — — — — -

Working/Exploitation:

The application uses role-based authentication. We have to bypass this in order to get access to the admin panel.

The flow of the application is: first we log in, then we select one of the roles offered by the application.

According to the application, the role you select sets your authorization, and the available roles do not include admin.

Initially, the application tree looks like this:

So we need to find the admin panel or the pages an admin can visit after login. To do that I started content discovery using Burp Suite: right-click on the application tree, select Engagement tools, and then Content discovery.

After the content discovery, we can see that I found a page and a directory named “admin”.

Now I directly try to access the admin endpoint, and I get this error.

Now I intercepted the login request to check the login sequence.

In the first request, the credentials travel along with the CSRF token.

After forwarding the same request:

We got the next request, which is used to set your authorization according to the role you select.

If I forward the above request, it asks me to select a role.

And then I stopped the request from loading (dropped the request in Burp).

And now let's try to visit the admin endpoint, since we don’t have any role right now.

For the admin endpoint:

So simply dropping a request gave us access to the admin account.
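Below is an added example, not the application's code or the post's own. It models the login, select-role, admin-panel flow in plain Python. The vulnerable admin check is written as a denylist of the selectable roles, which reproduces the behaviour observed above (a session that never completed role selection has no role, is not on the list, and gets through); the hardened check is an allowlist with default deny that also requires the role step to have completed. Role names, the credential store and the status codes are constructed for the illustration.

```python
"""Added example, not from the original post: login -> select-role ->
admin-panel flow with a denylist-style check beside an allowlist check.
Role names, credentials and status codes are constructed."""

from dataclasses import dataclass
from typing import Optional

# Constructed roles offered after login; 'admin' is deliberately absent,
# as in the post.
SELECTABLE_ROLES = {"user", "guest"}

# Constructed credential store for the demo only (a real application would
# store password hashes, not plaintext).
USERS = {"alice": "correct-horse"}


@dataclass
class Session:
    authenticated: bool = False
    role: Optional[str] = None  # None means the role step never completed


def login(session, username, password):
    """Step 1 of the flow: authenticate, but grant no role yet."""
    if USERS.get(username) != password:
        return False
    session.authenticated = True
    session.role = None
    return True


def select_role(session, role):
    """Step 2: the request that was dropped in Burp."""
    if not session.authenticated or role not in SELECTABLE_ROLES:
        return False
    session.role = role
    return True


def admin_panel_vulnerable(session):
    """Denylist check: blocks sessions whose role is a known non-admin role.

    A session that skipped step 2 has role None, which is not on the list,
    so the check falls through to 200.
    """
    if session.role in SELECTABLE_ROLES:
        return 403
    return 200


def admin_panel_hardened(session):
    """Allowlist check with default deny.

    The session must be authenticated, must have completed role selection,
    and the role must be exactly 'admin'. Anything else is refused.
    """
    if not session.authenticated:
        return 401
    if session.role is None or session.role != "admin":
        return 403
    return 200


def run_flow(handler, drop_role_request):
    """Drive the three-step flow and return the admin endpoint's status.

    drop_role_request=True reproduces the post: log in, never send the
    role-selection request, then request the admin endpoint.
    """
    session = Session()
    if not login(session, "alice", "correct-horse"):
        raise RuntimeError("constructed credentials should always log in")
    if not drop_role_request and not select_role(session, "user"):
        raise RuntimeError("role selection unexpectedly failed")
    return handler(session)


if __name__ == "__main__":
    for label, handler in [("vulnerable", admin_panel_vulnerable),
                           ("hardened", admin_panel_hardened)]:
        print(f"{label}: role request dropped  -> {run_flow(handler, True)}")
        print(f"{label}: role request completed -> {run_flow(handler, False)}")
```

The remediation point from the post's final section is visible here: the role lives in server-side session state, the admin route checks for the exact role it requires rather than for the absence of a known-bad one, and an incomplete flow is treated as unauthorized rather than as unrestricted. The same check belongs on every admin route, not only on the page that links to them.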

Remediation

· Test the code repeatedly and check that it matches its base/blueprint, so that loopholes become easy to identify.

· The application must be tested by experts.

· Implement security controls on the server side so they cannot be bypassed.

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg