Before moving further please take a look at my previous blog. you can easily understand what are business logic vulnerabilities and how they pose significant risk to web applications.
Now moving forward and look on another perspective of business logic vulnerability where user inputs are being used for exploitation
What handling user input is essential?
”User input” are those values or actions for which user interactions are needed such as entering any value from the keyboard, clicking on a button and finally submitting those values.
So we understand that users can enter anything or values that belong to any data type but to maintain application logic we have to restrict the user input by prompting the error message.
So before saving or using any inputs entered by the user developer have to make sure that inputs are properly sanitized and validated. Developers can restrict the input values or reduce the attack surface by implementing restrictions on input fields such as only numbers can be entered in a specific field.
Example: Whenever we are doing any online shopping we select any item, and the quantity of it is in numeric value such as 1,2,3. So if we enter more quantity by modifying it through the intercepting proxy the application might behave improperly and may show “Out Of Stock”. So in this case developers have to apply the input validation so the user can’t enter the quantity which is much larger than what the application can take.
What can happen if an unconventional input is being sent?
The developer implemented the restriction that only numeric values or positive integers can only be entered in the quantity value, but hackers can insert the –ve quantities also. As there is no restriction applied on this, hackers can easily bypass server side restrictions and can order the most no of things in less amount. We will see how it happens.
There is an e-com website. There are so many items to purchase but the attacker wants to buy something for a free.
So in the above screenshot you can see that we have added a jacket which costs $1337 but we dont have enough credit to buy it
As at time of initial login application give the $100 credit to every user.
It means that a user can purchase anything under 100$.
Attacker again visited the application and this time intercepted the request which is adding the product to the cart
Intercepted request look like this:
As you can see that this request has a parameter quantity lets modify it to a negative quantity .
The value of the negative product has been accepted and the cart value was set to negative.
This time let’s try to buy something by adding some negative quantities and some positive just to balance the cart value.
So we have added negative quantities in the cart.
Now to balance the cart I have added 1 jacket and 62 different items
So if you multiply 40.95*31 it will be -1269.45 and a jacket costs +1337 so the total cart value will be 67.55
Let see what happens when it is added into the cart. Cart look like this
The total cart value after balancing the products looks like this
Since we have a store credit of $100 already we can buy this product easily click on place order and that’s done
We got the order confirmation from the application.
Attackers purchased his desired stuff by manipulating the business logic of the application. Attacker can pass the negative value of the products so the total cart value goes down and the can buy things for very low price
- Always make sure to filter or sanitize the user input before using them.
- 2. keep in mind that if you find one form on the target website that fails to safely handle unconventional input, it’s likely that other forms will have the same issues.