Business logic vulnerabilities are flaws in the design, implementation and conceptual model of an application that allow an attacker to provoke unintended behaviour. The term 'business logic' refers to the set of rules that define how the web application works and behaves.
Whenever we hear the term 'web application vulnerabilities' we tend to think of the OWASP Top 10 or other well-known flaw classes, often ignoring the impact of logic vulnerabilities.
The reason is that logic flaws are invisible to people who aren't explicitly looking for them. An attacker, however, may be able to exploit one simply by interacting with the application in a way the developers did not anticipate.
So this brings us to the question of why these flaws arise in the first place.
These flaws often arise from loopholes in the design and development process. Wrong assumptions about how end users will interact with the application lead to inadequate validation of user input. For instance, if the developer relies on the fact that users will only submit data through the web browser, the result is weak client-side input validation, which can be easily bypassed with an intercepting web proxy (such as Burp Suite).
The impact of such a vulnerability is highly variable and at times severe. It depends mostly on what the flawed functionality lets the user manipulate; in some cases the vulnerability itself poses no major threat but serves as the initial foothold for a higher-severity attack.
The type of impact is directly related to the functionality in which the flaw lies: a flaw in the authentication module undermines the security of the entire web application, while flawed logic in financial transaction handling can lead to massive losses of funds.
Now let's take a deeper look at the types of logic vulnerabilities.
As discussed above, these flaws are relative to the specific context in which they occur. In this section we will look at some of the major mistakes made by design and development teams and understand how they affect businesses.
1. Excessive trust in client-side controls
Fundamentally, developers assume that users will interact with the application only in the intended way through the browser, ignoring the fact that any request from the client side can be altered before it reaches the server. Attackers typically use an intercepting proxy such as Burp to tamper with the data after it has left the browser, defeating whatever client-side validation the developers rely on. Client-side checks improve usability, but only validation performed on the server can be trusted.
Let's understand this with an example:
Suppose a user plans to buy a pair of jeans from a well-known e-commerce website, with a price tag of 'X'. After adding the item to the cart, the user routes the request through an intercepting proxy rather than sending it straight to the server and tampers with the price in the 'POST /cart' request. If the server trusts the price parameter, simply supplying an arbitrary value and forwarding the request overwrites the original price with the value chosen by the end user, compromising both the integrity and the functionality of the web application.
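The following is an added example, not code from the original article, that simulates the 'POST /cart' flaw above without a web framework. The catalogue, the product ID 'JEANS-001', the request bodies and the handler names `handle_cart_post_vulnerable` / `handle_cart_post_fixed` are all constructed for illustration. The vulnerable handler takes the unit price from the request (the way a hidden form field would be trusted); the fixed handler takes only a product identifier and quantity from the client and looks the price up server-side.

```python
# Added example (not from the original article): the "POST /cart" price-tampering flaw
# simulated without a web framework. The catalogue, product ID, request bodies and
# handler names below are constructed for illustration.
from decimal import Decimal

# Server-side source of truth for prices and stock (constructed catalogue).
CATALOGUE = {
    "JEANS-001": {"name": "Slim-fit jeans", "price": Decimal("59.99"), "stock": 10},
}


def handle_cart_post_vulnerable(cart, form):
    """Trusts the 'price' field sent by the client. The browser's form carries it as a
    hidden input, so the developer assumed it could not be changed."""
    item = form["productId"]
    qty = int(form["quantity"])
    price = Decimal(form["price"])  # attacker-controlled
    cart.append({"productId": item, "quantity": qty, "unit_price": price})
    return cart


def handle_cart_post_fixed(cart, form):
    """Ignores any client-supplied price. The only inputs taken from the request are the
    product identifier and the quantity, and both are validated against the catalogue."""
    item = form.get("productId")
    if item not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= CATALOGUE[item]["stock"]:
        raise ValueError("quantity out of range")
    cart.append({"productId": item, "quantity": qty,
                 "unit_price": CATALOGUE[item]["price"]})
    return cart


def cart_total(cart):
    return sum(line["quantity"] * line["unit_price"] for line in cart)


# Constructed request body as the browser would send it ...
ORIGINAL_FORM = {"productId": "JEANS-001", "quantity": "1", "price": "59.99"}
# ... and the same body after editing 'price' in an intercepting proxy.
TAMPERED_FORM = {"productId": "JEANS-001", "quantity": "1", "price": "0.01"}


def demo():
    """Return the total each handler would charge for the tampered request."""
    vuln = cart_total(handle_cart_post_vulnerable([], TAMPERED_FORM))
    fixed = cart_total(handle_cart_post_fixed([], TAMPERED_FORM))
    return vuln, fixed


if __name__ == "__main__":
    v, f = demo()
    print(f"vulnerable handler charges {v}, fixed handler charges {f}")
```

The fixed handler also rejects a quantity outside 1..stock, which is the same "unconventional input" problem discussed in the next section: every value that influences money or state is re-derived or re-validated on the server, and the client's copy is treated as a hint at best.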
2. Failing to handle unconventional input
The next type of vulnerability arises when applications are not designed to handle unconventional input from the end user. Most applications are meant to adhere to certain business rules, such as not accepting unrealistic values: in the previous example, if the user tries to order a larger quantity than is in stock, the server should reject the request with an error. If such rules are enforced only by the client, or not at all, the server ends up processing values that no legitimate user would ever submit.
To understand this vulnerability better, let's look at an example:
Imagine two people, 'A' and 'B', where money is to be transferred from A's account to B's account. If proper input validation is not present on the server side, unconventional input such as a negative value creates a major flaw. The application first checks that sufficient funds are present before transferring the money; a negative amount not only passes this check trivially (any balance is greater than a negative number) but also makes the arithmetic run in the wrong direction, so money moves from B's account into A's.
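The transfer flaw described above, as an added example that is not part of the original article. The account balances, the function names `transfer_vulnerable` / `transfer_fixed` / `parse_amount` and the per-transaction limit are constructed assumptions. Amounts are handled as whole units (e.g. cents) as strings from a form, which is where the negative value would actually arrive; the fixed version only accepts an unsigned integer string, so signs, decimals, exponents and whitespace are all rejected before any balance check runs.

```python
# Added example (not from the original article): the negative-amount transfer flaw.
# Balances, function names and the transaction limit are constructed for illustration.
# Amounts are whole units (e.g. cents) submitted as strings, as from a form field.
import re

MAX_TRANSFER = 100_000_00  # hypothetical per-transaction limit, in cents


def transfer_vulnerable(accounts, src, dst, raw_amount):
    """Checks only that the sender holds at least ``amount``. A negative amount passes
    that check trivially and moves money from ``dst`` to ``src`` instead."""
    amount = int(raw_amount)  # int("-4000") == -4000
    if accounts[src] < amount:
        raise ValueError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts


def parse_amount(raw):
    """Accept only an unsigned decimal integer string of sane length.
    Rejects '-4000', '+4000', '4000.50', '1e3', ' 4000', '' and '0'."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("amount must be a positive whole number")
    amount = int(raw)
    if amount == 0:
        raise ValueError("amount must be greater than zero")
    return amount


def transfer_fixed(accounts, src, dst, raw_amount):
    """Validates the amount and the accounts before touching any balance."""
    amount = parse_amount(raw_amount)
    if amount > MAX_TRANSFER:
        raise ValueError("amount exceeds transaction limit")
    if src == dst:
        raise ValueError("cannot transfer to the same account")
    if src not in accounts or dst not in accounts:
        raise ValueError("unknown account")
    if accounts[src] < amount:
        raise ValueError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts


def demo():
    """A holds 100, B holds 5000; A submits a transfer of '-4000' to B."""
    vuln = transfer_vulnerable({"A": 100, "B": 5000}, "A", "B", "-4000")
    try:
        transfer_fixed({"A": 100, "B": 5000}, "A", "B", "-4000")
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return vuln, fixed_rejected


if __name__ == "__main__":
    balances, rejected = demo()
    print("vulnerable:", balances, "| fixed rejected the request:", rejected)
```

With the vulnerable function, A ends up with 4100 and B with 1000: the "sufficient funds" check compared 100 against -4000 and passed. The fixed version never reaches the arithmetic, and the same whitelist-style parser also stops oversized values and the "order more than is in stock" case from the previous paragraph, because the validation is on the shape and range of the value rather than on one specific abuse.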
3. Bypassing two-factor authentication
Many web applications enhance their security by implementing two-factor authentication (2FA) to keep unauthorised users from logging in. However, an improper implementation of 2FA can result in a complete bypass of the login panel.
Many websites that use 2FA require the user to log in on one page before entering the security code on another. Assuming that users will always follow this sequence is dangerous: if the session is treated as logged in after the password step alone, an attacker can use Burp Proxy and Repeater to skip the 2FA page entirely by requesting a post-login page directly. Once the attacker understands the workflow of the application, such as how it maintains and identifies the user session, it is only a matter of time before they gain access to other accounts as well.
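Below is an added example, not code from the original article, that models the two-step login flow as plain functions returning HTTP status codes. The user record, the code '4931', the lock-out threshold and the handler names (`login_vulnerable`, `my_account_fixed`, and so on) are constructed assumptions. In the vulnerable version the password step puts the user into the session, so requesting the account page while ignoring the redirect to the 2FA page succeeds; in the fixed version the session is a small state machine and protected pages demand the 'authenticated' state, which only the 2FA handler can set.

```python
# Added example (not from the original article): a 2FA flow enforced only by page order,
# beside a version where the session records which step has completed. The user record,
# the code, the lock-out threshold and all handler names are constructed for illustration.

USERS = {"carlos": {"password": "hunter2", "mfa_code": "4931"}}  # constructed test data
MAX_MFA_ATTEMPTS = 3  # hypothetical lock-out threshold


def _check_password(username, password):
    user = USERS.get(username)
    return user is not None and user["password"] == password


# --- Vulnerable: the password step alone makes the session "logged in" ---------------
def login_vulnerable(session, username, password):
    if not _check_password(username, password):
        return 401
    session["user"] = username  # fully trusted from here on
    return 302                  # redirect to the 2FA page


def mfa_vulnerable(session, code):
    if session.get("user") and USERS[session["user"]]["mfa_code"] == code:
        return 302
    return 401


def my_account_vulnerable(session):
    # Only checks that a user is in the session; whether 2FA ran is never consulted.
    return 200 if session.get("user") else 302


# --- Fixed: explicit session state; protected pages require "authenticated" ---------
def login_fixed(session, username, password):
    if not _check_password(username, password):
        return 401
    session.clear()                     # drop any state left over from another account
    session["pending_user"] = username  # identity claimed, not yet proven
    session["state"] = "awaiting_mfa"
    return 302


def mfa_fixed(session, code):
    if session.get("state") != "awaiting_mfa":
        return 401
    session["mfa_attempts"] = session.get("mfa_attempts", 0) + 1
    if session["mfa_attempts"] > MAX_MFA_ATTEMPTS:
        session.clear()                 # too many guesses: start over from the password
        return 401
    user = session["pending_user"]
    if USERS[user]["mfa_code"] != code:
        return 401
    session.clear()                     # a real app would also rotate the session ID here
    session["user"] = user
    session["state"] = "authenticated"
    return 302


def my_account_fixed(session):
    return 200 if session.get("state") == "authenticated" else 302


def replay_attack(login, my_account):
    """Attacker: submit the password form, drop the redirect, request /my-account directly."""
    session = {}
    login(session, "carlos", "hunter2")
    return my_account(session)


if __name__ == "__main__":
    print("vulnerable /my-account without 2FA:", replay_attack(login_vulnerable, my_account_vulnerable))
    print("fixed      /my-account without 2FA:", replay_attack(login_fixed, my_account_fixed))
```

The test a pentester runs is exactly `replay_attack`: complete step one, then request a post-login resource while skipping step two. The fix is not a check on the 2FA page itself but on every protected resource, and the state is only advanced by the server after the second factor has been verified.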
There are multiple things to keep in mind when developing web applications. Developers and testers should have a complete understanding of the purpose and workflow of the application, and they should avoid implicit assumptions about user input.
The development team should adhere to best practices to prevent fatal consequences and should account for how the application will behave in multiple scenarios; some of the steps that should be taken are as follows:
These are not the only steps that should be taken to protect an application; many others depend on its functionality. So always keep your eyes open whenever interacting with an application, because you never know when you will stumble upon another flaw.
KEEP ON HUNTING FOR A GOOD CAUSE AND MAKE THE WORLD AND INTERNET A SAFE PLACE TO LIVE
For more of such content follow me on medium here and on LinkedIn