
Business Logic Vulnerabilities or Application Logic Vulnerabilities or simply “logic flaws”

 Business logic vulnerabilities, also known as application logic vulnerabilities, refer to security flaws or weaknesses in the logical flow and processing of an application’s business rules. These vulnerabilities occur when the implemented logic does not adequately address potential threats or when the logic itself is flawed, allowing attackers to exploit the system for malicious purposes.

Logic flaws are often invisible to people who aren’t explicitly looking for them as they typically won’t be exposed by normal use of the application. However, an attacker may be able to exploit behavioral quirks by interacting with the application in ways that developers never intended.

HOW TO CHECK AND EXPLOIT:

2FA broken logic: Excessive trust in client-side controls

This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s account page.

  • Your credentials: wiener:peter
  • Victim’s username: carlos

Let’s log in as wiener.

We receive a 2FA code by email.

So let’s intercept the traffic on the 2FA verification page and change the verify parameter to carlos. Now Carlos will receive the verification code in his email, while our session is still the one being verified.

Now let’s use Burp Intruder to brute-force Carlos’s verification code (the § markers below mark the payload position):

POST /login2 HTTP/2
Host: 0a93005903e63c1880fb765c008300dc.web-security-academy.net
Cookie: session=xGUtUrj5tPy1eQHerllh3FsbVenaw7Sw; verify=carlos
......
mfa-code=§4546§

Now check the status code of each response in the attack: the request that receives a 302 carries the correct code, and that session is logged in as Carlos.
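The root cause of this lab is that the account being verified is read from a client-controlled cookie and the code can be guessed without limit. The following is an added example, not the lab’s or PortSwigger’s code, showing a minimal /login2 handler with that flaw next to a version that takes the pending user from server-side session state, ignores the verify cookie, compares codes in constant time and caps attempts. The in-memory stores, the issue_mfa_code and start_login helpers, and the 3-attempt limit are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the application's database.
MFA_CODES = {}   # username -> 4-digit code the server "emailed" to that user
SESSIONS = {}    # session id -> login state for that session
MAX_ATTEMPTS = 3 # assumed limit on code submissions per login


def issue_mfa_code(username):
    """Hypothetical helper: generate a 4-digit code and record it for username."""
    code = f"{secrets.randbelow(10000):04d}"
    MFA_CODES[username] = code
    return code


def vulnerable_login2(cookies, form):
    """Flawed logic: the account being verified comes from the client's 'verify'
    cookie, and nothing limits how many codes may be tried."""
    username = cookies.get("verify")
    if username in MFA_CODES and form.get("mfa-code") == MFA_CODES[username]:
        return 302, username        # 302 == logged in as that user
    return 200, None


def start_login(username, password_ok):
    """Password stage: the pending user is recorded server-side, never in a cookie."""
    sid = secrets.token_urlsafe(16)
    if password_ok:
        SESSIONS[sid] = {"pending_user": username, "attempts": 0, "user": None}
        issue_mfa_code(username)
    return sid


def hardened_login2(cookies, form):
    """Fixed logic: the user comes from the session created at the password stage,
    any 'verify' cookie is ignored, attempts are capped and the code is single use."""
    session = SESSIONS.get(cookies.get("session"))
    if not session or session["pending_user"] is None:
        return 401, None
    if session["attempts"] >= MAX_ATTEMPTS:
        return 429, None
    session["attempts"] += 1
    username = session["pending_user"]
    expected = MFA_CODES.get(username, "")
    submitted = str(form.get("mfa-code", ""))
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        session["user"] = username
        session["pending_user"] = None
        MFA_CODES.pop(username, None)   # a code is consumed on success
        return 302, username
    return 200, None
```

The hardened handler also returns 401 rather than 200 when there is no pending login, so a session that never passed the password stage cannot even start guessing.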

High-level logic vulnerability:

This lab doesn’t adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price.

In the add-to-cart function, the POST request takes these parameters:

productId=1&redir=PRODUCT&quantity=1

What if we change the quantity to “-1”?

Now let’s target a costly item. With a negative quantity offsetting the total, the Lightweight “l33t” Leather Jacket worth $1337.00 is bought for just $9.80.

This works because the application fails to handle unconventional input: it never checks that the quantity is a positive number before using it in the price calculation.

Inconsistent security controls

Access the admin panel

There is a register section. So let’s register as admin:admin with our email.

Now there is an option to update the email. The register page contains the line “If you work for DontWannaCry, please use your @dontwannacry.com email address”.
So if we change the email to “admin@dontwannacry.com”, we can access the admin portal: the email domain alone is treated as proof of employee status.

Flawed enforcement of business rules

This lab has a logic flaw in its purchasing workflow.
Add an item to the cart and apply a coupon code:

Sign up to the newsletter option at the bottom of the page to get another coupon code:

Apply the codes:

Now apply the first code again, and it works:

This is the flaw: the application checks that a code is valid, but never ensures each code is redeemed at most once per order.
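The two purchasing labs above (the negative quantity and the repeatable coupon) share one cause: the server recomputes nothing and trusts whatever state the client built up. The following is an added example, not the lab’s or PortSwigger’s code, with a toy cart whose add-to-cart and coupon functions mirror the flawed behaviour, beside hardened versions that parse the quantity strictly, enforce a positive bounded range, reject a code already applied to the order (however many other codes were applied in between) and fail closed at checkout. The catalogue, prices, coupon values and the quantity limit are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed catalogue and coupon table (amounts in cents); not the lab's data.
PRICES = {"jacket": 133700, "gift-card": 1000}
COUPONS = {"NEWCUST5": 500, "SIGNUP30": 3000}   # flat discounts in cents
MAX_QTY = 99                                    # assumed per-line limit


@dataclass
class Cart:
    items: dict = field(default_factory=dict)    # product id -> quantity
    coupons: list = field(default_factory=list)  # codes applied, in order


def subtotal(cart):
    return sum(PRICES[p] * q for p, q in cart.items.items())


def discount(cart):
    return sum(COUPONS[c] for c in cart.coupons)


# --- vulnerable logic: mirrors the behaviour the labs above exploit ---------

def vulnerable_add_to_cart(cart, product_id, quantity):
    """Trusts the client's quantity, so -1 subtracts a line's price from the total."""
    cart.items[product_id] = cart.items.get(product_id, 0) + int(quantity)


def vulnerable_apply_coupon(cart, code):
    """Checks only that the code exists, not whether it was already redeemed."""
    if code not in COUPONS:
        raise ValueError("invalid coupon")
    cart.coupons.append(code)


def vulnerable_total(cart):
    return subtotal(cart) - discount(cart)


# --- hardened logic ----------------------------------------------------------

def add_to_cart(cart, product_id, quantity):
    """Parse the quantity strictly and enforce a positive, bounded range."""
    if product_id not in PRICES:
        raise ValueError("unknown product")
    try:
        qty = int(quantity)
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    new_qty = cart.items.get(product_id, 0) + qty
    if not 1 <= qty <= MAX_QTY or new_qty > MAX_QTY:
        raise ValueError("quantity out of range")
    cart.items[product_id] = new_qty


def apply_coupon(cart, code):
    """A code may be redeemed once per order, whatever was applied in between."""
    if code not in COUPONS:
        raise ValueError("invalid coupon")
    if code in cart.coupons:
        raise ValueError("coupon already applied to this order")
    cart.coupons.append(code)


def checkout_total(cart):
    """Recompute the price server-side and fail closed on any forbidden state."""
    if not cart.items:
        raise ValueError("empty cart")
    if any(q < 1 for q in cart.items.values()):
        raise ValueError("invalid line quantity")
    if len(set(cart.coupons)) != len(cart.coupons):
        raise ValueError("duplicate coupon")
    total = subtotal(cart) - discount(cart)
    return max(total, 0)   # discounts may reach zero, never a negative price
```

The checks in checkout_total duplicate those in add_to_cart and apply_coupon on purpose: the final price is computed from stored state, so it is the last place a bad line or a replayed code can be caught before money moves.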

Inconsistent handling of exceptional input

In the email field of the registration form, enter a very long email address.

After registering, log in as that user.

The end of the stored email is cut off, so there is a length limit; count the characters.

The limit is 255 characters.

To log in as a DontWannaCry user, our stored email should end in “@dontwannacry.com”.

So we can supply our email in this format: “<check-my-youtube-channel…..>@dontwannacry.com.exploit-0a2f000804b65564840d2b56012a00ea.exploit-server.net”, where the first part, “<check-my-youtube-channel…..>@dontwannacry.com”, is exactly 255 characters long. The full address still belongs to our exploit server, so the confirmation mail is delivered, but the application truncates what it stores.

Now add the last part:

Now our stored email is <email>@dontwannacry.com, so we are logged in as a DontWannaCry user and can access the admin panel.
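The flaw here is that the address the application verified (the full one, delivered to the exploit server) and the address it stored (the first 255 characters) are different strings, and the domain check runs on the stored one. The following is an added example, not the lab’s or PortSwigger’s code, contrasting a store-then-truncate path with normalisation that validates the complete value before storage and compares the whole domain label. The 255-character limit and the trusted domain come from the lab text; the domain pattern and the constructed test address are assumptions for the example.

```python
import re

MAX_EMAIL_LEN = 255                    # column size from the lab text
TRUSTED_DOMAIN = "dontwannacry.com"    # domain the application trusts
# Assumed conservative hostname pattern: dot-separated labels, alphabetic TLD.
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}")


def vulnerable_store_email(email):
    """Silently truncates to the column size; the stored value is no longer
    the address that was verified by the confirmation mail."""
    return email[:MAX_EMAIL_LEN]


def vulnerable_is_company_user(stored_email):
    """Suffix check on a value that may have been truncated."""
    return stored_email.lower().endswith("@" + TRUSTED_DOMAIN)


def normalize_email(email):
    """Validate the full, untruncated value and reject anything that does not fit."""
    if not isinstance(email, str) or len(email) > MAX_EMAIL_LEN:
        raise ValueError("email too long or not a string")
    if email.count("@") != 1:
        raise ValueError("email must contain exactly one @")
    local, domain = email.split("@")
    domain = domain.lower()           # domains are case-insensitive; keep local part as given
    if not local or not DOMAIN_RE.fullmatch(domain):
        raise ValueError("malformed email")
    return f"{local}@{domain}"


def is_company_user(stored_email):
    """Compare the whole domain label of a normalised address, not a string suffix."""
    parts = stored_email.rsplit("@", 1)
    return len(parts) == 2 and parts[1] == TRUSTED_DOMAIN
```

Whatever the check, it must run on exactly the value that the confirmation link was sent to; the safest ordering is validate, store the normalised value, then send verification to the stored value.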

Weak isolation on dual-use endpoint

There is a section to change the password, so let’s check how the request looks in Burp.

We change the username to “administrator”, remove the “current-password” field, and send the request.

We changed the administrator’s password. The endpoint serves both ordinary users and administrators resetting other accounts, and it makes a flawed assumption about the caller’s privilege level based on their input: the absence of a current password is taken to mean an administrator is making the request.
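As an added example, not the lab’s or PortSwigger’s code, the following shows a dual-use password endpoint with that logic beside the split a defender would want: a self-service handler whose target is always the session’s own user and which always demands the current password, and a separate admin reset whose authorization comes from the caller’s stored role. The in-memory user store, the PBKDF2 parameters and the role names are assumptions for the example.

```python
import hashlib
import hmac
import os

USERS = {}   # username -> {"salt": bytes, "hash": bytes, "role": str}; constructed store


def _derive(password, salt):
    # Assumed parameters for the example; any slow password hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username, password, role=None):
    """Create or update a user; the role is preserved unless given explicitly."""
    role = role or USERS.get(username, {}).get("role", "user")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "role": role}


def check_password(username, password):
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def vulnerable_change_password(form):
    """Dual-use endpoint: the target account is read from the form, and the
    current-password check runs only when the client chose to send the field."""
    username = form.get("username")
    if username not in USERS:
        return 404
    if "current-password" in form and not check_password(username, form["current-password"]):
        return 403
    set_password(username, form["new-password"])
    return 200


def change_own_password(session_user, form):
    """Self-service: the target is the session's user, never a request field,
    and the current password is mandatory."""
    if session_user not in USERS:
        return 401
    current = form.get("current-password")
    if current is None or not check_password(session_user, current):
        return 403
    set_password(session_user, form["new-password"])
    return 200


def admin_reset_password(session_user, target, new_password):
    """Separate endpoint; authorization depends on the caller's stored role."""
    if session_user not in USERS or USERS[session_user]["role"] != "admin":
        return 403
    if target not in USERS:
        return 404
    set_password(target, new_password)
    return 200
```

Keeping the two operations on different routes also makes the privileged one easy to log and alert on: every call to the reset endpoint is an administrative action by definition.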

Insufficient workflow validation

The goal is to buy a costly item at a low price. First select an item we can afford and place an order to see how the workflow behaves.

When the order is placed, we are redirected to:

Now add our costly item to the cart and place the order. Intercept the traffic and change the top section from this:

To this:

And the order is placed without any payment: the confirmation step never checks that the payment step actually completed.

Authentication bypass via flawed state machine

When users log in they are redirected to a “/role-selector” page.

What if we skip this step?

Use Burp to intercept the traffic and drop the request made to “/role-selector”.

Now remove that section from the URL and reload the page to access the admin page. The application treats a session that never selected a role as an administrator, because the login is already considered complete after the password step.
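The last two labs (the skipped payment and the skipped role selection) are the same failure: the server lets the client pick which step of a workflow comes next. As an added example, not the lab’s or PortSwigger’s code, the following models both workflows as explicit server-side state machines. The order can only be confirmed from a PAID state, and the admin page only opens for a session whose login state is complete and whose role is explicitly administrator, so dropping or reordering requests leaves the session stuck rather than escalated. The state names, transition table, role set and handler signatures are assumptions for the example.

```python
from enum import Enum, auto

# --- purchasing workflow -----------------------------------------------------

class OrderState(Enum):
    CART = auto()
    PAYMENT_PENDING = auto()
    PAID = auto()
    CONFIRMED = auto()

# Assumed transition table: every allowed next state, listed explicitly.
ORDER_TRANSITIONS = {
    OrderState.CART: {OrderState.PAYMENT_PENDING},
    OrderState.PAYMENT_PENDING: {OrderState.PAID, OrderState.CART},
    OrderState.PAID: {OrderState.CONFIRMED},
    OrderState.CONFIRMED: set(),
}


class Order:
    def __init__(self, total):
        self.total = total
        self.state = OrderState.CART

    def transition(self, new_state):
        if new_state not in ORDER_TRANSITIONS[self.state]:
            raise PermissionError(f"{self.state.name} -> {new_state.name} is not allowed")
        self.state = new_state

    def start_payment(self):
        self.transition(OrderState.PAYMENT_PENDING)

    def payment_succeeded(self, amount_paid):
        if amount_paid != self.total:
            raise ValueError("payment amount does not match order total")
        self.transition(OrderState.PAID)


def vulnerable_confirm_order(order, query):
    """Confirmation handler that believes a query parameter instead of its records."""
    if query.get("order-confirmed") == "true":
        order.state = OrderState.CONFIRMED
    return order.state


def confirm_order(order):
    """Ignores the request entirely; only a PAID order may be confirmed."""
    order.transition(OrderState.CONFIRMED)
    return order.state


# --- login workflow ----------------------------------------------------------

class LoginState(Enum):
    ANONYMOUS = auto()
    PASSWORD_OK = auto()    # password accepted, role not yet chosen
    AUTHENTICATED = auto()  # role chosen, login complete

ALLOWED_ROLES = {"user", "content-author", "administrator"}   # assumed


class Session:
    def __init__(self):
        self.state = LoginState.ANONYMOUS
        self.user = None
        self.role = None


def password_login(session, user):
    """Password stage (the password check itself is assumed to have passed)."""
    session.user = user
    session.state = LoginState.PASSWORD_OK


def select_role(session, role, permitted_roles):
    """/role-selector: valid only from PASSWORD_OK and only for roles this user holds."""
    if session.state is not LoginState.PASSWORD_OK:
        raise PermissionError("role selection is not the next step")
    if role not in ALLOWED_ROLES or role not in permitted_roles:
        raise PermissionError("role not permitted for this user")
    session.role = role
    session.state = LoginState.AUTHENTICATED


def vulnerable_admin_page(session):
    """Default-allow: a session that never visited /role-selector has role None,
    which is 'not an ordinary user' and therefore gets in."""
    if session.user is None:
        return 401
    if session.role == "user":
        return 403
    return 200


def admin_page(session):
    """Default-deny: the login must be complete and the role exactly administrator."""
    if session.state is not LoginState.AUTHENTICATED:
        return 401
    if session.role != "administrator":
        return 403
    return 200
```

The transition table is the detection hook as well as the control: a rejected transition such as CART -> CONFIRMED is something a legitimate client never produces, so logging it gives a high-signal alert for tampering with the workflow.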
