50 Common Logical Vulnerabilities found in Web Applications

Currently, web application security focuses on secure protocols, cryptography, and detecting and mitigating the vulnerabilities found by commercial or open source automated scanners, for example SQL injection, XSS, CSRF and weak session management. However, vulnerabilities in the business logic of an application, which malicious users can leverage, are often ignored. In this article we describe 50 common logical vulnerabilities found in web applications.
What is a Business Logic Vulnerability?

In software design, every web application can be modelled as a set of use cases and workflows. A workflow or use case is a series of granular interactions between the user and the system. A business logic vulnerability is a security weakness or bug in the functional or design aspect of the application. Because the weakness lies in the function or design rather than in a recognisable signature, it is missed by all existing automated web application scanners. For example, booking a movie ticket involves the following steps:
1. Search for and select a movie.
2. View available seats.
3. Select seats.
4. Select the number of seats to be booked (the same number of seats is blocked for other users for 5 minutes).
5. Fill in credit card details and go to the payment gateway.
6. Receive a success or failure confirmation.
Even in this simple use case there is a significant attack surface of logical vulnerabilities that needs to be tested by penetration testers.
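The seat-blocking step above is where most of the booking logic flaws live, so here is an added example (not the article's code) of a server-side seat hold that enforces the 5-minute expiry, the maximum seats per order and a per-account limit on open holds; the limits and the in-memory store are assumptions for the example.

```python
import time

MAX_SEATS_PER_ORDER = 6         # business rule enforced on the server, not only in browser code
MAX_OPEN_HOLDS_PER_ACCOUNT = 1  # assumed limit that blunts scripted mass blocking of seats
HOLD_SECONDS = 5 * 60           # the 5-minute block from the workflow above

class SeatHolds:
    """In-memory seat blocking for one show; constructed for this example, not the article's code."""

    def __init__(self, seats, clock=time.time):
        self.free = set(seats)
        self.holds = {}  # hold_id -> (account, seats, expires_at)
        self.clock = clock
        self._next_id = 1

    def _expire(self):
        """Release every hold whose 5 minutes have passed."""
        now = self.clock()
        for hid, (_, seats, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                self.free |= seats
                del self.holds[hid]

    def hold(self, account, seats):
        """Block seats for one verified account; returns (hold_id, 'ok') or (None, reason)."""
        self._expire()
        seats = set(seats)
        if not seats or len(seats) > MAX_SEATS_PER_ORDER:
            return None, "seat count outside allowed range"
        open_holds = sum(1 for acct, _, _ in self.holds.values() if acct == account)
        if open_holds >= MAX_OPEN_HOLDS_PER_ACCOUNT:
            return None, "account already has an open hold"
        if not seats <= self.free:
            return None, "seat not available"
        hid = self._next_id
        self._next_id += 1
        self.free -= seats
        self.holds[hid] = (account, seats, self.clock() + HOLD_SECONDS)
        return hid, "ok"

    def confirm(self, hold_id, account):
        """Only the holder can turn an unexpired hold into a booking; sold seats stay out of free."""
        self._expire()
        rec = self.holds.get(hold_id)
        if rec is None or rec[0] != account:
            return False
        del self.holds[hold_id]
        return True
```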
Why are Business Logic Vulnerabilities hard to detect?

Most of the automated scanners currently available in the industry detect vulnerabilities that are recognisable by signatures and well-researched exploitation vectors. By contrast, flaws in an application's logic are harder to characterise; each instance may appear to be a unique one-off occurrence, and they are not usually identified by any automated vulnerability scanner. As a result, they are generally not as well appreciated or understood, and they are therefore of great interest to an attacker. In the following section we present around 50 common business logic vulnerabilities found in web applications. Our objective is to hand a valuable list of logical vulnerabilities to application architects, designers, developers and testers so that business logic vulnerabilities can be mitigated during the design and development phases of the application itself.
50 Common Logical Vulnerabilities in Web Applications

For the sake of simplicity, we have divided the logical vulnerabilities by the application module they affect, e.g. Order Management, Coupons, Payment Gateway Integration, Notification System, etc.

Order Management:
1: Possibility of price manipulation during order placement.
2: Possibility of manipulating the shipping address after order placement.
3: Absence of mobile verification for cash-on-delivery orders.
4: Obtaining cash-back/refunds even after order cancellation.
5: Non-deduction of discounts offered even after order cancellation.

Ticket Booking:
1: Possibility of illegitimate ticket blocking for a certain time using automation techniques.
2: No CSRF protection on the ticket cancellation option.
3: Client-side validation bypass for the maximum seat limit on a single order.
4: Bookings/reservations using fake account information.
5: Usage of burner (disposable) phones for verification.

Coupons:
1: Coupon redemption possible even after order cancellation.
2: Bypass of a coupon's terms and conditions.
3: Bypass of a coupon's validity.
4: Usage of multiple coupons for the same transaction.
5: Predictable coupon codes.
6: Failure to re-compute the coupon value after partial order cancellation.
7: Bypass of a coupon's validity date.
8: Illegitimate usage of coupons with other products.

Payment Gateway Integration:
1: Price modification at the client side with negative values.
2: Price modification at the client side with varying price values.
3: Callback URL manipulation.
4: Checksum bypass.
5: Possibility of price manipulation at run time.

Notification System:
1: Predictable callback API.
2: Unencrypted HTTP APIs for SMS gateways.
3: HTTP calls to gateway vendors can respond with malicious content.
4: Predictable unsubscribe e-mail link.
5: A malicious bounce e-mail (which can be easily forged) can mark e-mail delivery as failed.
6: Deletion of messages containing historical messages with sensitive data.
7: Security of stored passwords for SMS/e-mail gateways.
8: Bugs in the message-delivery state machine; imagine a forged delivery report marking a successfully delivered message as failed.
9: Forging a bounce e-mail to increase the credit limit.
10: Spam e-mails to block e-mail servers.

Bypass Captcha Implementation:
1. Captcha value is bound to the session and not to the parameters that need to be protected.
2. Validation is not performed in the absence of the captcha parameter.
3. Reusable captcha value.
4. Only the length or presence of the captcha parameter is validated, not the actual value.
5. Changing the user agent bypasses captcha validation.
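The Order Management and Payment Gateway Integration items share one root cause: the server trusts a price or a callback it did not compute itself. The following added example (not from the article or any real gateway) recomputes the order total from a server-side catalogue, rejects negative quantities, and accepts a gateway callback only after an HMAC checksum check, an amount/currency match against the recorded order and a state check that defeats replays; the catalogue, order, shared secret and callback field layout are all constructed assumptions.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed sample data, not from the article: the server-side catalogue and the
# order recorded at checkout. The gateway callback format and shared secret are assumed.
CATALOG = {"SKU-1": Decimal("499.00"), "SKU-2": Decimal("1250.00")}
ORDERS = {"ORD-1001": {"amount": Decimal("1749.00"), "currency": "INR", "status": "PENDING"}}
GATEWAY_SECRET = b"constructed-shared-secret"
CALLBACK_FIELDS = ("order_id", "amount", "currency", "status")

def server_side_total(items):
    """Recompute the total from the catalogue; the client-sent price is never used."""
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty <= 0:  # negative or zero quantities would cut the price
            raise ValueError(f"bad quantity for {sku}")
        total += CATALOG[sku] * qty
    return total

def gateway_checksum(fields, secret):
    """HMAC-SHA256 over the callback fields in a fixed order (assumed gateway scheme)."""
    msg = "|".join(str(fields.get(k, "")) for k in CALLBACK_FIELDS).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def process_callback(params):
    """Accept a gateway callback only if checksum, order, amount, currency and state all agree."""
    expected = gateway_checksum(params, GATEWAY_SECRET)
    if not hmac.compare_digest(expected, str(params.get("checksum", ""))):
        return "REJECT: bad checksum"
    order = ORDERS.get(params.get("order_id"))
    if order is None:
        return "REJECT: unknown order"
    if order["status"] != "PENDING":
        return "REJECT: order already finalised"  # a replayed callback cannot flip the state
    if Decimal(params["amount"]) != order["amount"] or params["currency"] != order["currency"]:
        return "REJECT: amount mismatch"  # paid amount must equal what we recorded at checkout
    order["status"] = "PAID" if params["status"] == "SUCCESS" else "FAILED"
    return "OK: " + order["status"]

def signed_callback(order_id, amount, currency, status, secret=GATEWAY_SECRET):
    """Build a callback the way the assumed gateway would, for local testing."""
    fields = {"order_id": order_id, "amount": amount, "currency": currency, "status": status}
    fields["checksum"] = gateway_checksum(fields, secret)
    return fields
```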
Bypass CSRF Protection:
1. Non-validated tokens.
2. Only token length validated.
3. Partial token validation with not enough entropy.
4. Token reuse.
5. Cross-user session token can be used.
6. Weak/predictable tokens.
7. E-mail hash used as token.
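The captcha list above and the CSRF list here describe the same family of mistakes in a challenge check: a value that is predictable, partially compared, reusable, or not tied to the session or parameters it protects. This added example (not from the article) shows one way to avoid all of them: random server-stored CSRF tokens compared in full and in constant time and rotated after use, and captcha records that are single-use and bound to the form fields they protect; the in-memory stores are assumptions standing in for a session table.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for a server-side session table.
CSRF_TOKENS = {}  # session_id -> current token
CAPTCHAS = {}     # captcha_id -> (expected answer, bound form fields)
TOKEN_BYTES = 32  # 256 bits of entropy; never derive the token from an e-mail or user id

def issue_csrf_token(session_id):
    """Fresh random token per session, stored server-side and tied to that session only."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    CSRF_TOKENS[session_id] = token
    return token

def validate_csrf(session_id, submitted):
    """Full-value, constant-time comparison against this session's token; rotate after use."""
    expected = CSRF_TOKENS.get(session_id)
    if expected is None or not isinstance(submitted, str):
        return False  # missing token or missing session is a failure, not a skip
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False  # every byte is compared, never just the length or a prefix
    issue_csrf_token(session_id)  # a leaked or replayed token is useless after one use
    return True

def issue_captcha(answer, protected_fields):
    """Bind the challenge to the parameters it protects, e.g. the username being registered."""
    cid = secrets.token_hex(8)
    CAPTCHAS[cid] = (answer.lower(), dict(protected_fields))
    return cid

def validate_captcha(cid, submitted_answer, form_fields):
    """Reject a missing, wrong or reused captcha, or one solved for different parameters."""
    rec = CAPTCHAS.pop(cid, None)  # single use, whether the attempt passes or fails
    if rec is None or submitted_answer is None:
        return False  # absence of the captcha parameter must not skip validation
    answer, bound = rec
    if any(form_fields.get(k) != v for k, v in bound.items()):
        return False  # solved for one request, submitted with another
    return hmac.compare_digest(answer.encode(), str(submitted_answer).lower().encode())
```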
File Management Logical Bugs:
1. The type of file uploaded is not limited to the types needed as per business rules.
2. Uploaded file type validation depends only on the HTTP Content-Type header value.
3. Uploaded file type validation depends only on the file extension.
4. Uploaded files are saved in the same web context as the application; files should go either to the content server or to the database.
5. Upload of a file that may be interpreted by the web server is possible.
6. Execution privilege is set on file upload directories.
7. When referring to existing files, a white-list approach of allowed file names and types is not used.
8. The application sends the absolute file path to the client.
9. Application files and resources are writable or executable.
10. User-uploaded files are not scanned for viruses and malware.
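Items 1 to 6 and 8 above are addressed together in this added upload handler (example code, not from the article): an allow-list of business-required types checked against the file's leading bytes, the Content-Type header used only as a consistency check, storage under a random name outside the web context with no execute bit, and an opaque id returned instead of a path. The allow-list, size limit and temporary directory are assumptions for the example.

```python
import os
import secrets
import tempfile

# Allow-list of the types the business actually needs: extension -> (leading bytes, MIME type).
# Constructed for this example; the list is the application's to define.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}
MAX_BYTES = 5 * 1024 * 1024
UPLOAD_INDEX = {}  # opaque id -> absolute path; the client only ever sees the id

def check_upload(filename, content, content_type):
    """Judge the file by its bytes; the Content-Type header and the name are never trusted alone."""
    if len(content) > MAX_BYTES:
        return None, "too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return None, "extension not allowed"
    magic, mime = ALLOWED[ext]
    if not content.startswith(magic):
        return None, "content does not match extension"  # a script renamed to .png stops here
    if content_type.split(";")[0].strip().lower() != mime:
        return None, "unexpected content type"  # header checked last, as a consistency test only
    return ext, "ok"

def store_upload(content, ext, base_dir=None):
    """Write outside the web root under a random name with no execute bit; return an opaque id."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="uploads-")  # stands in for the content store
    file_id = secrets.token_hex(16)
    path = os.path.join(base_dir, f"{file_id}.{ext}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)  # rw-r-----, never executable
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    UPLOAD_INDEX[file_id] = path
    return file_id

def is_executable(file_id):
    """Verification helper: the stored file must not carry any execute permission bit."""
    return os.access(UPLOAD_INDEX[file_id], os.X_OK)
```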
About iViZ:

iViZ Security is the industry's first cloud-based penetration testing service for web applications. Unlike scanners, which lack quality, and consultants, who are expensive, iViZ delivers consultant-grade testing in a SaaS-based, cost-effective subscription model. iViZ provides a "Zero False Positive Guarantee" and 100% coverage of all WASC classes with business logic testing, by leveraging its patent-pending "hybrid approach" that integrates automation with manual testing by security experts. For more information please visit: http://www.ivizsecurity.com/