Business Logic Vulnerabilities The issues we often miss...

~whoami Associate Security Consultant at Payatu Synack Red Team member (Level 3) A noob Lifetime learner

I am not an expert, am a learner like you all Thoughts and views expressed in the talk are of my own and not necessarily of any organization. Disclaimer

Agenda Briefing Business Logics vulnerabilities How it starts? The Hidden Gems Sometimes its only about the flow... Do you only rely on client side controls? Targeting features in the application Moral of the story

Business Logic Vulnerabilities Every application out there has a purpose. With purpose, there is an associated business. To carry out business, the application works on some underlying logic. This logic can be abused to cause some unintended behavior. This is where business logic issues take birth.

How it starts? Finding purpose Understanding the application The heat is always at the core

Evey application out there is serving some purpose. Banking websites are serving the purpose of managing money, loans, digital funds, your cards, etc Applications like teams & slack are helping you communicate. If we look carefully, THERE IS PURPOSE EVERYWHERE, even in your life. Understanding the purpose of the application helps you understand the underlying business. This ultimately helps you understand the logic. Finding purpose

Don't start offensive... Get into the application as much as you can. Browse the application normally. Find purpose of every functionality. Be a GOOD USER FIRST. Understanding the application

The heat is always at the core Get into the depth of the application Understand every feature Browse through every functionality Learn the purpose of every page, button, feature etc. Study the flow of data. Observe the flow of requests. Get as much DEEP as you can.

Many applications have official documentation or help sections These are the hidden gems to get better understanding of the application. They also serve as proof for your claims. The Hidden Gems The Documentation

The myth: Users will always follow the flow decided by developers Analyse the flow of requests, many times you can break them. Look how the data flows from and through each of them. Sometimes its only about the flow.....

Scenario Time.. Banking Website Account registation Review information

Scenario Time.. Impact? Replaying POST request Information Updated Override verified details Crucial issue for banking application Attacker can update details at any point.

Do you rely on client side controls? Weak Client Side controls Many times restrictions are only on frontend The issues can sometimes be escalated to access controls too impacting the integrity. Try to change every bit of data which is restricted from frontend.

Scenario Time.. HR management portal Personal information page The information showed supervisor assigned to user Supervisor cannot be edited by user

Changed id in the request Supervisor changed Impact User can change his own supervisor. Impacting access control rules imposed.

One more.. Train ticket booking portal Ticket validity 7days or 24 hrs (fixed) End of validity locked Can be changed via post request

Impact

One more... Banking website Had different types of account Some of them were only entitled for one way transaction When user tried to do a transaction using it, the application responded with - "You cannot transfer from this account"

POST request contained account numbers Changing them allowed the transfer Impact Allows user to transfer to/from restricted accounts.

Targeting features in application Many applications offer a wide range of features. When deeply looked into these features, there can be many test cases to abuse the functionality Some features show their full power when data is provided, try to populate this data. Read documentation related to the feature. Try to become a good user of the application

Scenario Time.. Patient Management Portal Collects personal and medical data Asks consent of the user to share data Does not allow user to proceed further without signing it Once signed it cannot be revoked and signature can be seen in consent tab.

Signature was sent like this Consent was revoked when the same endpoint was hit with empty body Impact User can revoke the consent given. Impact business logic implemented

One more... #1463028 Doc management platform Admin can delete any doc Users cannot view/download after the doc gets deleted User creates shortcut of the doc and adds it to a folder User can download the folder as zip. The deleted file also gets downloaded

Moral of the story

To security researchers Dig deeper as much as you can Be a good user of the application first Understand each and every feature Read the documentation Last but not least, THINK DIFFERENT

To developers Never assume that the user will follow the normal flow Apply check on server side too Make sure that the application logic goes parallel to the one mentioned in the documentation Sometimes get in the shoes of the attacker too.

Connect with me https://www.linkedin.com/in/prateek-thakare/ https://twitter.com/thakare_prateek Linkedin Twitter

Any questions?

No content