Slide 1

Business Logic Vulnerabilities
The issues we often miss...

Slide 2

~whoami
Associate Security Consultant at Payatu
Synack Red Team member (Level 3)
A noob
Lifetime learner

Slide 3

Disclaimer
I am not an expert, I am a learner like you all.
Thoughts and views expressed in the talk are my own and not necessarily those of any organization.

Slide 4

Agenda
Briefing: Business Logic vulnerabilities
How it starts?
The Hidden Gems
Sometimes it's only about the flow...
Do you only rely on client side controls?
Targeting features in the application
Moral of the story

Slide 5

Business Logic Vulnerabilities
Every application out there has a purpose. With purpose, there is an associated business. To carry out that business, the application works on some underlying logic. This logic can be abused to cause unintended behavior. This is where business logic issues are born.

Slide 6

How it starts?
Finding purpose
Understanding the application
The heat is always at the core

Slide 7

Finding purpose
Every application out there is serving some purpose. Banking websites serve the purpose of managing money, loans, digital funds, your cards, etc. Applications like Teams and Slack help you communicate. If we look carefully, THERE IS PURPOSE EVERYWHERE, even in your life. Understanding the purpose of the application helps you understand the underlying business. This ultimately helps you understand the logic.

Slide 8

Understanding the application
Don't start offensive...
Get into the application as much as you can.
Browse the application normally.
Find the purpose of every functionality.
Be a GOOD USER FIRST.

Slide 9

The heat is always at the core
Get into the depth of the application.
Understand every feature.
Browse through every functionality.
Learn the purpose of every page, button, feature, etc.
Study the flow of data.
Observe the flow of requests.
Get as DEEP as you can.

Slide 10

The Hidden Gems: The Documentation
Many applications have official documentation or help sections.
These are the hidden gems for getting a better understanding of the application.
They also serve as proof for your claims.

Slide 11

Sometimes it's only about the flow.....
The myth: users will always follow the flow decided by the developers.
Analyse the flow of requests; many times you can break them.
Look at how the data flows from and through each of them.

Slide 12

Scenario Time..
Banking website
Account registration
Review information

Slide 13

Scenario Time..
Replaying the POST request
Information updated
Override verified details
Impact?
Crucial issue for a banking application
Attacker can update details at any point.
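The defensive counterpart to the slide 12/13 scenario is to make the server track which stage of the registration flow an account is in and refuse any request that belongs to an earlier stage. The following is an added example written for this transcript, not code from the talk; the stage names, endpoint strings and field names are assumptions, and the submitted details are constructed.

```python
# Added example (not from the talk): server-side enforcement of a registration
# flow, so a replayed "update details" POST cannot override details that have
# already been verified. Stage names, endpoints and fields are assumed.
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    DETAILS = "details"      # user is still filling in the form
    VERIFIED = "verified"    # details have been reviewed and locked
    COMPLETE = "complete"    # account opened


class FlowError(Exception):
    """Raised when a request arrives for a stage the flow is no longer in."""


@dataclass
class Registration:
    stage: Stage = Stage.DETAILS
    details: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


# The only stage in which each endpoint is valid. Anything else is a flow violation.
ALLOWED_STAGE = {
    "POST /register/details": Stage.DETAILS,
    "POST /register/verify": Stage.DETAILS,
    "POST /register/complete": Stage.VERIFIED,
}


def handle(reg: Registration, endpoint: str, body: dict) -> Registration:
    """Dispatch one request, checking the flow stage before doing any work."""
    expected = ALLOWED_STAGE.get(endpoint)
    if expected is None:
        raise FlowError(f"unknown endpoint {endpoint}")
    if reg.stage is not expected:
        # This is the check the banking app lacked: a replayed details POST
        # arrives while the stage is VERIFIED, so it is refused and logged.
        reg.audit.append(f"rejected {endpoint} in stage {reg.stage.value}")
        raise FlowError(f"{endpoint} not allowed in stage {reg.stage.value}")
    if endpoint == "POST /register/details":
        reg.details = dict(body)
    elif endpoint == "POST /register/verify":
        reg.stage = Stage.VERIFIED
    elif endpoint == "POST /register/complete":
        reg.stage = Stage.COMPLETE
    reg.audit.append(f"accepted {endpoint}")
    return reg


def demo() -> dict:
    """Walk the flow normally, then replay the details POST after verification."""
    reg = Registration()
    # Constructed sample input.
    handle(reg, "POST /register/details", {"name": "A. User", "phone": "+1-555-0100"})
    handle(reg, "POST /register/verify", {})
    try:
        handle(reg, "POST /register/details", {"name": "A. User", "phone": "+1-555-0199"})
        replay_blocked = False
    except FlowError:
        replay_blocked = True
    return {
        "replay_blocked": replay_blocked,
        "phone": reg.details["phone"],   # still the verified value
        "stage": reg.stage.value,
    }


if __name__ == "__main__":
    print(demo())
```

The stage is stored with the registration record on the server, never derived from anything in the request, so a captured POST replayed later fails the `ALLOWED_STAGE` check regardless of what the client sends. The rejected attempt is also written to the audit list, which is the hook a detection team would turn into an alert.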

Slide 14

Do you rely on client side controls?
Weak client side controls
Many times restrictions exist only on the frontend.
These issues can sometimes be escalated to access control issues too, impacting integrity.
Try to change every bit of data which is restricted on the frontend.

Slide 15

Scenario Time..
HR management portal
Personal information page
The page showed the supervisor assigned to the user
The supervisor cannot be edited by the user

Slide 16

Changed the id in the request
Supervisor changed
Impact
User can change his own supervisor, impacting the access control rules imposed.

Slide 17

One more..
Train ticket booking portal
Ticket validity 7 days or 24 hrs (fixed)
End of validity locked
Can be changed via POST request

Slide 18

Impact

Slide 19

One more...
Banking website
Had different types of accounts
Some of them were only entitled to one-way transactions
When a user tried to do a transaction using one, the application responded with "You cannot transfer from this account"

Slide 20

The POST request contained the account numbers
Changing them allowed the transfer
Impact
Allows a user to transfer to/from restricted accounts.

Slide 21

Targeting features in the application
Many applications offer a wide range of features.
When these features are looked into deeply, there can be many test cases for abusing the functionality.
Some features show their full power only when data is provided; try to populate this data.
Read the documentation related to the feature.
Try to become a good user of the application.

Slide 22

Scenario Time..
Patient management portal
Collects personal and medical data
Asks for the user's consent to share data
Does not allow the user to proceed further without signing it
Once signed it cannot be revoked, and the signature can be seen in the consent tab.

Slide 23

Signature was sent like this
Consent was revoked when the same endpoint was hit with an empty body
Impact
User can revoke the consent given, defeating the business logic implemented.

Slide 24

One more... #1463028
Doc management platform
Admin can delete any doc
Users cannot view/download after the doc gets deleted
User creates a shortcut of the doc and adds it to a folder
User can download the folder as a zip. The deleted file also gets downloaded.

Slide 25

Moral of the story

Slide 26

To security researchers
Dig as deep as you can
Be a good user of the application first
Understand each and every feature
Read the documentation
Last but not least, THINK DIFFERENT

Slide 27

To developers
Never assume that the user will follow the normal flow
Apply checks on the server side too
Make sure that the application logic matches the one described in the documentation
Sometimes get into the shoes of the attacker too.

Slide 28

Connect with me
LinkedIn: https://www.linkedin.com/in/prateek-thakare/
Twitter: https://twitter.com/thakare_prateek

Slide 29

Any questions?
