Logic Flaws

Business logic vulnerabilities | Web Security AcademyWebSecAcademy

//EXPLOITS

• Excessive trust in client-side controls

• Failing to handle unconventional input

• Making flawed assumptions about user behavior

• Domain-specific flaws

• Providing an encryption oracle

ENTRY

The discounting functionality of online shops is a classic attack surface when hunting for logic flaws. This can be a potential gold mine for an attacker, with all kinds of basic logic flaws occurring in the way discounts are applied.

What are business logic vulnerabilities?

In this context, the term "business logic" simply refers to the set of rules that define how the application operates. As these rules aren't always directly related to a business, the associated vulnerabilities are also known as "application logic vulnerabilities" or simply "logic flaws".

How do business logic vulnerabilities arise?

Business logic vulnerabilities often arise because the design and development teams make flawed assumptions about how users will interact with the application. These bad assumptions can lead to inadequate validation of user input. For example, if the developers assume that users will pass data exclusively via a web browser, the application may rely entirely on weak client-side controls to validate input. These are easily bypassed by an attacker using an intercepting proxy.

Excessive trust in client-side controls

Accepting data at face value, without performing proper integrity checks and server-side validation, can allow an attacker to do all kinds of damage with relatively minimal effort. Exactly what they are able to achieve is dependent on the functionality and what it is doing with the controllable data. In the right context, this kind of flaw can have devastating consequences for both business-related functionality and the security of the website itself.

Lab: Excessive trust in client-side controls

Lab: Excessive trust in client-side controls | Web Security AcademyWebSecAcademy

Lab: 2FA broken logic

Lab: 2FA broken logic | Web Security AcademyWebSecAcademy

Failing to handle unconventional input

One aim of the application logic is to restrict user input to values that adhere to the business rules. For example, the application may be designed to accept arbitrary values of a certain data type, but the logic determines whether or not this value is acceptable from the perspective of the business. Many applications incorporate numeric limits into their logic. This might include limits designed to manage inventory, apply budgetary restrictions, trigger phases of the supply chain, and so on.

Lab: High-level logic vulnerability

Lab: High-level logic vulnerability | Web Security AcademyWebSecAcademy

Lab: Low-level logic flaw

Lab: Low-level logic flaw | Web Security AcademyWebSecAcademy

Lab: Inconsistent handling of exceptional input

Lab: Inconsistent handling of exceptional input | Web Security AcademyWebSecAcademy

Making flawed assumptions about user behavior

//Trusted users won't always remain trustworthy Applications may appear to be secure because they implement seemingly robust measures to enforce the business rules. Unfortunately, some applications make the mistake of assuming that, having passed these strict controls initially, the user and their data can be trusted indefinitely. This can result in relatively lax enforcement of the same controls from that point on. If business rules and security measures are not applied consistently throughout the application, this can lead to potentially dangerous loopholes that may be exploited by an attacker.

Lab: Inconsistent security controls

Lab: Inconsistent security controls | Web Security AcademyWebSecAcademy

//Users won't always supply mandatory input

When probing for logic flaws, you should try removing each parameter in turn and observing what effect this has on the response. You should make sure to:

• Only remove one parameter at a time to ensure all relevant code paths are reached.

• Try deleting the name of the parameter as well as the value. The server will typically handle both cases differently.

• Follow multi-stage processes through to completion. Sometimes tampering with a parameter in one step will have an effect on another step further along in the workflow. This applies to both URL and POST parameters, but don't forget to check the cookies too. This simple process can reveal some bizarre application behavior that may be exploitable.

Lab: Weak isolation on dual-use endpoint

Lab: Weak isolation on dual-use endpoint | Web Security AcademyWebSecAcademy

Lab: Password reset broken logic

Lab: Password reset broken logic | Web Security AcademyWebSecAcademy

//Users won't always follow the intended sequence

For example, many websites that implement two-factor authentication (2FA) require users to log in on one page before entering a verification code on a separate page. Assuming that users will always follow this process through to completion and, as a result, not verifying that they do, may allow attackers to bypass the 2FA step entirely.

To identify these kinds of flaws, you should use forced browsing to submit requests in an unintended sequence. For example, you might skip certain steps, access a single step more than once, return to earlier steps, and so on. Take note of how different steps are accessed. Although you often just submit a GET or POST request to a specific URL, sometimes you can access steps by submitting different sets of parameters to the same URL. As with all logic flaws, try to identify what assumptions the developers have made and where the attack surface lies. You can then look for ways of violating these assumptions.

Note that this kind of testing will often cause exceptions because expected variables have null or uninitialized values. Arriving at a location in a partly defined or inconsistent state is also likely to cause the application to complain. In this case, be sure to pay close attention to any error messages or debug information that you encounter. These can be a valuable source of information disclosure, which can help you fine-tune your attack and understand key details about the back-end behavior.

Lab: 2FA simple bypass

Lab: 2FA simple bypass | Web Security AcademyWebSecAcademy

Lab: Insufficient workflow validation

Lab: Insufficient workflow validation | Web Security AcademyWebSecAcademy

Lab: Authentication bypass via flawed state machine

Lab: Authentication bypass via flawed state machine | Web Security AcademyWebSecAcademy

Domain-specific flaws

The discounting functionality of online shops is a classic attack surface when hunting for logic flaws. This can be a potential gold mine for an attacker, with all kinds of basic logic flaws occurring in the way discounts are applied.

You should pay particular attention to any situation where prices or other sensitive values are adjusted based on criteria determined by user actions. Try to understand what algorithms the application uses to make these adjustments and at what point these adjustments are made. This often involves manipulating the application so that it is in a state where the applied adjustments do not correspond to the original criteria intended by the developers.

Lab: Flawed enforcement of business rules

Lab: Flawed enforcement of business rules | Web Security AcademyWebSecAcademy

Lab: Infinite money logic flaw

Lab: Infinite money logic flaw | Web Security AcademyWebSecAcademy

Providing an encryption oracle

Dangerous scenarios can occur when user-controllable input is encrypted and the resulting ciphertext is then made available to the user in some way. This kind of input is sometimes known as an "encryption oracle". An attacker can use this input to encrypt arbitrary data using the correct algorithm and asymmetric key.

This becomes dangerous when there are other user-controllable inputs in the application that expect data encrypted with the same algorithm. In this case, an attacker could potentially use the encryption oracle to generate valid, encrypted input and then pass it into other sensitive functions.

This issue can be compounded if there is another user-controllable input on the site that provides the reverse function. This would enable the attacker to decrypt other data to identify the expected structure. This saves them some of the work involved in creating their malicious data but is not necessarily required to craft a successful exploit. The severity of an encryption oracle depends on what functionality also uses the same algorithm as the oracle.

Lab: Authentication bypass via encryption oracle

Lab: Authentication bypass via encryption oracle | Web Security AcademyWebSecAcademy

How to prevent business logic vulnerabilities

In short, the keys to preventing business logic vulnerabilities are to:

• Make sure developers and testers understand the domain that the application serves

• Avoid making implicit assumptions about user behavior or the behavior of other parts of the application

Its important to make sure that both developers and testers are able to fully understand these assumptions and how the application is supposed to react in different scenarios. This can help the team to spot logic flaws as early as possible. To facilitate this, the development team should adhere to the following best practices wherever possible:

• Maintain clear design documents and data flows for all transactions and workflows, noting any assumptions that are made at each stage.

• Write code as clearly as possible. If it's difficult to understand what is supposed to happen, it will be difficult to spot any logic flaws. Ideally, well-written code shouldn't need documentation to understand it. In unavoidably complex cases, producing clear documentation is crucial to ensure that other developers and testers know what assumptions are being made and exactly what the expected behavior is.

• Note any references to other code that uses each component. Think about any side-effects of these dependencies if a malicious party were to manipulate them in an unusual way.