Exploiting Business Logic Vulnerabilities

Jovanrobibmaxjesus
3 min read · Nov 30, 2020

Pankaj Verma

Nov 29 · 3 min read

Business Logic Vulnerabilities in web applications are not new, but these vulnerabilities are extremely varied and too often untested. Testing for business logic flaws in today’s multi-functional dynamic web applications requires lateral thinking, systematic probing and unconventional methods.

Hello fellow hackers and security enthusiasts, I'm back again with a new bug bounty write-up. In this article, I'll be sharing some of my recent findings where I've dealt with some business logic flaws in the application. So, let's start with understanding the vulnerability first.

What are Business Logic Vulnerabilities?

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behaviour. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.

Image Source : PortSwigger

I always like to hunt for business logic flaws along with technical vulnerabilities because these vulnerabilities carry a high impact on the target application. Recently, I encountered some logic-based vulnerabilities while testing a private application.

1. Critical Parameter Manipulation or Logical Data Validation

The application had logical validation on the front end but not on the server side. Because it verified data only locally, it was vulnerable to data tampering through Burp proxy or by manipulating client-side code.

The Attack:

The target was an e-commerce application that stored product prices in hidden form fields so that users could not edit the price from the front end. But at checkout, an attacker was able to manipulate the product's price by tampering with the request in Burp Suite.
The interesting part of this vulnerability was that the application also accepted negative values for the product's price.
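
The missing server-side check described above, shown as an added example (not code from the tested application): the "before" total trusts the price submitted in the form, while the "after" total takes the price from a server-side catalogue and rejects altered or out-of-range values. `CATALOG`, `MAX_QTY`, the function names and the sample requests are assumptions constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trusted source of prices.
CATALOG = {"sku-1001": Decimal("49.99"), "sku-2002": Decimal("5.00")}
MAX_QTY = 100  # assumed per-line quantity limit


class OrderRejected(ValueError):
    """Raised when a checkout request fails server-side validation."""


def total_trusting_client(items):
    """'Before': the total is built from the price sent by the browser."""
    return sum(Decimal(str(i["price"])) * int(i["qty"]) for i in items)


def total_server_side(items):
    """'After': price comes from CATALOG; the client value is only compared."""
    total = Decimal("0")
    for i in items:
        sku = i.get("sku")
        if sku not in CATALOG:
            raise OrderRejected(f"unknown sku: {sku!r}")
        qty = i.get("qty")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderRejected(f"invalid quantity for {sku}: {qty!r}")
        if "price" in i:
            try:
                same = Decimal(str(i["price"])) == CATALOG[sku]
            except InvalidOperation:  # non-numeric or signalling NaN input
                same = False
            # Reject instead of silently correcting, so the event can be logged.
            if not same:
                raise OrderRejected(f"price mismatch for {sku}")
        total += CATALOG[sku] * qty
    return total


# Constructed checkout bodies as the server would receive them.
HONEST = [{"sku": "sku-1001", "qty": 2, "price": "49.99"}]
TAMPERED = [{"sku": "sku-1001", "qty": 2, "price": "-49.99"}]

if __name__ == "__main__":
    print("before:", total_trusting_client(TAMPERED))
    print("after: ", total_server_side(HONEST))
```

Rejections raised by `total_server_side` are worth logging with the session and order identifiers, since a price mismatch on checkout is a strong signal of request tampering.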
