Business Logic
Extracting unintended behavior through business design flaws.
Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to extract unintended behavior.
This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.
Excessive trust in client-side controls (without server-side validation)
Change and test all parameters of HTTP requests.
Failing to handle unconventional input
Find bugs
1) Are there any limits imposed on the data?
2) What happens when you reach those limits?
3) Is any transformation or normalization performed on your input?
Example:
Consider a funds transfer between two bank accounts.
This functionality will almost certainly check whether the sender has sufficient funds before completing the transfer:
Solve:
Sending -$1000 to the victim's account might result in the attacker receiving $1000 from the victim instead.
Example of integer overflow
Send a very large integer as the quantity of your order, for example:
productId=10&redir=PRODUCT&quantity=999999999999
As a result, the value loops back around to the minimum possible value (-$2,147,483,648).
Then try to bring the price down to a cheap value ($20).
Buy your expensive order.
Example:
The attacker has a mail server whose domain is attacker.com.
The target site has an '/admin' path for users that have a foo.com email, like bar@foo.com.
The max length of an email address is 255 characters.
The attacker can create an email like aaaaa...aaaaa@foo.com.attacker.com, where the part up to and including @foo.com is exactly 255 characters long.
The target site's server sends the confirmation email to aaa...aaa@foo.com.attacker.com, but it saves the truncated address aaaaa...aaaaa@foo.com for the attacker.
The attacker can then access the /admin path from his dashboard.
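A server-side counterpart to the three examples above (the negative transfer, the overflowing order quantity and the truncated email), added here as an illustration and not code from the original page. It simulates the 32-bit quantity bug beside a bounded version, rejects non-positive transfer amounts, and checks the admin domain on the full, untruncated address; MAX_QUANTITY, ADMIN_DOMAIN and the function names are assumptions for this example.

```python
from decimal import Decimal, InvalidOperation

MAX_QUANTITY = 99       # hypothetical per-order limit; pick one that fits the business
MAX_EMAIL_LEN = 255     # the limit used in the email example above
ADMIN_DOMAIN = "foo.com"

def wrap_i32(n: int) -> int:
    """Simulate storing n in a signed 32-bit integer (the bug in the order example)."""
    return (n + 2**31) % 2**32 - 2**31

def vulnerable_total_cents(price_cents: int, raw_quantity: str) -> int:
    """Trusts the client-supplied quantity and lets the total wrap around."""
    return wrap_i32(price_cents * int(raw_quantity))

def parse_quantity(raw: str) -> int:
    """Bound the quantity before it is ever multiplied, so no wrap-around is possible."""
    if not raw.isdigit():           # rejects '', '-5', '1e9', whitespace
        raise ValueError("quantity must be a positive integer")
    qty = int(raw)
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    return qty

def safe_total_cents(price_cents: int, raw_quantity: str) -> int:
    return price_cents * parse_quantity(raw_quantity)

def parse_amount(raw: str) -> Decimal:
    """Only a strictly positive, finite amount may be transferred."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be positive")   # blocks the -$1000 trick
    return amount.quantize(Decimal("0.01"))

def transfer(balances: dict, sender: str, receiver: str, raw_amount: str) -> None:
    amount = parse_amount(raw_amount)
    if balances[sender] < amount:
        raise ValueError("insufficient funds")
    balances[sender] -= amount
    balances[receiver] += amount

def is_admin_email(raw: str) -> bool:
    """Check the full address as submitted; never store a truncated copy of it."""
    if len(raw) > MAX_EMAIL_LEN or raw.count("@") != 1:
        return False                 # too long: reject instead of truncating
    _local, domain = raw.split("@")
    return domain.lower() == ADMIN_DOMAIN
```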
Note
Trusted users won't always remain trustworthy.
Users won't always supply mandatory input.
Users won't always follow the intended sequence.
Providing an encryption method (for example, examine how each cookie is built and try to create an admin cookie).