In this article, we will explore Business Logic Vulnerabilities. Every web application has its own business logic. For example, what is Amazon’s business logic? Amazon’s business logic revolves around a customer visiting the website, adding products to their cart, and proceeding to the checkout to make a purchase. That’s the essence of business logic. Every application has some form of business logic at its core.
Business Logic Vulnerabilities
Now, let’s talk about Business Logic Vulnerabilities. I’ll give you an example to help you understand. Imagine a user comes to Amazon and intercepts a request while purchasing a product. After intercepting the request, they either manipulate the price to a negative value or reduce it significantly, causing the company to suffer heavy losses. This flaw is known as a business logic flaw or Business Logic Vulnerabilities.
Let me provide you with a few more examples to enhance your understanding:
Business Logic Vulnerabilities Example 1
Price Tampering – I have already explained this earlier. In price tampering, an attacker or user manipulates the price of a product during the purchase process for their own benefit.
Business Logic Vulnerabilities Example 2
Locking/Holding – On many websites, there is a limited quantity of products available. If someone adds a huge number of products to their cart and holds them, no one else can purchase those items. This results in the product going out of stock. This statement is also a business logic flaw. Websites mitigate this issue by setting a time limit. If a user does not proceed with the purchase within the set time, the system automatically logs them out or empties their cart. Some websites implement a feature, similar to Amazon, where users can purchase only a limited number of products at a time. These measures aim to protect against Business Logic Vulnerabilities.
Business Logic Vulnerabilities Example 3
You can also exploit business logic vulnerabilities through rewards. For example, let’s say someone has a coupon code. If you repeatedly use that coupon code in the same account, it becomes a flaw in the business logic.
Business logic exploits can be categorized as follows
Test Limits on the Number of Times a Function Can Be Used
Test Business Logic Data Validation
Data validation ensures that your data is valid at each step. For example, let’s say you’re adding a product to your cart on example.com and intercepting the request in Burp Suite. After intercepting, the endpoint looks something like example.com/addtocart=10. Now, if you change it to example.com/addtocart=-10 and the server side fails to validate it properly, it can lead to application vulnerabilities. Therefore, thorough testing of data validation is crucial to avoid generating Business Logic Vulnerabilities.
Test Ability to Forge Requests
This involves understanding whether a web application allows multiple users to access the same course or movie simultaneously. If you discover that multiple users can access it using shared cookies, it indicates a business logic flaw. Exploiting this flaw, users can forge requests and gain unauthorized access simultaneously. This is a form of business logic flaw that needs to be addressed.
Test Integrity Checks
In the context of integrity, there are three components known as the CIA Triad: Confidentiality, Integrity, and Availability. Here, we are focusing on the second component, integrity. Integrity ensures that data sent by one user to another remains intact without any modification by a third party. It means that the request should be sent correctly, and the recipient should receive the exact data sent by the sender. If someone can capture and modify the request in the middle, it indicates a lack of integrity checks. If integrity checks are not properly implemented, it can lead to Business Logic Vulnerabilities.
Test for Process Timing
Process timing refers to the time it takes for certain actions to occur. For example, let’s say Apple is launching the iPhone 15 today, and during the launch, someone launches a DDoS attack on their website, causing it to go down. This results in heavy losses for Apple. Such flaws, where something should be available at a specific time but is not, are considered Business Logic Vulnerabilities. The testing process timing is essential to identify vulnerabilities and patch them accordingly.
Testing the Upload of Malicious Files
Testing the upload of malicious files involves a significant vulnerability known as a file upload vulnerability. If the file upload function is not adequately validated, an attacker can easily upload a malicious web shell to your website, potentially compromising your entire server.
We have written articles on 13 business logic vulnerabilities in PortSwigger Web Security Lab, covering basic to advanced concepts. Here are the links to all the articles:
- Excessive trust in client-side controls
- High-level logic vulnerability
- Inconsistent security controls
- Flawed enforcement of business rules
- Low-level logic flaw
- Inconsistent handling of exceptional input
- Weak isolation on dual-use endpoint
- Insufficient workflow validation
- Authentication bypass via flawed state machine
- Infinite money logic flaw
- Authentication bypass via encryption Oracle
Tools Used to Test Business Logic Vulnerabilities
Request Maker is a pen-testing tool that allows you to capture requests made by web pages. Once you captured the request, you can tamper with URLs, headers, post data, and even create new requests.
Edit this Cookies Extension
Edit this Cookies Extension is a cookie manager extension for the Chrome browser. It enables you to edit, search, protect, and block cookies.
Swap my Cookies Extension
Swap My Cookies Extension is a Chrome extension that serves as a session manager. It helps manage cookies, allowing multiple users to log in to a website using different sessions.
Smart Session Extension
Smart Session Extension is a Chrome extension that automatically saves multiple sessions. It allows you to run multiple active sessions within the same browser, with sessions saved in the same tab. You can use it in incognito mode too.