In the previous article we defined and discussed business logic flaws and their inherent risks. In software design, any web application can be modeled as a set of use cases and workflows.

A workflow or use case is a series of granular interactions between the user and the system.

A business logic vulnerability is defined as a security weakness or bug in the functional or design aspect of the application. Because the weakness lives in the function or design rather than in the implementation of a known bug class, it is routinely missed by existing automated web application scanners.

Below is a loosely defined, use case based taxonomy of business logic flaws. Each category lists its scenarios/recommendations together with the exploit pattern they guard against.

Abuse of Functionality

  • Recommendation: Do not display full usernames on the website. Exploit pattern: using an exposed username, lock the user out through repeated login attempts with incorrect passwords.
  • Recommendation: Use caution with code reuse. Exploit pattern: the same code is reused for user and admin password reset.
  • Recommendation: Do not define privilege levels based on which function is triggered; use the session for identity decisions. Exploit pattern: leave the old password blank during password reset and it is treated as an admin password reset.
  • Recommendation: Guard against out-of-band or in-band deletion of audit trails. Exploit pattern: Step 1: from an admin account, create a second account and assign it admin privileges. Step 2: from the second account, delete the audit trail of Step 1. Step 3: perform malicious actions anonymously.

Circumvention of Workflow

  • Recommendation: A user can access steps in a multistage process out of order or skip steps; the process should validate completion of the prior step(s). Exploit pattern: place an online order, skip payment authorization (or reuse an older authorization with a lower amount), and proceed to fulfillment (shipping) merely by checking the orderId and not the recency of the order within the session.

Weak Password Recovery Validation

  • Recommendation: Avoid secret questions whose answers could be discovered via publicly available information. Exploit pattern: secret questions that verify a known address, birth date or spouse name (public record information).
  • Recommendation: Password resets should involve an out-of-band method. Exploit pattern: secret questions are easy to guess, so an attacker can gain immediate access to the account.

Predictable Resource Location

  • Scenario: Hidden URLs can be discovered. Exploit pattern: a hidden web page is created for a future release (using feature flags) and the information is abused ahead of the news release.

Poor Input Validation

  • Recommendation: A user can add parameters and values that the function does not require; the function should handle this properly. Exploit pattern: in a multistep online process, a hidden cost parameter is set for a later step. The user modifies the cost parameter (currency type) at an early step to get a lower price.

Insufficient Process Validation

  • Recommendation: Input should be verified both at initial content submission and again if that content is edited at a later time. Exploit pattern: a comment is screened at submission but not when edited; the edited comment includes inappropriate text or malicious code.
  • Recommendation: When decisions are made based on specific criteria, verify the criteria at the final step of the process, in case they have changed. Exploit pattern: add items to the shopping cart to receive a discount, then remove items before paying; the discount remains.
  • Recommendation: Verify submission time against any input constraints. Exploit pattern: place an order on a stock exchange website at time A but don't finalize it. At time B, check whether the price is now higher; finalize the submission but pay the price from time A.

Parameter Tampering (Insecure Direct Object Reference)

  • Scenario: Notification status is sent with an embedded URI in email containing a direct object reference to a database id. Exploit pattern: the email contains a link with the order status (predictable sequence), enabling the attacker to change the sequence and view orders initiated by any user(s).

Information Leakage

  • Recommendation: Identify whether PII/PHI information is crossing trust boundaries without encryption/redaction/obfuscation. Exploit pattern: sensitive data leaks to log file(s) or third-party SaaS vendors.
  • Scenario: Undisciplined exception propagation (rethrowing application exceptions up the call chain) so that they are eventually displayed to the end user. Exploit pattern: the printed error message can contain hostname, database credentials, database type, application server stack, etc.
  • Recommendation: If searching is allowed but the content is protected (behind a paywall or session), assume any information that is displayed can be used. Exploit pattern: contents of search results are behind a paywall, but the number of results found is still displayed; use complex search terms to find whether results exist (e.g. "Company X" "Date" "Acquired company Y" returns 1 result).
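The workflow circumvention and process validation rows above (skipped or stale payment authorization, discounts that survive cart edits) come down to one rule: every step re-derives its decision from server-side state. The following is an added illustration, not code from the original article; the step names, the 15-minute authorization window and the 10% three-item discount are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed checkout flow, not code from the original article. Amounts are integer cents.
STEPS = ["cart", "address", "payment", "fulfillment"]
AUTH_MAX_AGE = 15 * 60  # seconds an authorization may be used for its order (assumed policy)

@dataclass
class Order:
    order_id: str
    items: dict = field(default_factory=dict)   # sku -> price in cents
    done: set = field(default_factory=set)       # completed steps, kept server-side only
    auth: Optional[dict] = None                  # gateway authorization bound to this order

def discount(items: dict) -> int:
    # Constructed rule: 10% off when three or more items are in the cart
    total = sum(items.values())
    return total // 10 if len(items) >= 3 else 0

def payable(order: Order) -> int:
    # Always recomputed from the current cart, never cached from an earlier step
    return sum(order.items.values()) - discount(order.items)

def require_prior(order: Order, step: str) -> None:
    # Reject a step unless every predecessor is recorded as complete for this order
    missing = [s for s in STEPS[:STEPS.index(step)] if s not in order.done]
    if missing:
        raise PermissionError(f"{step} requested before {missing[0]}")

def complete(order: Order, step: str) -> None:
    require_prior(order, step)
    order.done.add(step)

def record_authorization(order: Order, order_id: str, amount: int, now: float) -> None:
    # The authorization must name this order and cover what is payable right now
    require_prior(order, "payment")
    if order_id != order.order_id or amount != payable(order):
        raise PermissionError("authorization does not match this order's payable amount")
    order.auth = {"order_id": order_id, "amount": amount, "at": now}
    order.done.add("payment")

def fulfill(order: Order, now: float) -> bool:
    require_prior(order, "fulfillment")
    a = order.auth
    if a is None or a["order_id"] != order.order_id:
        raise PermissionError("no authorization bound to this order")
    if now - a["at"] > AUTH_MAX_AGE:
        raise PermissionError("authorization is stale; re-authorize")
    if a["amount"] != payable(order):
        # Cart edited after authorization (e.g. items removed to keep a discount): re-check
        raise PermissionError("authorized amount no longer matches payable amount")
    order.done.add("fulfillment")
    return True
```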

The taxonomy above can also be organized by business domain function.

Order Management (E-Commerce)

  • Possibility of price manipulation during order placement.
  • Possibility of manipulating the shipping address after order placement.
  • Absence of mobile verification for cash-on-delivery orders.
  • Obtaining cash-back/refunds even after order cancellation.
  • Non-deduction of discounts offered even after order cancellation.

Ticket booking (Services)

  • Possibility of illegitimate ticket blocking for a certain time using automation techniques.
  • No CSRF protection on the ticket cancellation option.
  • Client-side validation bypass for the max seat limit on a single order.
  • Bookings/reservations using fake account info.
  • Usage of burner (disposable) phones for verification.

Coupons (E-Commerce)

  • Coupon redemption possibility even after order cancellation.
  • Bypass of coupon's terms & conditions.
  • Bypass of coupon's validity.
  • Usage of multiple coupons for the same transaction.
  • Predictable coupon codes.
  • Failure of re-computation of coupon value after partial order cancellation.
  • Bypass of coupon's validity date.
  • Illegitimate usage of coupons with other products.

Payment Gateway Integration (E-Commerce, Payment providers, Fin-tech)

  • Price modification at client side with negative values.
  • Price modification at client side with varying price values.
  • Callback URL manipulation.
  • Checksum bypass.
  • Possibility of price manipulation at run time.
  • Reuse of an existing auth/captureId with a lower amount (no verification of product cost/date against transaction cost/date).

Notification System (All categories)

  • Predictable callback API.
  • Unencrypted HTTP APIs for SMS gateways.
  • HTTP calls to gateway vendors can respond with malicious content.
  • Predictable unsubscribe email link.
  • Malicious bounced-back email (which can be easily forged) can mark e-mail delivery as failed.
  • Deletion of messages containing historical messages with sensitive data.
  • Security of stored passwords related to SMS/email gateways.
  • Bug in the state machine for message delivery, e.g. a forged delivery report marks a successfully delivered message as failed.
  • Forge a bounce email and increase the credit limit.
  • Spam emails to block email servers.

Bypass Captcha Implementation (All Categories)

  • Captcha value is bound to the session only, and not to the parameters that need to be protected.
  • Validation is not performed in the absence of the captcha parameter.
  • Reusable captcha value.
  • Only the length or presence of the captcha parameter is validated, not the actual value.
  • Changing the user agent bypasses captcha validation.
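A server-side verifier that closes the five captcha gaps listed above, as an added example that is not part of the original article: each challenge is single-use, tied to both the session and a digest of the parameters it protects, compared by value, and a missing field fails closed. The in-memory store, the field names captcha_id/captcha and the username parameter are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side challenge store (assumed; a real service would use a shared cache).
_challenges: dict = {}   # challenge_id -> {"answer": str, "sid": str, "scope": str}

def scope_of(protected: dict) -> str:
    # Digest of the exact parameter values the captcha is meant to protect (e.g. the
    # username of a login form), so the solved challenge cannot be replayed against others.
    canon = "&".join(f"{k}={protected[k]}" for k in sorted(protected))
    return hashlib.sha256(canon.encode()).hexdigest()

def issue(session_id: str, protected: dict, answer: str) -> str:
    # Called when the challenge image is generated; the answer never leaves the server
    cid = secrets.token_urlsafe(16)
    _challenges[cid] = {"answer": answer, "sid": session_id, "scope": scope_of(protected)}
    return cid

def verify(session_id: str, protected: dict, form: dict) -> bool:
    # Absent or empty fields are a failure, never a skip of validation
    cid, answer = form.get("captcha_id"), form.get("captcha")
    if not cid or not answer:
        return False
    # pop() makes the challenge single-use even when this attempt fails
    entry = _challenges.pop(cid, None)
    if entry is None or entry["sid"] != session_id:
        return False
    if entry["scope"] != scope_of(protected):
        return False   # protected parameters changed after the challenge was issued
    # Compare the full value in constant time; length or presence alone proves nothing
    return hmac.compare_digest(entry["answer"], answer)
```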

Bypass CSRF Protection (All Categories)

  • Non-validated tokens.
  • Only token length validated.
  • Partial token validation with not enough entropy.
  • Token reuse.
  • Cross-user session token can be used.
  • Weak/predictable tokens.
  • Email hash used as token.

File Management Logical Bugs (All Categories)

  • Type of file uploaded is not limited to the types needed as per business rules.
  • Uploaded file type validation depends only on the HTTP Content-Type header value.
  • Uploaded file type validation depends only on the file extension.
  • Uploaded files are saved in the same web context as the application. Files should go either to the content server or to the database.
  • Upload of a file is possible that may be interpreted by the web server.
  • Execution privilege is set on file upload directories.
  • When referring to existing files, an allow-list of permitted file names and types is not used.
  • Application sends the absolute file path to the client.
  • Application files and resources are writable or executable.
  • User-uploaded files are not scanned for viruses and malware.
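An upload handler that addresses several of the items above (type allow-list from the business rule, content sniffing rather than trusting Content-Type or extension, server-chosen file name, non-executable file mode, no absolute path returned to the client), as an added example that is not part of the original article. The "images only" rule, the storage directory and the magic-byte table are assumptions; malware scanning is out of scope here.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Constructed handler, not the article's code. Business rule assumed: images only.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME = {"png": {"image/png"}, "jpg": {"image/jpeg", "image/jpg"}, "gif": {"image/gif"}}
EXT_ALIASES = {"jpeg": "jpg"}
STORE = Path("/srv/app-uploads")   # assumed location outside the web-served tree

def sniff(data: bytes) -> Optional[str]:
    # The leading bytes of the content decide the type, not anything the client claims
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None

def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    # Content must be an allowed type, and the client's extension and Content-Type
    # must agree with it; neither header nor name is trusted on its own.
    ext = sniff(data)
    if ext is None:
        raise ValueError("content is not an allowed image type")
    claimed = Path(filename).suffix.lower().lstrip(".")
    if EXT_ALIASES.get(claimed, claimed) != ext:
        raise ValueError("file extension does not match content")
    if content_type.split(";")[0].strip().lower() not in MIME[ext]:
        raise ValueError("Content-Type does not match content")
    return ext

def destination_for(ext: str, store: Path = STORE) -> Path:
    # Server-chosen name: no client-supplied path component ever reaches the filesystem
    return store / f"{secrets.token_hex(16)}.{ext}"

def store_upload(filename: str, content_type: str, data: bytes, store: Path = STORE) -> str:
    ext = validate_upload(filename, content_type, data)
    dest = destination_for(ext, store)
    # Create-only and non-executable; only the opaque name is returned, never the absolute path
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest.name
```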

Growth Hacking - API routes

RULE based - Guidelines for the use of the C/C++ languages in critical systems

  • MISRA
  • AUTOSAR
  • CERT
  • Ability to analyze Tensor (Python) modules [and/or] CUDA C++ models