
50 Common Logical Vulnerabilities found in Web Applications


Currently, web application security focuses on secure protocols, cryptography, and on
detecting and mitigating the vulnerabilities that commercial or open source automated
scanners can find, such as SQL injection, XSS, CSRF and weak session management.
Vulnerabilities in the business logic of an application, which malicious users can
leverage just as well, are often ignored. In this article we describe 50 common logical
vulnerabilities found in web applications.


What is a Business Logic Vulnerability?

In software design, every web application can be modeled as a set of use cases and
workflows. A workflow or use case is a series of granular interactions between the user
and the system.

A business logic vulnerability is a security weakness or bug in the functional or design
aspect of the application. Because the weakness lies in the function or design rather
than in a recognizable input-handling pattern, it is usually missed by existing automated
web application scanners.

For example, booking a movie ticket involves the following steps:

Search for and select a movie
View available seats
Select seats
Select the number of seats to be booked (the same number of seats is blocked for other
users for 5 minutes)
Fill in credit card details and proceed to the payment gateway
Success or failure confirmation

Even in this simple use case there is a significant attack surface of logical
vulnerabilities that penetration testers need to cover.


Why are Business Logic Vulnerabilities hard to detect?

Most automated scanners currently available in the industry detect vulnerabilities that
are recognizable by signatures and well-researched exploitation vectors. By contrast,
flaws in an application's logic are harder to characterize: each instance may appear to
be a unique one-off occurrence, and they are not usually identified by any automated
vulnerability scanner. As a result they are not generally as well appreciated or
understood, and they are therefore of great interest to an attacker.

In the following section we present around 50 common business logic vulnerabilities
found in web applications. Our objective is to hand application architects, designers,
developers and testers a useful list of logical vulnerabilities, so that they can be
mitigated during the design and development phases of the application itself.


50 Common Logical Vulnerabilities in Web Applications

For the sake of simplicity, we have grouped the logical vulnerabilities by application
module, e.g. order management, coupons, payment gateway integration, notification system, etc.

Order Management:
1: Possibility of Price manipulation during order placement.
2: Possibility of manipulating the shipping address after order placement.
3: Absence of Mobile Verification for Cash-on-Delivery orders.
4: Obtaining cash-back/refunds even after order cancellation.
5: Discount amounts not deducted from the refund after order cancellation.

Ticket Booking:
1: Possibility of illegitimate ticket blocking for certain time using automation techniques.
2: No CSRF protection on Ticket Cancellation Option.
3: Client side validation bypass for max seat limit on a single order.
4: Bookings/reservations using fake account information.
5: Use of burner (disposable) phones for verification.
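The seat-blocking step of the booking workflow described earlier is where items 1 and 3 above bite: if the hold limit or the maximum seats per order is only checked in the browser, a script can block a whole hall for free. The following is an added example, not code from the original article or from iViZ, of a server-side hold service that re-checks every rule; the 6-seat limit, the one-pending-hold-per-account rule and the in-memory store are assumptions made for the demonstration.

```python
import time

HOLD_SECONDS = 300          # seats stay blocked for 5 minutes, as in the workflow
MAX_SEATS_PER_ORDER = 6     # assumed business rule, enforced here and not in the client


class SeatHoldService:
    """Holds and bookings for one show. `now` is injectable so the 5-minute
    expiry can be exercised without waiting."""

    def __init__(self, now=time.time):
        self._now = now
        self._holds = {}    # seat -> (account, expires_at)
        self._booked = {}   # seat -> account

    def _purge(self):
        """Drop expired holds so blocked seats return to the pool."""
        now = self._now()
        for seat, (_, expires_at) in list(self._holds.items()):
            if expires_at <= now:
                del self._holds[seat]

    def pending_holds(self, account):
        self._purge()
        return sorted(s for s, (a, _) in self._holds.items() if a == account)

    def hold(self, account, seats):
        """Block seats for HOLD_SECONDS. Every limit is enforced server side,
        so a client that strips the max-seat check (item 3) or scripts many
        requests to block seats (item 1) gains nothing."""
        self._purge()
        seats = set(seats)
        if not 0 < len(seats) <= MAX_SEATS_PER_ORDER:
            return False, "seat count out of range"
        if self.pending_holds(account):          # assumed: one unpaid booking at a time
            return False, "account already has a pending hold"
        taken = sorted(s for s in seats if s in self._holds or s in self._booked)
        if taken:
            return False, f"unavailable: {taken}"
        expires_at = self._now() + HOLD_SECONDS
        for s in seats:
            self._holds[s] = (account, expires_at)
        return True, "held"

    def release(self, account, seats):
        """Voluntary release; only the owner of a hold can release it."""
        for s in seats:
            if self._holds.get(s, (None, 0))[0] == account:
                del self._holds[s]

    def confirm(self, account, seats):
        """Payment succeeded: the seats must still be held by this account.
        An expired hold is not honoured, because another user may now hold them."""
        self._purge()
        seats = set(seats)
        if any(self._holds.get(s, (None, 0))[0] != account for s in seats):
            return False, "hold expired or not owned"
        for s in seats:
            del self._holds[s]
            self._booked[s] = account
        return True, "booked"
```

Per-account limits only help if an account costs the attacker something; items 4 and 5 (fake account details, disposable phones) are exactly the ways around them, so the same limit should also be keyed to a verified identity such as the phone number, and the verification itself must not accept throwaway numbers.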

Coupons:
1: Coupon Redemption possibility even after order cancellation.
2: Bypass of coupon's terms & conditions.
3: Bypass of coupon's validity.
4: Usage of multiple coupons for the same transaction.
5: Predictable Coupon codes.
6: Coupon value not recomputed after partial order cancellation.
7: Bypass of coupon's validity date.
8: Use of coupons on products they were not issued for.
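Most of the coupon items above share one root cause: the terms are evaluated once, client side, or never re-evaluated. The following is an added example, not code from the original article or from iViZ, of server-side coupon handling that evaluates every term on each change to the order (items 2, 3, 4, 6, 7, 8) and generates unpredictable codes (item 5). The coupon table, its field names and the integer-cents money convention are assumptions made for the demonstration.

```python
import secrets
from datetime import datetime, timezone

# Constructed coupon table; amounts are integer cents.
COUPONS = {
    "SAVE10": {"percent": 10, "max_off": 50000, "min_eligible": 100000,
               "categories": {"electronics"}, "valid_from": "2024-01-01",
               "valid_to": "2024-12-31", "stackable": False},
    "FLAT5": {"percent": 5, "max_off": 5000, "min_eligible": 0,
              "categories": {"electronics", "books"}, "valid_from": "2024-01-01",
              "valid_to": "2024-12-31", "stackable": False},
}


def _utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def eligible_subtotal(items, coupon):
    """Only items in the coupon's categories count towards it (item 8)."""
    return sum(i["price"] * i["qty"] for i in items if i["category"] in coupon["categories"])


def discount_for(order, code, now):
    """Return (discount_cents, "ok") or (0, reason) for one coupon against the
    order as it is right now; validity and minimums are checked here, on the
    server, every time (items 2, 3, 7)."""
    c = COUPONS.get(code)
    if c is None:
        return 0, "unknown coupon"
    if not _utc(c["valid_from"]) <= now <= _utc(c["valid_to"]):
        return 0, "outside validity period"
    eligible = eligible_subtotal(order["items"], c)
    if eligible == 0 or eligible < c["min_eligible"]:
        return 0, "minimum eligible amount not met"
    return min(eligible * c["percent"] // 100, c["max_off"]), "ok"


def recompute_discount(order, now):
    """Re-evaluate every applied coupon; one whose terms no longer hold is
    removed rather than leaving its discount in place (item 6)."""
    total, kept = 0, []
    for code in order["coupons"]:
        disc, reason = discount_for(order, code, now)
        if reason == "ok":
            total += disc
            kept.append(code)
    order["coupons"] = kept
    order["discount"] = total
    return total


def apply_coupon(order, code, now):
    """Attach a coupon to the order; non-stackable coupons cannot be combined (item 4)."""
    c = COUPONS.get(code)
    if c is None:
        return 0, "unknown coupon"
    if code in order["coupons"]:
        return 0, "already applied"
    if order["coupons"] and not (c["stackable"] and all(COUPONS[x]["stackable"] for x in order["coupons"])):
        return 0, "coupons cannot be combined"
    disc, reason = discount_for(order, code, now)
    if reason != "ok":
        return 0, reason
    order["coupons"].append(code)
    recompute_discount(order, now)
    return disc, "applied"


def cancel_items(order, skus, now):
    """Partial cancellation: remove the items, then re-run every coupon."""
    order["items"] = [i for i in order["items"] if i["sku"] not in skus]
    return recompute_discount(order, now)


def new_coupon_code(length=12):
    """Unpredictable codes (item 5): drawn from the OS CSPRNG over an alphabet
    without look-alike characters, never sequential or date-derived."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The recomputation on cancellation is the piece most often missing: the 10% coupon below is worth 15000 cents while the television is in the cart and nothing once it is cancelled, and the code handles that by dropping the coupon instead of carrying the old discount into the refund.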

Payment Gateway Integration:
1: Price modification at client side with negative values.
2: Price modification at client side with varying price values.
3: Callback URL manipulation.
4: Checksum bypass.
5: Possibility of price manipulation at Run Time.
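Order Management item 1 and Payment Gateway items 1 through 5 are all variants of trusting a value that passed through the client: the line price, the total sent to the gateway, or the gateway's callback. The following is an added example, not code from the original article or from iViZ, that recomputes the total from a catalog, verifies the gateway's checksum in constant time, and reconciles the paid amount against the stored order. The catalog, the shared secret and the pipe-joined HMAC-SHA256 checksum format are assumptions; a real gateway documents its own field order and hash.

```python
import hashlib
import hmac

# Constructed catalog: prices in integer cents, so there is no float rounding to play with.
CATALOG = {"SKU-100": 49900, "SKU-200": 1999}
# Hypothetical merchant secret shared with the gateway; in practice it lives in a secret store.
GATEWAY_SECRET = b"assumed-shared-secret-with-gateway"
ORDERS = {}  # order_id -> {"total": int, "status": str}


def vulnerable_total(items):
    """The pattern behind items 1, 2 and 5: the client's own price and quantity
    are summed as sent, so a negative or lowered line item reduces the total."""
    return sum(i["price"] * i["qty"] for i in items)


def server_total(items):
    """Recompute from the catalog; returns (total, "ok") or (None, reason).
    The client's 'price' field is ignored entirely."""
    total = 0
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            return None, f"unknown sku {sku!r}"
        if type(qty) is not int or qty <= 0 or qty > 100:   # excludes bool and negatives
            return None, f"bad quantity {qty!r}"
        total += CATALOG[sku] * qty
    if total <= 0:
        return None, "empty order"
    return total, "ok"


def create_order(order_id, items):
    """Store the server-computed total before redirecting to the gateway."""
    total, reason = server_total(items)
    if total is None:
        return None, reason
    ORDERS[order_id] = {"total": total, "status": "PENDING"}
    return total, "created"


def checksum(order_id, amount, status):
    """Assumed callback checksum: HMAC-SHA256 over pipe-joined fields."""
    msg = f"{order_id}|{amount}|{status}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def handle_callback(params):
    """Callback handler for items 3, 4 and 5. The order is selected by the id
    inside the signed payload, not by anything in the URL; the checksum is
    checked in constant time before any field is trusted; the amount is
    reconciled with the stored total, which catches a price lowered between
    checkout and the gateway request; replays are ignored."""
    order = ORDERS.get(params.get("order_id"))
    if order is None:
        return "REJECT: unknown order"
    expected = checksum(params["order_id"], params.get("amount", ""), params.get("status", ""))
    supplied = str(params.get("checksum", "")).encode()
    if not hmac.compare_digest(expected.encode(), supplied):
        return "REJECT: bad checksum"
    if str(params.get("amount")) != str(order["total"]):
        return "REJECT: amount mismatch"
    if order["status"] != "PENDING":
        return "IGNORE: already processed"
    order["status"] = "PAID" if params.get("status") == "SUCCESS" else "FAILED"
    return f"OK: {order['status']}"
```

The amount reconciliation is the check that survives a correct checksum implementation: if the attacker lowered the amount in the request that went to the gateway, the gateway will happily sign the lower amount, and only a comparison with what the server believes the order costs exposes it.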

Notification System:
1: Predictable Callback API.
2: Unencrypted HTTP APIs for SMS gateways.
3: HTTP calls to gateway vendors can return malicious content.
4: Predictable unsubscribe email link.
5: A forged bounce email (which is easy to produce) can mark an e-mail delivery as
failed.
6: Deletion of historical messages containing sensitive data.
7: Insecure storage of the passwords for the SMS / email gateways.
8: Bugs in the message delivery state machine; for example, a forged delivery report
moves a successfully delivered message to the failed state.
9: Forging a bounce email to increase the credit limit.
10: Spam emails used to flood and block email servers.
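Items 5, 8 and 9 come down to two controls: delivery state must only move forward, and an inbound bounce must prove it relates to a message the system really sent. The following is an added example, not code from the original article or from iViZ, of a monotonic delivery state machine plus a VERP-style bounce address whose tag is a keyed MAC over the message id; the state names, the bounce address layout and the signing key are assumptions made for the demonstration. The same keyed tag is what makes an unsubscribe link (item 4) unguessable.

```python
import hashlib
import hmac

# Delivery states and the transitions a report may cause. Terminal states have
# no outgoing edges, so a late or forged report cannot undo a delivery (item 8).
TRANSITIONS = {
    "QUEUED": {"SENT", "FAILED"},
    "SENT": {"DELIVERED", "BOUNCED"},
    "DELIVERED": set(),
    "BOUNCED": set(),
    "FAILED": set(),
}
# Hypothetical key for tagging bounce addresses; keep it out of source in practice.
BOUNCE_KEY = b"assumed-bounce-signing-key"
BOUNCE_DOMAIN = "example.com"


class Message:
    def __init__(self, msg_id):
        self.id = msg_id          # assumed: ids contain no '.', see bounce_address()
        self.state = "QUEUED"
        self.log = []             # (verdict, reported_state, source)

    def report(self, new_state, source):
        """Apply a delivery report; True if the transition was legal."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            self.log.append(("rejected", new_state, source))
            return False
        self.state = new_state
        self.log.append(("accepted", new_state, source))
        return True


def _tag(msg_id):
    # 64-bit truncated HMAC-SHA256: enough that a bounce tag cannot be guessed offline.
    return hmac.new(BOUNCE_KEY, msg_id.encode(), hashlib.sha256).hexdigest()[:16]


def bounce_address(msg_id):
    """Return-Path for one outbound message (items 5, 9): a bounce is only
    believed if it comes back to an address only we could have generated."""
    return f"bounce+{msg_id}.{_tag(msg_id)}@{BOUNCE_DOMAIN}"


def parse_bounce_address(addr):
    """Return the message id if the tag authenticates, else None."""
    local, _, domain = addr.rpartition("@")
    if domain != BOUNCE_DOMAIN or not local.startswith("bounce+"):
        return None
    msg_id, sep, tag = local[len("bounce+"):].rpartition(".")
    if not sep or not msg_id:
        return None
    return msg_id if hmac.compare_digest(_tag(msg_id).encode(), tag.encode()) else None


def handle_bounce(messages, recipient_addr):
    """Process an inbound bounce addressed to one of our tagged addresses."""
    msg_id = parse_bounce_address(recipient_addr)
    if msg_id is None or msg_id not in messages:
        return False
    return messages[msg_id].report("BOUNCED", "bounce")
```

Anything that depends on bounce counts, such as the per-customer credit in item 9, should read the state machine rather than the raw bounce mailbox, so that an unauthenticated or duplicated bounce changes nothing.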

Bypass Captcha Implementation:
1. Captcha value is bound to the session, and not the parameters that need to be
protected.
2. Validation is not performed in absence of captcha parameter.
3. Reusable captcha value.
4. Only length or presence of captcha parameter being validated but not the actual
value.
5. Changing user agent bypasses captcha validation.
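The five captcha bypasses above are all properties of the verification step, not of the image. The following is an added example, not code from the original article or from iViZ, of a server-side challenge store whose verify() is bound to both session and protected action, fails closed on a missing parameter, is single use, compares the whole answer, and never consults request headers. Challenge ids, the 120-second lifetime and the signup handler are assumptions; rendering the answer into an image is out of scope here.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side record of issued challenges. `now` is injectable for tests."""

    def __init__(self, ttl_seconds=120, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._pending = {}   # challenge_id -> (session_id, action, answer, expires_at)

    def issue(self, session_id, action, answer):
        """Register a challenge for one session and one protected action.
        `answer` is the text that gets rendered into the image (not shown)."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (session_id, action, answer.strip().lower(),
                                       self._now() + self._ttl)
        return challenge_id

    def verify(self, session_id, action, challenge_id, answer):
        """Single use: the record is removed before checking, so a correct
        answer cannot be replayed (item 3). Fails closed when the parameter
        is absent (item 2), compares the full value in constant time rather
        than its length (item 4), and is bound to session and action (item 1).
        Nothing here reads User-Agent or any other header (item 5)."""
        record = self._pending.pop(challenge_id, None) if challenge_id else None
        if record is None or answer is None:
            return False
        sess, act, expected, expires_at = record
        if self._now() > expires_at or sess != session_id or act != action:
            return False
        return hmac.compare_digest(expected.encode(), answer.strip().lower().encode())


def handle_signup(store, session_id, form):
    """Request handler: the captcha check is the first thing that runs and the
    only path to 'created' goes through it."""
    if not store.verify(session_id, "signup", form.get("captcha_id"), form.get("captcha")):
        return 403, "captcha failed"
    return 201, "created"
```

Binding to the action matters as much as binding to the session: a challenge solved for a harmless form must not be reusable on the one the captcha actually protects.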




Bypassing CSRF Protection:
1. Non validated tokens.
2. Only token length validated.
3. Partial token validation with not enough entropy.
4. Token reuse.
5. Cross user session token can be used.
6. Weak / predictable tokens.
7. Email hash used as token.
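A tester can turn the list above into a repeatable check. The following is an added example, not code from the original article or from iViZ: a probe that runs the listed bypasses against any issue/verify pair, shown here against a constructed weak implementation (MD5 of the e-mail address, validated by length only) and a hardened one (random per-session token, full constant-time compare). Both implementations and the two sample sessions are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


# --- Constructed weak implementation: items 2, 6 and 7 in one place. ---
def weak_issue(session):
    """Token is the MD5 of the account e-mail: anyone who knows the address can derive it."""
    return hashlib.md5(session["email"].encode()).hexdigest()


def weak_verify(session, token):
    """Only checks that something 32 characters long arrived."""
    return isinstance(token, str) and len(token) == 32


# --- Hardened: random per-session token stored server side, compared in full. ---
def strong_issue(session):
    session["csrf"] = secrets.token_hex(32)   # 256 bits from the OS CSPRNG
    return session["csrf"]


def strong_verify(session, token):
    expected = session.get("csrf")
    if not expected or not isinstance(token, str):
        return False
    return hmac.compare_digest(expected.encode(), token.encode())


def probe(issue, verify):
    """Run the listed bypasses against an issue/verify pair and return the
    names of the ones that succeed. Two constructed sessions stand in for two
    logged-in users."""
    alice = {"email": "alice@example.com"}
    bob = {"email": "bob@example.com"}
    ta, tb = issue(alice), issue(bob)
    half = len(ta) // 2
    findings = []
    if verify(alice, None) or verify(alice, ""):
        findings.append("missing token accepted")               # item 1
    if verify(alice, "x" * len(ta)):
        findings.append("length-only validation")               # item 2
    if verify(alice, ta[:half] + "x" * (len(ta) - half)):
        findings.append("partial token accepted")               # item 3
    if verify(alice, tb):
        findings.append("cross-session token accepted")         # item 5
    if issue({"email": alice["email"]}) == ta:
        findings.append("token derived from account data")      # items 6, 7
    if not verify(alice, ta):
        findings.append("legitimate token rejected")            # sanity check
    return findings
```

Item 4 (token reuse) is deliberately not probed: a per-session synchronizer token is reused across requests by design, and that is acceptable; only if the application claims per-request tokens does a probe that submits the same token twice belong in the list.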


File Management Logical Bugs:
1. Type of file uploaded is not limited to the types needed as per business rules.
2. Uploaded file type validation depends only on the HTTP Content-Type header value.
3. Uploaded file type validation depends only on the file extension.
4. Uploaded files are saved in the same web context as the application. Files should
either go to the content server or the database
5. Upload of a file possible that may be interpreted by the web server
6. Execution privilege is set on file upload directories
7. When referring to existing files, a whitelist of allowed file names and types is not
used.
8. Application is sending the absolute file path to the client.
9. Application files and resources are writable or executable.
10. User uploaded files are not scanned for viruses and malware
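Items 1 through 8 above are addressed together by one upload path: an allowlist of needed types, agreement between extension, declared Content-Type and the bytes actually uploaded, storage outside the web context under a server-chosen name with no execute bit, and an opaque id instead of a path. The following is an added example, not code from the original article or from iViZ; the three allowed types with their magic bytes, the size limit and the storage directory are assumptions made for the demonstration.

```python
import os
import secrets
import tempfile

# Allowlist derived from business need (item 1): extension -> (bytes the content
# must start with, Content-Type the client must declare). Items 2 and 3 are
# avoided because all three must agree, not any one of them.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".pdf": (b"%PDF-", "application/pdf"),
}
ALIASES = {".jpeg": ".jpg"}
MAX_BYTES = 5_000_000
# Assumed storage location: outside the web root, so nothing here is served or
# interpreted by the web server (items 4, 5, 6).
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "uploads-outside-webroot")


def validate_upload(filename, content_type, data):
    """Return (extension, "ok") or (None, reason)."""
    if not data or len(data) > MAX_BYTES:
        return None, "bad size"
    ext = os.path.splitext(os.path.basename(filename or ""))[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in ALLOWED:
        return None, "extension not allowed"
    magic, mime = ALLOWED[ext]
    if not data.startswith(magic):
        return None, "content does not match extension"
    if (content_type or "").split(";")[0].strip().lower() != mime:
        return None, "content-type mismatch"
    return ext, "ok"


def store_upload(filename, content_type, data):
    """Write under a random server-chosen name with mode 0600 (no execute
    bit) and return an opaque id; the client never sees a path (item 8).
    A malware scan (item 10) would run on `data` before the write."""
    ext, reason = validate_upload(filename, content_type, data)
    if ext is None:
        return None, reason
    os.makedirs(UPLOAD_DIR, mode=0o700, exist_ok=True)
    file_id = secrets.token_hex(16)
    fd = os.open(os.path.join(UPLOAD_DIR, file_id + ext),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return file_id, "stored"


def resolve(file_id):
    """Map an id back to a stored file by allowlisted lookup (item 7). The id
    must be 32 hex characters, so no client-supplied name or path fragment
    ever reaches the filesystem."""
    if len(file_id) != 32 or any(c not in "0123456789abcdef" for c in file_id):
        return None
    for ext in ALLOWED:
        path = os.path.join(UPLOAD_DIR, file_id + ext)
        if os.path.isfile(path):
            return path
    return None
```

The magic-byte check is not a substitute for the storage rules: a file can legitimately start with a PNG header and still carry script content further in, which is why it must land where the web server will never interpret it, under a name the uploader did not choose.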


About iViZ:

iViZ Security is the industry's first cloud-based penetration testing service for web
applications. Unlike scanners, which lack quality, and consultants, who are expensive,
iViZ delivers consultant-grade testing in a SaaS-based, cost-effective subscription
model. iViZ provides a "Zero False Positive Guarantee" and 100% coverage of all WASC
classes, including business logic testing, by leveraging its patent-pending "hybrid
approach" that integrates automation with manual testing by security experts.
For more information please visit: http://www.ivizsecurity.com/
