Web application security - the fast guide 1.1 | Page 129

Chapter 6 - Attack execution (2)

Attacking business logic is one of the methods used to compromise a web application. Discovering a logical flaw is a hard task because this kind of flaw has no specific signature, unlike other types of vulnerabilities, and it can be totally different from one application to another. An attacker can nevertheless try a set of possible vulnerabilities that might exist in the probed application.

1- Encrypt and disclose the key: Using the same encryption for two pieces of information, one visible and the other not. An example appears in the "remember me" functionality, where the developer uses the same encryption key for a cookie containing session ID information and for the so-called screen name (the user name shown on screen). The main problem in the logic is that the attacker can tamper with and replay what is encrypted and protected. This is not a problem of weak encryption but of using the same key with a value that is visible (the screen name), which makes it easy for the attacker to predict the key used and unlock the encryption of the session ID information.

2- Overloading dual privileges: Implementing an overloaded method for password change for administrators and normal users, selected by the presence of the old-password parameter, which gives the attacker the ability to supply a non-valid parameter list and be routed to the administrator's version.

3- Multistage manipulation: Sometimes the developer makes the bad assumption that the user will follow all steps of a multistage task in the right sequence, but this is not always the case: an attacker can manipulate the client to skip a specific stage, which can sometimes cause great damage. An example of this attack is manipulating the sequence parameter that holds the current stage of a multistage purchase task so as to obtain digital content without passing through the payment phase.

4- Overlapped checks: Another case is where the business logic does not consider out-of-band inputs for all methods related to the same input. An example is a banking web application containing a transfer method dedicated to performing the transfer and a pre-check method that restricts transfers of amounts higher than 10,000$ and routes such transfers for approval by a senior manager. The pre-check method only tests for a number higher than 10,000$, so the flaw was that even a negative number passes that test; the negative value then goes directly to the transfer method, which takes the absolute value of the number. If somebody tries to transfer (-900,0000$), the transfer is authorized with no senior manager review.

5- Bulk but for a while: A scenario where the attacker gets the benefit of a bulk-purchase discount and then purchases only one item is also a flaw, based on the assumption that the user will send the full list of purchased products after getting the discount.
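As an added example (not code from the book), the pre-check and transfer routine of item 4 written out in Python, with the flawed version beside a hardened one that validates the amount once, in one place, for every path. The account names and balances are constructed sample data.

```python
# Added example for the 'overlapped checks' flaw (item 4): a pre-check that only
# tests the upper bound, then a transfer routine that takes the absolute value.

APPROVAL_THRESHOLD = 10_000  # amounts above this need senior-manager approval


def precheck_flawed(amount: int) -> str:
    """Mirrors the book's pre-check: it only asks 'is it above 10,000?'.
    A negative amount is not above the threshold, so it is let through."""
    return "needs approval" if amount > APPROVAL_THRESHOLD else "ok"


def transfer_flawed(accounts: dict, src: str, dst: str, amount: int) -> str:
    status = precheck_flawed(amount)
    if status != "ok":
        return status
    amount = abs(amount)  # the transfer method 'takes the absolute value'
    accounts[src] -= amount
    accounts[dst] += amount
    return "transferred"


def precheck_hardened(amount: int) -> str:
    """One validation for every path: reject out-of-band values first,
    then apply the business rule to the now-trusted value."""
    if not isinstance(amount, int) or isinstance(amount, bool):
        return "rejected: amount must be an integer"
    if amount <= 0:
        return "rejected: amount must be positive"
    if amount > APPROVAL_THRESHOLD:
        return "needs approval"
    return "ok"


def transfer_hardened(accounts: dict, src: str, dst: str, amount: int) -> str:
    status = precheck_hardened(amount)
    if status != "ok":
        return status
    if accounts[src] < amount:
        return "rejected: insufficient funds"
    # No abs() here: the value has already been proven positive.
    accounts[src] -= amount
    accounts[dst] += amount
    return "transferred"


if __name__ == "__main__":
    ledger = {"alice": 1_000_000, "bob": 0}  # constructed sample balances
    print(transfer_flawed(dict(ledger), "alice", "bob", -900_000))    # transferred
    print(transfer_hardened(dict(ledger), "alice", "bob", -900_000))  # rejected
```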