Anatomy of business logic vulnerabilities
- 1. Anatomy of Business Logic Vulnerabilities
Bikash Barai, Co-Founder & CEO
Jan 2013 © iViZ Security Inc 0
- 2. About iViZ
• iViZ – Cloud based Application Penetration Testing
– Zero False Positive Guarantee
– Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers
• Gartner Hype Cycle – DAST and Application Security as a Service
- 4. Understanding Business Logic Vulnerability
• Business Logic Vulnerabilities are security flaws caused by flawed logic design, not by incorrect coding
• Number of Business Logic Vulnerabilities per application: 2 to 3 for critical apps
• Only 5 to 10% of total vulnerabilities
• Difficult to detect, but they have the highest impact
- 6. Increasing your Bank Balance
• Impact
– You can increase your bank balance just by transferring a negative amount to somebody else
• How does it work?
– No server side validation of the amount field
– Sometimes client side validations exist, but they can be bypassed by manipulating “data in transit” (using WebScarab, Burp Suite, Paros etc.)
• How to fix?
– Add server side validations to the workflow
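The negative-amount transfer and its server side fix, as an added example that is not part of the original deck or of any iViZ code. The ledger, account names and balances are constructed for the illustration; the point is that `transfer_hardened` enforces every rule about the amount field on the server, whatever the browser did.

```python
from decimal import Decimal, InvalidOperation


def make_ledger():
    """Constructed in-memory ledger for the example: account id -> balance."""
    return {"alice": Decimal("100.00"), "bob": Decimal("50.00")}


def transfer_vulnerable(ledger, src, dst, amount_str):
    """Trusts the submitted amount field: only client side checks exist, so a
    negative amount silently moves money from dst into src."""
    amount = Decimal(amount_str)
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger[src], ledger[dst]


class TransferError(ValueError):
    """Raised when a transfer request fails server side validation."""


def parse_amount(amount_str):
    """Server side validation of the amount field: it must parse as a decimal,
    be finite, be strictly positive and have at most two decimal places."""
    try:
        amount = Decimal(str(amount_str))
        if not amount.is_finite():
            raise TransferError("amount must be a finite number")
        # quantize() also traps absurdly large exponents such as 1e999
        if amount != amount.quantize(Decimal("0.01")):
            raise TransferError("amount has too many decimal places")
    except InvalidOperation:
        raise TransferError("amount is not a valid number") from None
    if amount <= 0:
        raise TransferError("amount must be greater than zero")
    return amount


def transfer_hardened(ledger, src, dst, amount_str):
    """Same transfer, but every rule is enforced on the server."""
    if src not in ledger or dst not in ledger:
        raise TransferError("unknown account")
    if src == dst:
        raise TransferError("source and destination must differ")
    amount = parse_amount(amount_str)
    if ledger[src] < amount:
        raise TransferError("insufficient funds")
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger[src], ledger[dst]


def attempt_transfer(ledger, src, dst, amount_str):
    """Wrapper returning ('ok', balances) or ('rejected', reason)."""
    try:
        return "ok", transfer_hardened(ledger, src, dst, amount_str)
    except TransferError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(transfer_vulnerable(make_ledger(), "alice", "bob", "-40.00"))
    for amount in ("-40.00", "0", "NaN", "1e999", "12.345", "abc", "40.00"):
        print(amount, attempt_transfer(make_ledger(), "alice", "bob", amount))
```

Amounts are handled as `Decimal` rather than `float` so that the two-decimal-place rule and the comparison against the balance are exact; a real service would additionally run the debit and credit inside one database transaction.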
- 7. Buying online for free!
• Impact
– Buy air tickets (or anything that you like) at whatever price you want!
• How does it work?
– The application does not validate the amount paid to the payment gateway. The attacker can simply request the “callback URL” to obtain payment success and product delivery.
• How to fix?
– Create a validation process between the application and the payment gateway to know the exact amount transferred
- 8. Stealing one time passwords
• Impact
– You can steal the One Time Password of another user without having access to their mobile, email etc.
• How does it work?
– The application sends the OTP to the browser for faster client side validation and a better user experience
• How to fix?
– Conduct server side validation. Do not send the OTP to the browser.
- 9. Have unlimited discounts
• Impact
– You can enjoy unlimited discount
• How does it work?
– Add 10 products to the cart and avail the standard (e.g. 10%) discount
– Remove 9 products from the cart afterwards; the application still retains the discount amount
• How to fix?
– Recalculate the discount whenever the cart changes
- 10. Get 100% discount with 10% discount Coupons
• Impact
– You can get 100% discount with a 20% discount coupon
• How does it work?
– Same coupon can be used multiple times during the same
transaction
• How to fix?
– Expire the coupon after the first use, not when the session ends
- 11. Hijacking others account
• Impact
– You can hijack anybody’s (use your imagination) account.
• How does it work?
– Weak password recovery process
– Choose the “Do not have access to registered email” option
– Brute force the answer to the secret question.
• How to fix?
– Create a stronger password recovery process
– Send recovery links only over email
- 12. DOS your competition
• Impact
– You can stop others from buying products
• How does it work?
– You start booking a product, which opens a session, but do not pay
– Open millions of such threads and never pay
– The application has no “expiry time” or other validation (of IP etc.)
• How to fix?
– Session Time-Out, Anti-Automation and limit the number of threads from a single IP (DDOS still possible)
- 14. How to detect?
• What helps?
– Threat Modeling and Attack Surface Analysis
– Break down the key processes into work-flows/flow charts to detect possible manipulations
– Penetration Testing with Business Logic Testing by Experts
– Design Review
• What does not help?
– Automated Testing with any tools (neither Static nor Dynamic)
– Testing conducted by a team with less expertise
– Standard Code review
- 15. How to prevent?
• Design the application/use case scenarios keeping Business Logic Vulnerability in mind
• Conduct Security Design Reviews
• Independent/Third Party Tests (within or outside the company)
• Comprehensive Pen Test with Business Logic Testing before the Application goes live
- 17. Top Free Online Resources
• Checklist for Business Logic Vuln: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
• OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
• WebScarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project
- 18. After 7 Sins..
Now be prepared for Karma!
- 19. How to be bankrupt in a day?
• Denial of Dollar Attack!
• The “Piratebay” founder proposed launching this attack on the law firm which fought against him
• Example working model:
– Send a 1 cent online transaction to the law firm's account. The bank deducts 1 Dollar as a transaction fee.
– Send millions of such “1 Cent transactions”
- 21. Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1