Business Logic Vulnerabilities: The issues we often miss

Transcript

1. Business Logic Vulnerabilities The issues we often miss...

2. ~whoami Associate Security Consultant at Payatu Synack Red Team member

   (Level 3) A noob Lifetime learner

3. I am not an expert, am a learner like you

   all Thoughts and views expressed in the talk are of my own and not necessarily of any organization. Disclaimer

4. Agenda Briefing Business Logics vulnerabilities How it starts? The Hidden

   Gems Sometimes its only about the flow... Do you only rely on client side controls? Targeting features in the application Moral of the story

5. Business Logic Vulnerabilities Every application out there has a purpose.

   With purpose, there is an associated business. To carry out business, the application works on some underlying logic. This logic can be abused to cause some unintended behavior. This is where business logic issues take birth.

6. How it starts? Finding purpose Understanding the application The heat

   is always at the core

7. Evey application out there is serving some purpose. Banking websites

   are serving the purpose of managing money, loans, digital funds, your cards, etc Applications like teams & slack are helping you communicate. If we look carefully, THERE IS PURPOSE EVERYWHERE, even in your life. Understanding the purpose of the application helps you understand the underlying business. This ultimately helps you understand the logic. Finding purpose

8. Don't start offensive... Get into the application as much as

   you can. Browse the application normally. Find purpose of every functionality. Be a GOOD USER FIRST. Understanding the application

9. The heat is always at the core Get into the

   depth of the application Understand every feature Browse through every functionality Learn the purpose of every page, button, feature etc. Study the flow of data. Observe the flow of requests. Get as much DEEP as you can.

10. Many applications have official documentation or help sections These are

    the hidden gems to get better understanding of the application. They also serve as proof for your claims. The Hidden Gems The Documentation

11. The myth: Users will always follow the flow decided by

    developers Analyse the flow of requests, many times you can break them. Look how the data flows from and through each of them. Sometimes its only about the flow.....

12. Scenario Time.. Banking Website Account registation Review information

13. Scenario Time.. Impact? Replaying POST request Information Updated Override verified

    details Crucial issue for banking application Attacker can update details at any point.

14. Do you rely on client side controls? Weak Client Side

    controls Many times restrictions are only on frontend The issues can sometimes be escalated to access controls too impacting the integrity. Try to change every bit of data which is restricted from frontend.

15. Scenario Time.. HR management portal Personal information page The information

    showed supervisor assigned to user Supervisor cannot be edited by user

16. Changed id in the request Supervisor changed Impact User can

    change his own supervisor. Impacting access control rules imposed.

17. One more.. Train ticket booking portal Ticket validity 7days or

    24 hrs (fixed) End of validity locked Can be changed via post request

18. Impact

19. One more... Banking website Had different types of account Some

    of them were only entitled for one way transaction When user tried to do a transaction using it, the application responded with - "You cannot transfer from this account"

20. POST request contained account numbers Changing them allowed the transfer

    Impact Allows user to transfer to/from restricted accounts.

21. Targeting features in application Many applications offer a wide range

    of features. When deeply looked into these features, there can be many test cases to abuse the functionality Some features show their full power when data is provided, try to populate this data. Read documentation related to the feature. Try to become a good user of the application

22. Scenario Time.. Patient Management Portal Collects personal and medical data

    Asks consent of the user to share data Does not allow user to proceed further without signing it Once signed it cannot be revoked and signature can be seen in consent tab.

23. Signature was sent like this Consent was revoked when the

    same endpoint was hit with empty body Impact User can revoke the consent given. Impact business logic implemented

24. One more... #1463028 Doc management platform Admin can delete any

    doc Users cannot view/download after the doc gets deleted User creates shortcut of the doc and adds it to a folder User can download the folder as zip. The deleted file also gets downloaded

25. Moral of the story

26. To security researchers Dig deeper as much as you can

    Be a good user of the application first Understand each and every feature Read the documentation Last but not least, THINK DIFFERENT

27. To developers Never assume that the user will follow the

    normal flow Apply check on server side too Make sure that the application logic goes parallel to the one mentioned in the documentation Sometimes get in the shoes of the attacker too.

28. Connect with me https://www.linkedin.com/in/prateek-thakare/ https://twitter.com/thakare_prateek Linkedin Twitter

29. Any questions?

30. None