Vulnerability Category: NA
Vulnerability Description: Most security problems are weaknesses in an application that result from a broken or missing security control (authentication, access control, input validation, etc.). By contrast, business logic vulnerabilities use the legitimate processing flow of an application in a way that has a negative consequence for the organization. For example, business rules such as:
● Purchase orders are not processed before midnight
● Written authorization is not on file before web access is granted
● Transactions in excess of $2000 are not reviewed by a person
Impact: Business logic flaws are often the most critical in terms of consequences, because they are deeply tied to the company's processes.
Recommendation:
● Use detailed and thorough requirements, for both functionality and security.
● During development, the design of the application should be reviewed.
● Include audit trails, and log everything.
● If the application is web-based, let the server control the application's logic instead of the client, since an attacker cannot bypass server-side logic as easily.
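The following is an added example, not code from the original post, of what "let the server control the logic" and "log everything" look like in a checkout handler. The client sends only SKUs and quantities; price, currency and total are recomputed from a server-side catalog, any client-supplied price or currency field is ignored and recorded in the audit log, and quantities are checked as positive whole numbers. The catalog, SKUs, prices and the per-line limit are constructed for this example.

```python
"""Server-side pricing: the server, not the client, decides price, currency
and total, and every decision is written to an audit log."""
import logging
from decimal import Decimal

# Constructed server-side catalog: the only source of truth for prices (all USD).
CATALOG = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("249.00"),
}
SERVER_CURRENCY = "USD"
MAX_QTY_PER_LINE = 100            # assumed business limit for this example
CLIENT_FIELDS_ALLOWED = {"items"}  # everything else in the request is ignored

audit = logging.getLogger("checkout.audit")


class CheckoutError(ValueError):
    """Raised when a request violates a server-side business rule."""


def validate_quantity(raw) -> int:
    """Quantity must be a positive whole number within the per-line limit.
    Rejects 0, negatives, floats such as 0.01, numeric strings and booleans."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise CheckoutError(f"quantity must be an integer, got {raw!r}")
    if raw < 1 or raw > MAX_QTY_PER_LINE:
        raise CheckoutError(f"quantity {raw} outside 1..{MAX_QTY_PER_LINE}")
    return raw


def price_order(request: dict, user_id: str) -> dict:
    """Recompute the order total from the catalog.

    `request` is the decoded JSON body, for example
    {"items": [{"sku": "sku-100", "qty": 2}], "price": 0.01, "currency": "INR"}
    The "price" and "currency" keys are client-controlled and never used."""
    ignored = sorted(k for k in request if k not in CLIENT_FIELDS_ALLOWED)
    if ignored:
        # Unexpected fields are a signal worth keeping in the audit trail.
        audit.warning("user=%s sent ignored fields %s", user_id, ignored)

    items = request.get("items")
    if not isinstance(items, list) or not items:
        raise CheckoutError("order must contain at least one item")

    total = Decimal("0")
    lines = []
    for item in items:
        if not isinstance(item, dict):
            raise CheckoutError("each item must be an object")
        sku = item.get("sku")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        qty = validate_quantity(item.get("qty"))
        unit_price = CATALOG[sku]          # server price, whatever the client sent
        line_total = unit_price * qty
        lines.append({"sku": sku, "qty": qty, "unit_price": unit_price,
                      "line_total": line_total})
        total += line_total

    audit.info("user=%s priced order total=%s %s lines=%d",
               user_id, total, SERVER_CURRENCY, len(lines))
    return {"currency": SERVER_CURRENCY, "total": total, "lines": lines}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s %(message)s")
    # Constructed tampered request: client-side price and currency are ignored.
    tampered = {"items": [{"sku": "sku-200", "qty": 1}],
                "price": 0.01, "currency": "INR"}
    print(price_order(tampered, "user-42"))
```

Because the request's price and currency never reach the arithmetic, the price, currency and quantity manipulation checks listed under "How to Test" below have nothing to act on; the warning line in the audit log is also what a detection rule would alert on.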
Severity: Critical
CVSS v3.0 Score: 9.9
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
How to Test:
1) Check for time-of-check to time-of-use (TOCTOU) and race condition issues
● Try to fire the same transaction request in the web application several times at the same time
● Open the checkout page twice, once with a low-priced item and once with a high-priced item in the cart, then complete the transaction from the low-priced page and check whether the high-priced item is also included in it
● Try to change the order after payment has completed
2) Parameter Manipulation
● Price Manipulation
● Currency manipulation (if the price is in USD/EUR, try changing it to INR)
● Quantity manipulation (by providing decimal values such as 0.01)
● Response Manipulation
● Replay attacks
3) Hidden and insecure backend APIs
4) Use of test data in the production environment
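As an added example (not code from the original post), here is a toy checkout that closes the windows the race-condition tests in step 1 look for: the stock check and its decrement happen under one lock, so there is no gap between check and use; a payment request replayed with the same idempotency key is answered from the stored result instead of being charged again; the total comes from the server-side cart snapshot rather than from whichever page the client has open; and a PAID order refuses further edits. The inventory, prices, order IDs and the idempotency key are constructed for this example, and `simulate_double_submit` fires the same payment from several threads at once to show that only one charge happens.

```python
"""Checkout state machine hardened against double submission and post-payment edits."""
import threading
from decimal import Decimal


class OrderError(RuntimeError):
    """A request that the order's current state does not allow."""


class Inventory:
    def __init__(self, stock: dict):
        self._stock = dict(stock)
        self._lock = threading.Lock()

    def reserve_all(self, lines: dict) -> None:
        # Check every line and decrement all of them while holding the lock, so no
        # other request can consume the stock between the check and the decrement.
        with self._lock:
            for sku, qty in lines.items():
                if self._stock.get(sku, 0) < qty:
                    raise OrderError(f"insufficient stock for {sku}")
            for sku, qty in lines.items():
                self._stock[sku] -= qty

    def available(self, sku: str) -> int:
        with self._lock:
            return self._stock.get(sku, 0)


class Order:
    def __init__(self, order_id: str, lines: dict):
        self.order_id = order_id
        self.lines = dict(lines)       # server-side cart snapshot: sku -> qty
        self.status = "CART"           # CART -> PAID, never back
        self.paid_total = None
        self.results_by_key = {}       # idempotency key -> stored response
        self.lock = threading.Lock()


class Checkout:
    def __init__(self, inventory: Inventory, prices: dict):
        self.inventory = inventory
        self.prices = prices           # server prices, never taken from the request
        self.charges = []              # what was actually sent to the payment provider

    def pay(self, order: Order, idempotency_key: str) -> dict:
        with order.lock:
            if idempotency_key in order.results_by_key:
                # Replayed or double-submitted request: same answer, no second charge.
                return order.results_by_key[idempotency_key]
            if order.status != "CART":
                raise OrderError(f"order {order.order_id} is {order.status}; cannot pay again")
            # Total from the server snapshot, not from anything the client sent.
            total = sum(self.prices[sku] * qty for sku, qty in order.lines.items())
            self.inventory.reserve_all(order.lines)   # raises before any state changes
            self.charges.append((order.order_id, total))
            order.status = "PAID"
            order.paid_total = total
            result = {"order": order.order_id, "charged": str(total)}
            order.results_by_key[idempotency_key] = result
            return result

    def update_line(self, order: Order, sku: str, qty: int) -> None:
        with order.lock:
            if order.status != "CART":
                raise OrderError("order already paid; changes need a new order")
            order.lines[sku] = qty


def simulate_double_submit(n_clicks: int = 8) -> dict:
    """Constructed scenario: one order for the last unit in stock, with the pay
    request fired n_clicks times concurrently under the same idempotency key."""
    inventory = Inventory({"sku-200": 1})
    checkout = Checkout(inventory, {"sku-200": Decimal("249.00")})
    order = Order("ord-1", {"sku-200": 1})
    responses = []

    def click():
        responses.append(checkout.pay(order, "idem-key-1")["charged"])

    threads = [threading.Thread(target=click) for _ in range(n_clicks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "responses": len(responses),              # every click gets an answer
        "distinct_responses": len(set(responses)),  # ... and it is the same answer
        "charges": len(checkout.charges),         # but the card is charged once
        "stock_left": inventory.available("sku-200"),
        "status": order.status,
    }


if __name__ == "__main__":
    print(simulate_double_submit())
```

In a real deployment the order lock and the stock check-and-decrement would be a database transaction with row locks or a conditional update (for example `UPDATE ... WHERE stock >= qty`), and the idempotency key would be stored with the order; the structure is the same. The `charges` list is what an audit trail would record, and a count higher than one per order is the detection signal for this class of bug.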
Tools to Use:
- Burp Suite (Proxy and Repeater tabs)
Note: If I wrote any mistakes in my posts, please notify me; I will rectify them and learn more about it.