Editor's note: This is the first article in a six-part series by Chetan Conikee. We will publish the series in its entirety within the next few days. To be notified when a new article in the series is published, "Join" the community in the bottom right-hand corner of this page. By joining our community, you'll receive a free download of "Epic Failures in DevSecOps", including Chetan's chapter, "Strategic Asymmetry – Leveling the Playing Field between Defenders and Adversaries".
As technology standards have risen over the past decade, the complexity of software applications has increased exponentially. Unfortunately, the number of attacks launched against such applications has increased with it.
Attackers have reinvented their approach in order to find new vulnerabilities.
Vulnerabilities in applications can be classified into two broad categories.
The first category of vulnerabilities is caused by faulty input validation. This class of vulnerabilities arises when an application depends on user input to trigger its critical functionality and that input is handled without proper sanitization.
Cross-site scripting and SQL Injection are good examples of this first category.
The second category of vulnerabilities is referred to as business logic flaws. These result from faulty application logic. Consequently, a business logic flaw allows an attacker to misuse the application by circumventing its business rules. Such attacks are disguised as syntactically valid web requests that carry malicious intent to violate the intended application logic.
An automated security scanner works fine for detecting the first category of vulnerabilities, which share common characteristics across different applications. However, it falters when it comes to detecting faulty-logic vulnerabilities, because it is not programmed to understand the business domain workflow, the programmer's logic, or the ways in which that logic can be tampered with or bypassed.
Let us guide this narrative with a simple example.
An e-commerce merchant, YYY.com, sells electronic merchandise to consumers worldwide. The typical checkout process during fulfillment includes the following steps in sequence:
An attacker who carefully tracks the request and response through each of these stages can prepare a currency attack on this merchant.
At step (3), the attacker manipulates a currency-related parameter in the POST request (within the HTTP header) and changes the currency type from `EU Pounds` to `US Dollars`. As a result, the attacker exploits this logic flaw by paying less for the order.
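The step (3) flaw in code, as an added example that is not part of the article: a checkout handler that trusts the client's currency parameter, the hardened version that takes the currency from the server-side cart and rejects a mismatch, and a detection pass over checkout request records. The cart, request and exchange-rate values are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed conversion rates to US Dollars, used only to quantify the merchant's loss.
RATES_TO_USD = {"EU Pounds": Decimal("1.25"), "US Dollars": Decimal("1.00")}


@dataclass(frozen=True)
class Cart:
    order_id: str
    currency: str   # fixed server-side when the cart was priced, before step (3)
    total: Decimal  # amount expressed in `currency`


class CurrencyMismatch(Exception):
    """Client tried to change the currency after the order was priced."""


def charge_vulnerable(cart: Cart, form: dict) -> tuple[str, Decimal]:
    """Step (3) handler that trusts the client's currency parameter: the numeric
    total is kept while the label is swapped, so an order priced in EU Pounds
    settles as the same number of US Dollars."""
    return form.get("currency", cart.currency), cart.total


def charge_hardened(cart: Cart, form: dict) -> tuple[str, Decimal]:
    """Take the currency from the server-side cart and reject any client mismatch."""
    submitted = form.get("currency")
    if submitted is not None and submitted != cart.currency:
        raise CurrencyMismatch(
            f"order {cart.order_id}: client sent {submitted!r}, cart is {cart.currency!r}")
    return cart.currency, cart.total


def in_usd(currency: str, amount: Decimal) -> Decimal:
    return amount * RATES_TO_USD[currency]


def find_tampered_orders(requests: list[dict], carts: dict[str, Cart]) -> list[str]:
    """Detection over checkout request records: ids of orders whose submitted
    currency differs from the currency they were priced in."""
    return [r["order_id"] for r in requests
            if r["currency"] != carts[r["order_id"]].currency]


# Constructed sample data: one tampered checkout (A100) and one legitimate one (A101).
CARTS = {"A100": Cart("A100", "EU Pounds", Decimal("100.00")),
         "A101": Cart("A101", "EU Pounds", Decimal("40.00"))}
REQUESTS = [{"order_id": "A100", "currency": "US Dollars"},
            {"order_id": "A101", "currency": "EU Pounds"}]
```

Running `find_tampered_orders(REQUESTS, CARTS)` over stored checkout requests is the retrospective check; `charge_hardened` is the preventive one.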
Is there a human-assisted expert system available to check your specific application, belonging to a specific business domain, for design flaws that can be exploited?
Yes, such a system does exist. In the series finale I will reveal how this expert system can be utilized to identify such flaws.
Until then, on to my next installment in this series.