
Discovering Business Logic Flaws - Act 1

Mar 15, 2019 12:10:51 PM By Chetan Conikee

Editor's note: This is the first article in a six-part series by Chetan Conikee. We will publish the series in its entirety within the next few days. To be notified when a new article in the series is published, "Join" the community in the bottom right-hand corner of this page. By joining our community, you'll receive a free download of "Epic Failures in DevSecOps", including Chetan's chapter, "Strategic Asymmetry – Leveling the Playing Field between Defenders and Adversaries".

Act 1 — What is a business logic flaw?

As technology has advanced over the past decade, the complexity of software applications has grown enormously. Unfortunately, the number of attacks launched against such applications has grown with it.

Attackers have adapted their approach to find new classes of vulnerabilities.

Vulnerabilities in applications can be classified into two broad categories:

  1. Those that have common characteristics across different applications
  2. Those that are specific to an application and business domain.

The first category of vulnerabilities is caused by faulty input validation. It arises when an application depends on user input to trigger its critical functionality and handles that input without proper validation or sanitization.

Cross-site scripting and SQL Injection are good examples of this first category.

The second category of vulnerabilities is referred to as business logic flaws. These result from faulty application logic rather than faulty input handling. A business logic flaw allows an attacker to misuse the application by circumventing its business rules. Such attacks are disguised as syntactically valid web requests, so they pass input validation, yet they are crafted to violate the intended application logic.

An automated security scanner works well for detecting the first category of vulnerabilities, because they share common characteristics across different applications. It falters when it comes to detecting faulty-logic vulnerabilities, because it is not programmed to understand the business domain workflow, the programmer's intent, or the ways in which that logic can be tampered with or bypassed.

An Example

Let us guide this narrative with a simple example.

[Image 01]

An e-commerce merchant, YYY.com, sells electronic merchandise to consumers worldwide. The typical checkout process during fulfillment includes the following steps in sequence:

  1. User picks one or more items and adds to basket
  2. User then heads to order page to initiate purchase
  3. User pushes purchase or checkout button
  4. Merchant YYY.com sends order and customer information to its partner payments processor (for authorization and capture)
  5. Payments processor returns transaction-id back to Merchant YYY.com
  6. Merchant YYY.com displays confirmation details on fulfillment page to consumer

An attacker who carefully tracks the request and response through each of these stages can prepare a currency attack on this merchant.

At step (3), the attacker modifies the currency parameter in the checkout POST request, changing it from `GBP` (pounds sterling) to `USD` while leaving the amount untouched. The request is still syntactically valid, so input validation does not catch it. Because the merchant forwards the client-supplied currency to the payment processor at step (4) instead of deriving it from its own price list, the order is authorized for the same number of units in the cheaper currency, and the attacker pays less than the listed price.
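The following is an added example, not code from the article or from any merchant: a checkout handler that forwards the client's currency and amount to the processor (the flaw above) next to one that recomputes the total from a server-side catalog and verifies the processor's authorization before fulfilling. The catalog, the request shapes and the processor stub are all constructed for illustration.

```python
"""Added example: trusting client-supplied currency/amount vs. deriving them server-side.
All names, prices and the processor stub are constructed; they belong to no real merchant."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed catalog: the merchant's own price list, in minor units (pence), priced in GBP.
CATALOG = {
    "HDMI-CABLE": {"price_minor": 1299, "currency": "GBP"},
    "USB-HUB": {"price_minor": 2499, "currency": "GBP"},
}


@dataclass
class ProcessorStub:
    """Stand-in for the payment processor (steps 4 and 5): records each authorization
    and returns a transaction-id plus the amount and currency it actually authorized."""
    charges: list = field(default_factory=list)

    def authorize(self, amount_minor: int, currency: str) -> dict:
        auth = {"transaction_id": f"txn-{len(self.charges) + 1}",
                "amount_minor": amount_minor, "currency": currency}
        self.charges.append(auth)
        return auth


def checkout_vulnerable(form: dict, processor: ProcessorStub) -> dict:
    """Step 3/4 as the flawed merchant does it: amount and currency are read straight
    from the POST body, so currency=GBP -> currency=USD charges the same number
    of units in the cheaper currency. Kept deliberately vulnerable."""
    return processor.authorize(int(form["amount_minor"]), form["currency"])


def server_total(cart: dict) -> tuple[int, str]:
    """Recompute the order total from the server-side catalog only.
    The cart is {sku: quantity}; unknown SKUs raise KeyError, which is the right failure."""
    total, currencies = 0, set()
    for sku, qty in cart.items():
        if qty <= 0:
            raise ValueError(f"invalid quantity for {sku}")
        item = CATALOG[sku]
        total += item["price_minor"] * qty
        currencies.add(item["currency"])
    if len(currencies) != 1:
        raise ValueError("mixed-currency cart")
    return total, currencies.pop()


def verify_authorization(expected_amount: int, expected_currency: str, auth: dict) -> bool:
    """Step 5 check: a transaction-id alone proves nothing; the authorization must
    match the order's amount and currency before the merchant fulfils (step 6)."""
    return (auth["amount_minor"], auth["currency"]) == (expected_amount, expected_currency)


def checkout_hardened(cart: dict, form: dict, processor: ProcessorStub) -> dict:
    """The fix: client-supplied amount/currency fields in `form` are ignored entirely.
    The merchant charges what its own catalog says and verifies the processor's answer."""
    expected_amount, expected_currency = server_total(cart)
    auth = processor.authorize(expected_amount, expected_currency)
    if not verify_authorization(expected_amount, expected_currency, auth):
        raise RuntimeError("authorization does not match order; refusing to fulfil")
    return auth


if __name__ == "__main__":
    proc = ProcessorStub()
    cart = {"HDMI-CABLE": 1, "USB-HUB": 2}          # 1299 + 2 * 2499 = 6297 pence
    tampered = {"amount_minor": "6297", "currency": "USD"}   # constructed tampered POST body
    print("vulnerable:", checkout_vulnerable(tampered, proc))   # authorized in USD
    print("hardened:  ", checkout_hardened(cart, tampered, proc))  # authorized in GBP
```

The key design point is that nothing in the hardened path reads price or currency from the request; the cart identifies what is being bought, and the server decides what it costs. The step-5 check matters in real integrations where the authorization result arrives via a redirect or webhook the client can also influence.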

[Image 02]

How can such flaws be avoided?

Is there a human-assisted expert system that can check your specific application, in its specific business domain, for design flaws that can be exploited?

Yes, such a system does exist. At the series finale I will reveal how this expert system can be utilized to identify such flaws.

Until then, onto my next installment in this series.