A business logic vulnerability is a flaw in the design or implementation of an application's logic that lets an attacker use a legitimate function to achieve a malicious goal.

This usually happens by passing unexpected values into server-side logic. These vulnerabilities are specific to the application's own rules and can be extremely diverse, which makes them difficult to detect with automated scanners.

  • ❔ How do business logic vulnerabilities arise? -> The development team fails to validate input properly and makes flawed assumptions about how users will interact with the application.

Logic flaws are common in overly complicated systems that even the development team does not fully understand. In a large code base, for example, a developer may not have an intimate understanding of how all areas of the application work, and so makes flawed assumptions about what other components check or guarantee.

❔ What is the impact? Logic flaws are a broad category, so the impact is highly variable and depends on which functionality the flaw is related to.

When auditing an application, use tools such as Burp Proxy and Repeater to submit unconventional values. In particular, try input in ranges that legitimate users are unlikely to ever enter: exceptionally high or exceptionally low numeric values, abnormally long strings in text-based fields, and unexpected data types. By observing the application's response, try to answer the following questions:

Are there any limits that are imposed on the data? What happens when you reach those limits? Is any transformation or normalization being performed on your input?
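The probing described above, as an added example that is not code from the PortSwigger material or from any real application. Both handlers are constructed stand-ins for server-side logic: flawed_checkout trusts whatever quantity it is given and keeps the total in a simulated 32-bit signed integer (an assumption chosen to show what happens at a limit), while hardened_checkout enforces explicit type and range limits. The probe harness submits the kinds of values the text recommends (zero, negative, huge, wrong type, missing) and records what comes back, so the two behaviours can be compared side by side.

```python
"""Probe a purchase handler with out-of-range and wrong-type quantities.

Added example, not code from the PortSwigger material or any real application.
The catalogue, prices and the int32 storage are constructed assumptions.
"""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
MAX_QTY = 99                      # assumed business limit for a single order line
CATALOGUE = {"jacket": 133_700}   # constructed sample data: item -> price in cents


def wrap_int32(n: int) -> int:
    """Store n the way a 32-bit signed integer would (simulated server behaviour)."""
    return (n + 2**31) % 2**32 - 2**31


def flawed_checkout(item_id: str, quantity) -> dict:
    """Flawed: no type or range check, so negative and huge quantities go straight
    into the total, and a large enough total wraps around to a negative number."""
    price = CATALOGUE[item_id]
    qty = int(quantity)                      # happily accepts "10", True, -1, ...
    return {"status": 200, "total_cents": wrap_int32(price * qty)}


def hardened_checkout(item_id: str, quantity) -> dict:
    """Hardened: validate type and range before any arithmetic, and bound the total."""
    if item_id not in CATALOGUE:
        return {"status": 404, "error": "unknown item"}
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        return {"status": 400, "error": "quantity must be an integer"}
    if not 1 <= quantity <= MAX_QTY:
        return {"status": 400, "error": f"quantity must be between 1 and {MAX_QTY}"}
    total = CATALOGUE[item_id] * quantity
    if total > INT32_MAX:                    # unreachable with MAX_QTY; defence in depth
        return {"status": 400, "error": "order total exceeds limit"}
    return {"status": 200, "total_cents": total}


# Values a legitimate user would never send: zero, negative, exceptionally large,
# the smallest quantity that overflows the simulated int32, a numeric string, a
# string int() cannot parse, a boolean, and a missing (None) value.
PROBES = [
    ("baseline", 1),
    ("zero", 0),
    ("negative", -1),
    ("huge", 99_999),
    ("overflow_int32", INT32_MAX // CATALOGUE["jacket"] + 1),   # 16062 for this price
    ("numeric_string", "10"),
    ("exponent_string", "1e3"),
    ("boolean", True),
    ("missing", None),
]


def probe(handler, item_id: str = "jacket") -> dict:
    """Run every probe through a handler. An unhandled exception is recorded as a
    500, which is what the tester would see from the real application."""
    results = {}
    for label, value in PROBES:
        try:
            results[label] = handler(item_id, value)
        except Exception as exc:
            results[label] = {"status": 500, "error": type(exc).__name__}
    return results


if __name__ == "__main__":
    for name, handler in (("flawed", flawed_checkout), ("hardened", hardened_checkout)):
        print(f"== {name}")
        for label, outcome in probe(handler).items():
            print(f"  {label:16} -> {outcome}")
```

Run it and read the two tables against the questions in the text: the flawed handler has no limit at all (a quantity of -1 yields a negative total, and 16062 jackets wrap the int32 total to a large negative number), it silently normalises "10" and True into integers, and it throws on "1e3" and None. The hardened handler answers every probe except the baseline with a 400 and an explicit reason.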

Portswigger Logic Flaws

Examples of flawed assumptions about user behavior

  • First myth: once trustworthy, always trustworthy. Business rules and security measures must be applied consistently throughout the application; a check that passed at one point does not make later input trustworthy.
  • Users won't always supply mandatory input
    • When probing for logic flaws, remove each parameter in turn and observe what effect this has on the response.
    • Try both deleting only the value and deleting the name together with the value; the server may treat an empty parameter and an absent one differently.
  • Users won't always follow the intended sequence
    • To identify these kinds of flaws, submit requests in an unintended sequence. For example, skip certain steps, access a single step more than once, return to earlier steps, and so on.
    • Take note of how the different steps are accessed (URL, parameters, session state), since the server often relies on the client to enforce the order.
    • This kind of testing will often cause exceptions because variables a later step expects are null or uninitialized; such errors are themselves evidence that the server assumed the intended sequence.
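The two probing techniques above (removing mandatory parameters and submitting steps out of order), as one added example that is not code from the PortSwigger material or any real application. The endpoints are constructed toys with exactly the assumptions the text describes built in: flawed_change_password only verifies the current password when that parameter happens to be present, and flawed_checkout_flow lets a client reach "confirm" without ever visiting "payment". The variant generators produce the mutations the text recommends (blank a value, drop name and value; skip, repeat or return to a step), and run() records each outcome, treating an unhandled exception as the 500 the real server would return. The account name, passwords and step names are all made up for the example.

```python
"""Probe toy endpoints for missing-parameter and out-of-sequence handling.

Added example, not code from the PortSwigger material or any real application.
All accounts, passwords and checkout steps are constructed sample data.
"""
import hmac


def param_variants(params: dict):
    """For each parameter: first blank its value, then drop name and value entirely."""
    for name in params:
        blanked = dict(params)
        blanked[name] = ""
        yield f"blank:{name}", blanked
        yield f"drop:{name}", {k: v for k, v in params.items() if k != name}


def sequence_variants(steps: list):
    """Skip each step, repeat each step, and return to the first step before the last."""
    for i, step in enumerate(steps):
        yield f"skip:{step}", steps[:i] + steps[i + 1:]
        yield f"repeat:{step}", steps[:i + 1] + [step] + steps[i + 1:]
    yield "back_to_start", steps[:-1] + [steps[0], steps[-1]]


def run(handler, variants) -> dict:
    """Apply a handler to every variant; an unhandled exception becomes a recorded 500."""
    results = {}
    for label, variant in variants:
        try:
            results[label] = handler(variant)
        except Exception as exc:
            results[label] = {"status": 500, "error": type(exc).__name__}
    return results


def new_user_store() -> dict:
    return {"alice": {"password": "s3cret-pass"}}   # constructed sample account


def flawed_change_password(params: dict, users=None) -> dict:
    """Flaw: current_password is only checked if the client bothered to send it."""
    users = users if users is not None else new_user_store()
    user = users[params["username"]]                 # KeyError if username missing
    if "current_password" in params and params["current_password"] != user["password"]:
        return {"status": 403, "error": "wrong current password"}
    user["password"] = params["new_password"]        # KeyError if new_password missing
    return {"status": 200, "changed": True}


def hardened_change_password(params: dict, users=None) -> dict:
    """Hardened: every mandatory field must be a non-empty string, and the current
    password is always verified with a constant-time comparison."""
    users = users if users is not None else new_user_store()
    for field in ("username", "current_password", "new_password"):
        if not isinstance(params.get(field), str) or not params[field]:
            return {"status": 400, "error": f"{field} is required"}
    user = users.get(params["username"])
    if user is None or not hmac.compare_digest(params["current_password"].encode(),
                                               user["password"].encode()):
        return {"status": 403, "error": "wrong current password"}
    user["password"] = params["new_password"]
    return {"status": 200, "changed": True}


STEPS = ["cart", "shipping", "payment", "confirm"]   # constructed checkout flow


def flawed_checkout_flow(sequence: list) -> dict:
    """Flaw: 'confirm' checks that shipping ran but never that payment did."""
    done = set()
    for step in sequence:
        if step == "confirm":
            if "shipping" not in done:
                return {"status": 400, "error": "shipping details missing"}
            return {"status": 200, "order": "placed", "paid": "payment" in done}
        done.add(step)
    return {"status": 200, "order": "pending"}


def hardened_checkout_flow(sequence: list) -> dict:
    """Hardened: the server tracks progress itself. Revisiting an earlier step is
    allowed but resets everything after it; skipping ahead is rejected."""
    progress = 0                                     # index of the next expected step
    for step in sequence:
        if step in STEPS[:progress]:
            progress = STEPS.index(step) + 1
        elif progress < len(STEPS) and step == STEPS[progress]:
            progress += 1
        else:
            return {"status": 400, "error": f"expected {STEPS[progress]}, got {step}"}
        if step == "confirm":
            return {"status": 200, "order": "placed", "paid": True}
    return {"status": 200, "order": "pending"}


if __name__ == "__main__":
    base = {"username": "alice", "current_password": "s3cret-pass", "new_password": "n3w-pass"}
    for label, outcome in run(flawed_change_password, param_variants(base)).items():
        print(f"{label:24} -> {outcome}")
    for label, outcome in run(flawed_checkout_flow, sequence_variants(STEPS)).items():
        print(f"{label:24} -> {outcome}")
```

Reading the output the way the text suggests: dropping current_password against the flawed endpoint returns 200 (the finding), blanking it returns 403 (so empty and absent are treated differently), and dropping new_password produces the exception the text predicts. For the flow, "skip:payment" places an unpaid order with the flawed handler, while the hardened handler rejects it and only places an order when "confirm" is reached through "payment".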

How to Avoid Business Logic Flaws

-> -> Input Validation <- <-

Also:

  • Make sure developers and testers understand the domain that the application serves.
  • Avoid making implicit assumptions about user behavior or the behavior of other parts of the application.
  • Follow development best practice and note down any assumptions that are made at each stage of a data flow, so they can be checked rather than silently relied on.