Friday, March 2, 2018

Attack Execution-Business Logic


Attacking business logic is one of the ways to compromise a web application. Discovering a logic flaw is harder than finding most other vulnerabilities because this class of flaw has no fixed signature: it cannot be found by pattern matching, and it looks different from one application to the next. What an attacker can do is probe the application for a set of known logic-flaw patterns, such as the ones below.

1- Encrypt and disclose the key: Using the same encryption key and scheme for two pieces of information, one of which is visible and user-controlled while the other is not. An example is (remember me) functionality where the developer uses the same encryption key for the cookie that carries the user's identity or session ID information and for the screen name (the user name shown on screen), which the user can set and whose encrypted form is sent back to the browser.
The problem in the logic is that the attacker can tamper with and replay what is encrypted and protected. This is not a weak-encryption problem, and the key is never recovered: the flaw is that the attacker controls the plaintext of one value (the screen name) and receives its ciphertext, so the application acts as an encryption oracle. The attacker sets the screen name to the value the remember-me handler expects for another user, copies the resulting ciphertext into the remember-me cookie, and is logged in as that user.
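The oracle described above, as an added example that is not part of the original post. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES-CTR so that it runs with the standard library alone; the cookie names, the plaintext format "uid=<n>" and the purpose labels are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed example: one server-side master key reused for two unrelated cookies.
MASTER_KEY = os.urandom(32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns a URL-safe token: 8-byte nonce || plaintext XOR keystream."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return base64.urlsafe_b64encode(nonce + ct).decode()


def decrypt(key, token):
    raw = base64.urlsafe_b64decode(token)
    nonce, ct = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- vulnerable design: same key and same plaintext format for both cookies ---

def set_screen_name_vuln(name):
    """Value of the ScreenName cookie the app sets for a user-chosen display name."""
    return encrypt(MASTER_KEY, name.encode())


def remember_me_uid_vuln(cookie):
    """User id a RememberMe cookie resolves to, or None. Expects plaintext 'uid=<n>'."""
    data = decrypt(MASTER_KEY, cookie).decode(errors="replace")
    return int(data[4:]) if data.startswith("uid=") else None


def attack_vuln(target_uid=1):
    """The screen-name feature is an encryption oracle: encrypt the plaintext the
    RememberMe handler expects, then replay the ciphertext as that cookie."""
    oracle_ct = set_screen_name_vuln(f"uid={target_uid}")
    return remember_me_uid_vuln(oracle_ct)


# --- hardened design: a key per purpose and a purpose tag inside the plaintext ---

def _purpose_key(purpose):
    """Derives an independent key per cookie type from the master key."""
    return hmac.new(MASTER_KEY, b"cookie-key:" + purpose, hashlib.sha256).digest()


def set_screen_name_fixed(name):
    return encrypt(_purpose_key(b"screen-name"), b"screen-name:" + name.encode())


def issue_remember_me_fixed(uid):
    """How the server itself mints a RememberMe cookie after a real login."""
    return encrypt(_purpose_key(b"remember-me"), b"remember-me:uid=%d" % uid)


def remember_me_uid_fixed(cookie):
    data = decrypt(_purpose_key(b"remember-me"), cookie)
    prefix = b"remember-me:uid="
    return int(data[len(prefix):].decode(errors="replace")) if data.startswith(prefix) else None


def attack_fixed(target_uid=1):
    """Same attack against the hardened design: the ciphertext decrypts to noise
    under the remember-me key and carries no remember-me tag, so it is rejected."""
    oracle_ct = set_screen_name_fixed(f"uid={target_uid}")
    return remember_me_uid_fixed(oracle_ct)
```

Domain separation (a key per purpose plus a purpose tag in the plaintext) closes this oracle; a production design should additionally authenticate the token (an AEAD mode or an HMAC over the ciphertext), because a bare stream cipher is malleable regardless of how the key is chosen.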

2- Overloading dual privileges: Implementing one overloaded password-change function for both administrators and normal users, where the server decides which version to run based on whether the (old password) parameter is present, because the administrator's form does not include it. An attacker can then submit a request with an invalid parameter list that omits the old password and be routed to the administrator's version, which changes the password of any user without checking the current one.
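The dispatch flaw above, as an added example that is not from the original post: the vulnerable handler infers privilege from which parameters arrived, the hardened one takes it from the server-side session. The user table, the session shape and the parameter names are assumptions for the illustration; passwords are kept in plaintext only to keep the example short.

```python
def make_users():
    """Constructed sample user table (plaintext passwords purely for brevity)."""
    return {
        "alice": {"password": "alice-old", "role": "user"},
        "bob":   {"password": "bob-old",   "role": "user"},
        "root":  {"password": "root-old",  "role": "admin"},
    }


def change_password_vuln(users, session, params):
    """One handler serves both forms. The admin form has no old_password field,
    so the code treats a missing old_password as 'this must be the admin form'."""
    target = params.get("username", session["user"])
    if "old_password" not in params:           # FLAW: privilege inferred from parameter shape
        users[target]["password"] = params["new_password"]
        return True
    if users[session["user"]]["password"] != params["old_password"]:
        return False
    users[session["user"]]["password"] = params["new_password"]
    return True


def change_password_fixed(users, session, params):
    """Privilege comes from the authenticated session, never from the request shape."""
    actor = session["user"]
    is_admin = users[actor]["role"] == "admin"
    target = params.get("username", actor)
    if not is_admin:
        if target != actor:
            return False                       # normal users may only change their own password
        if users[actor]["password"] != params.get("old_password"):
            return False                       # and must prove knowledge of the current one
    users[target]["password"] = params["new_password"]
    return True
```

The point of the fixed version is that the same request, an ordinary user omitting old_password and naming another account, is rejected, while the administrator's request (identified by the session role) still works.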

3- Multistage manipulation: Sometimes the developer wrongly assumes that the user will follow all steps of a multistage task in the right sequence. An attacker can manipulate the client to skip a specific stage, which can sometimes cause great damage. An example is tampering with a sequence parameter that holds the current stage of a multistage purchase, in order to obtain digital content without passing through the payment stage.
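The stage-skipping flaw above, as an added example that is not from the original post. The stage names, the Order object and the payment stub are assumptions for the illustration; the vulnerable handler dispatches on the stage value the client sends, the hardened one keeps the current stage on the server and accepts only the next one.

```python
STAGES = ["cart", "address", "payment", "confirm"]


class Order:
    def __init__(self, item, price):
        self.item, self.price = item, price
        self.paid = False
        self.stage = "cart"            # server-side record of the last completed stage


def charge_card(card, amount):
    """Stand-in for a payment gateway; the constructed sample card always succeeds."""
    return card == "4111-1111-1111-1111"


def deliver(order):
    return f"download-link:{order.item}"


def handle_stage_vuln(order, stage, data):
    """Trusts the 'stage' value carried in a hidden field or query parameter."""
    if stage == "payment":
        order.paid = charge_card(data.get("card"), order.price)
    elif stage == "confirm":
        return deliver(order)          # FLAW: never checks that payment happened
    return None


def handle_stage_fixed(order, stage, data):
    """The server decides what the next stage is; the client may only submit that one."""
    done = STAGES.index(order.stage)
    expected = STAGES[done + 1] if done + 1 < len(STAGES) else None
    if stage != expected:
        raise PermissionError(f"order is at {order.stage!r}; expected {expected!r}, got {stage!r}")
    if stage == "payment":
        if not charge_card(data.get("card"), order.price):
            raise PermissionError("payment declined")
        order.paid = True
    if stage == "confirm" and not order.paid:
        raise PermissionError("unpaid order")   # belt and braces: the sequence check already prevents this
    order.stage = stage
    return deliver(order) if stage == "confirm" else None
```

Keeping the stage in server-side state (the Order here; a session or database row in practice) makes the sequence parameter purely informational, so rewriting it in the client buys the attacker nothing.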

4- Overlapped checks: Another case is where the business logic does not consider out-of-range input for every method that handles the same value. An example is a banking web application with a transfer method that performs the transfer and a pre-check method that routes any transfer above 10,000$ to a senior manager for approval. The pre-check only tests whether the number is greater than 10,000$, so a negative number passes it and goes straight to the transfer method, which takes the absolute value of the amount. If somebody tries to transfer -900,000$, a 900,000$ transfer is executed with no senior manager review.
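The negative-amount gap above, as an added example that is not from the original post. The account structure and the 10,000 threshold follow the description; the abs() in the transfer method and the validation rules in the fixed version are assumptions for the illustration. The fixed version validates the amount once, at the input boundary, so every later method sees an already-checked value.

```python
from decimal import Decimal, InvalidOperation

APPROVAL_THRESHOLD = Decimal("10000")


def needs_senior_approval(amount):
    """Pre-check as the page describes it: it only looks at the upper bound."""
    return amount > APPROVAL_THRESHOLD


def execute_transfer_vuln(account, amount):
    """Transfer method that 'normalizes' the amount with abs() instead of rejecting it."""
    amount = abs(amount)
    account["balance"] -= amount
    return amount


def transfer_vuln(account, raw_amount):
    amount = Decimal(raw_amount)
    if needs_senior_approval(amount):
        return "pending_senior_approval"
    return execute_transfer_vuln(account, amount)   # -900000 arrives here and becomes 900000


def transfer_fixed(account, raw_amount):
    """Reject anything that is not a positive, finite, two-decimal amount before
    either the approval check or the transfer sees it."""
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be a positive finite number")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount has more than two decimal places")
    if amount > account["balance"]:
        raise ValueError("insufficient funds")
    if amount > APPROVAL_THRESHOLD:
        return "pending_senior_approval"
    account["balance"] -= amount
    return amount
```

Decimal rather than float is deliberate: besides avoiding rounding surprises, it lets the boundary check reject "NaN" and "Infinity" explicitly, both of which would otherwise slip past a simple "greater than 10,000" comparison or blow it up.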

5- Bulk but for a while: A scenario where the attacker obtains a bulk-purchase discount and then buys only one item. The flaw rests on the assumption that the user will keep the full list of products in the order after the discount has been applied, rather than removing items before checkout.

6- Forgotten escape: This attack targets a sanitization method that is assumed to neutralize every dangerous character, except that the developer forgot to escape the escape character itself. On its own that omission is not a problem; the attacker exploits it by escaping the escape, which disables the sanitization. An example: the sanitizer prefixes a semicolon with a backslash, so the input ( whatever \;ls ) becomes ( whatever \\;ls ). The shell reads \\ as a literal backslash, which leaves the semicolon unescaped and reactivates its command-separator effect.
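The escape-the-escape case above, as an added example that is not from the original post. The two sanitizers are assumptions modelled on the description; shell_split is a deliberately simplified model of how a POSIX shell treats backslash and ';' (it ignores quoting and every other metacharacter) so that the effect can be shown offline.

```python
def sanitize_vuln(s):
    """Escapes ';' but forgets the escape character itself."""
    return s.replace(";", "\\;")


def sanitize_fixed(s):
    """Escape the backslash first, then the metacharacters, so a user-supplied
    backslash can never pair up with one the sanitizer adds."""
    return s.replace("\\", "\\\\").replace(";", "\\;")


def shell_split(cmdline):
    """Simplified shell model: backslash makes the next character literal and an
    unescaped ';' ends the current command. Constructed for this example only."""
    commands, current, i = [], "", 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline):
            current += cmdline[i + 1]        # escaped character is taken literally
            i += 2
            continue
        if c == ";":
            commands.append(current.strip())
            current = ""
        else:
            current += c
        i += 1
    commands.append(current.strip())
    return [cmd for cmd in commands if cmd]


def commands_run(sanitizer, user_input):
    """Builds 'echo <sanitized input>' and returns the commands the shell model runs."""
    return shell_split("echo " + sanitizer(user_input))


ATTACK = "whatever \\;ls"    # the page's payload:  whatever \;ls
```

With sanitize_vuln the command line becomes echo whatever \\;ls and the model runs two commands, the second being ls; with sanitize_fixed it becomes echo whatever \\\;ls and stays a single command. The more robust answer is to not go through a shell at all, for example subprocess.run with an argument list and shell=False, so that no sanitizer has to enumerate metacharacters.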

7- Defence+Defence=? : Sometimes the interaction of two defense mechanisms gives the attacker an opening. An example is doubling every single quotation mark to neutralize quotes as a defense against SQL injection, combined with a length limit that truncates input as a second mechanism to prevent unexpectedly large entries. The flaw is that the attacker uses the second mechanism to break the first.

If the user login query was:

Select * from users where username='user name' and password='password';

Now suppose the length limit is 128 characters and the attacker provides a user name of 127 x characters followed by a single quotation mark ( xxxxxxx….xxxx' ) and a password of ( or 1=1-- ). Escaping turns the quote into two quotes, giving 129 characters, and truncation drops the last one, so the resulting query is:

Select * from users where username='xxxx..xxx'' and password=' or 1=1--';

This breaks the login check: the extra quotation mark added by the first mechanism is removed by the second, so the attacker's single quote survives. The string literal now swallows the rest of the username clause and the start of the password clause, or 1=1 is evaluated outside the literal, and -- comments out the closing quote.
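The escape-then-truncate interaction above, run against a real SQL engine, as an added example that is not from the original post. It uses an in-memory SQLite database with one constructed row; the 128-character limit follows from the page's 127 x's plus the doubled quote, and the table layout and column names are assumptions for the illustration.

```python
import sqlite3

MAX_LEN = 128   # assumed limit: 127 x's plus the doubled quote overflow it by exactly one


def escape_quotes(s):
    """Defence 1: neutralize a quote by doubling it."""
    return s.replace("'", "''")


def truncate(s):
    """Defence 2: cap the length of each input."""
    return s[:MAX_LEN]


def build_login_query_vuln(username, password):
    """Escapes first, then truncates: truncation can remove the doubled quote."""
    u = truncate(escape_quotes(username))
    p = truncate(escape_quotes(password))
    return f"SELECT username FROM users WHERE username='{u}' AND password='{p}'"


def make_db():
    """Constructed sample database: one account, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vuln(conn, username, password):
    """Returns the username the query matched, or None."""
    row = conn.execute(build_login_query_vuln(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Length policy may stay, but the values are bound as parameters, never spliced into SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (truncate(username), truncate(password)),
    ).fetchone()
    return row[0] if row else None


ATTACK_USER = "x" * 127 + "'"     # 127 x's and a single quote
ATTACK_PASS = " or 1=1--"
```

Reordering the two defences (truncate first, then escape) would also close this particular hole, but it keeps the application in the business of building SQL from strings; parameter binding removes that class of bug altogether, and the length limit then serves only as a policy check.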

8- Race condition: In a race condition the vulnerability exists only for a short window of time. It is hard to detect and reproduce, but it can open the door wide if exploited. An example is a login function that mistakenly stores part of the session information in a static variable that is then used as the identifier in other functionalities. If two users log in at exactly the same time, there is a good chance that one of them is handed the other's identifier and can reach the functionality that relies on it as that other user.