Attacking business logic is one of the methods used to compromise a web
application noting that discovering a logical flaw is a hard task because this kind
of flaws does not have a specific signature as other types of vulnerabilities and it
can be totally different from one application to another but attacker can try a set
of possible vulnerabilities that might exist in the probed application.
1- Encrypt and disclose the key: Using the same encryption for two pair of
information one is visible and the other is not.
An example about that might appear in (remember me) functionality
where the developer implements the same encryption key for a cookie
containing session ID information and what is called screen name (the
user name shown on screen).
The main problem in the logic is that the attacker can tamper and replay
what is encrypted and protected. This actually is not the problem of weak
encryption but the usage of the same key with value that is visible (the
screen name) which makes it easy for attacker to predict the used key and
unlock the encryption of the Session ID information.
2- Overloading dual privileges: Implementing an overloaded method for
password change for administrators and normal users depending on the
existence of the (old password parameter) which gives the attacker the
ability to use non valid parameter list to be routed to administrator’s
version.
3- Multistage manipulation: Sometimes the developer makes a bad
assumption that user will follow all steps in a multistage task in the right
sequence but this is not always the case as an attacker can manipulate the
client to avoid passing through a specific stage which will cause
sometimes a great damage.an example about this attack is manipulating a
sequence parameter that hold the current stage in purchasing multistage
task to purchase a digital content without passing in payment phase.
4- Overlapped checks: Another case is the case where the business logic
does not consider out of band inputs for all methods related to same
input. an example is a banking web application containing transfer
method dedicated to do the transfer and a pre-check method to restrict
transfers for amounts higher than (10,000$) and route such transfers to
be approved by senior manager. The pre-checked method considers only
the check for a number higher than 10,000$ so the flaw was that even a
negative number will pass through that test and the negative value will go
directly to the transfer method that takes the absolute value of the
number so if somebody tries to transfer (-900,0000$) the transfer will be
authorized with no senior manager review.
5- Bulk but for a while: A scenario where attacker can get benefit from bulk
purchase then purchase only one item is also a flaw based on the
assumption that the user will send the full list of purchased product after
getting the discount.
6- Forgotten escape: this attack is based on the assumption that a
sanitization method is available and will prevent all malicious characters
that might cause a problem but the developer forgot the escape which
itself does not represent a problem but escaping the escape by the mean
of disable the sanitization functionality. An example is the usage of an
input like ( whatever \;ls ) in this case the sanitization will turn the clean
input to poisoned one ( whatever \\;ls ) which will reactivate the
semicolon malicious effect.
7- Defence+Defence=? : sometimes the intersection of two defense
mechanisms can be used by the attacker to initiate a successful attack. An
example is the usage of an extra single quotation mark to escape a single
quotation mark as a defense mechanism to prevent SQL injection, and
truncation length limiter mechanism for input as a second mechanism to
minimize the ability to enter unexpected amount of entry. The flaw
resides in the usage of the second mechanism by the attacker to break the
first.
if the user login query was:
Select * from users where username=’user name’ and password=’password’;
Now if the attacker provides the a user name containing ( xxxxxxx….xxxx’) where 127(x) character is there and a password ( or 1=1--) the resulting query
Select * from users where username=’xxxx..xxx’’and password=’ or 1=1--’;
Will break the login functionality as the extra added quotation by the first
mechanism will be truncated by the second.
8- Race condition: in the case of race condition the vulnerability appears
only for a short period of time, it is hard to detect and reproduce, but it
can open a door wildly if exploited.
an example is the case of login function that mistakenly stores part of
session information as a static information that are used as an identifier
in other functionalities so if two users use the login functionality exactly
in the same time there is a big chance that they can reach the
functionalities that uses the static identifier.
0 comments: