
Anatomy of Business Logic Vulnerabilities

Bikash Barai, Co-Founder & CEO

Jan 2013

iViZ Security Inc

About iViZ
- iViZ: cloud-based application penetration testing
- Zero False Positive Guarantee
- Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
- Funded by IDG Ventures
- 30+ zero-day vulnerabilities discovered
- 10+ recognitions from analysts and industry
- 300+ customers
- Gartner Hype Cycle: DAST and Application Security as a Service

Understanding Business Logic Vulnerabilities


Understanding Business Logic Vulnerability


- Business Logic Vulnerabilities are security flaws caused by wrong logic design, not by wrong coding.
- Number of Business Logic Vulnerabilities per application: 2 to 3 for critical apps.
- Only 5 to 10% of total vulnerabilities.
- Difficult to detect, but has the highest impact.


7 Deadly Sins!


Increasing your Bank Balance

Impact
You can increase your bank balance just by transferring a negative amount to somebody else.

How does it work?
- No server-side validation of the amount field.
- Sometimes client-side validations exist, but they can be bypassed by manipulating data in transit (using WebScarab, Burp Suite, Paros, etc.).

How to fix?
Add server-side validations in the workflow.
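Added example (not from the slides): the transfer flow above in Python, with the version that trusts the amount field beside a server-side validated one. The ledger, account names and amounts are constructed for illustration; the point is that the server re-parses and range-checks the amount no matter what the browser already did.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample ledger (account id -> balance); not taken from the slides.
ACCOUNTS = {"alice": Decimal("100.00"), "bob": Decimal("50.00")}


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""


def fresh_accounts():
    """Return a copy of the sample ledger so each scenario starts clean."""
    return dict(ACCOUNTS)


def transfer_unchecked(accounts, src, dst, raw_amount):
    """The flaw the slide describes: the amount field is trusted as received.
    A negative amount silently moves money from dst into src."""
    amount = Decimal(raw_amount)
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts[src]


def parse_amount(raw_amount):
    """Server-side parsing: accept only a finite, positive money value with
    at most two decimal places, whatever the browser already checked."""
    try:
        amount = Decimal(str(raw_amount))
        if not amount.is_finite() or amount <= 0:
            raise TransferError("amount must be positive")
        if amount != amount.quantize(Decimal("0.01")):
            raise TransferError("amount has more than two decimal places")
    except InvalidOperation:
        raise TransferError("amount is not a valid money value")
    return amount


def transfer_checked(accounts, src, dst, raw_amount):
    """Hardened version: validate, then move funds only if src can cover them."""
    amount = parse_amount(raw_amount)
    if src == dst:
        raise TransferError("source and destination must differ")
    if src not in accounts or dst not in accounts:
        raise TransferError("unknown account")
    if accounts[src] < amount:
        raise TransferError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts[src]


def try_transfer(accounts, src, dst, raw_amount):
    """API-style wrapper: None on success, otherwise the rejection reason."""
    try:
        transfer_checked(accounts, src, dst, raw_amount)
        return None
    except TransferError as exc:
        return str(exc)


if __name__ == "__main__":
    ledger = fresh_accounts()
    print("unchecked, amount -25:", transfer_unchecked(ledger, "alice", "bob", "-25"))
    ledger = fresh_accounts()
    print("checked, amount -25:", try_transfer(ledger, "alice", "bob", "-25"))
    print("checked, amount 25.50:", try_transfer(ledger, "alice", "bob", "25.50"), ledger)
```

Using `Decimal` rather than `float` matters here as well: the validation rejects values with more precision than the ledger carries, so rounding cannot be abused either.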

Buying online for free!

Impact
Buy air tickets (or anything that you like) at whatever price you want!

How does it work?
The application does not validate the amount paid to the payment gateway. An attacker can simply call the callback URL to get payment success and product delivery.

How to fix?
Create a validation process between the application and the payment gateway to know the exact amount transferred.
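Added example (not from the slides): a callback handler that marks an order paid on any "success" request, beside one that authenticates the callback and reconciles amount and currency against the shop's own order record. The signature scheme (HMAC-SHA256 over sorted fields), the shared secret, the field names and the order data are constructed; real gateways each have their own verification API, which is what the hardened handler stands in for.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed shared secret with which the gateway signs its callbacks. Real gateways
# differ in field names and signature schemes; this models the generic shape.
GATEWAY_SECRET = b"constructed-demo-secret"

# Constructed order record: what the shop stored when it created the order.
ORDERS = {"ORD-1001": {"amount": Decimal("499.00"), "currency": "USD", "status": "pending"}}


def fresh_orders():
    """Copy of the sample orders so each scenario starts clean."""
    return {k: dict(v) for k, v in ORDERS.items()}


def sign_callback(fields, secret=GATEWAY_SECRET):
    """HMAC-SHA256 over the sorted key=value pairs, excluding 'sig' (constructed scheme)."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def handle_callback_unchecked(orders, callback):
    """The flaw the slide describes: any request to the callback URL that says
    'success' marks the order paid, regardless of who sent it or how much was paid."""
    if callback.get("status") == "success" and callback.get("order_id") in orders:
        orders[callback["order_id"]]["status"] = "paid"
        return True
    return False


def handle_callback_checked(orders, callback, secret=GATEWAY_SECRET):
    """Hardened handler: authenticate the callback, then reconcile amount and
    currency against the application's own order record before releasing goods."""
    expected_sig = sign_callback(callback, secret)
    if not hmac.compare_digest(expected_sig, str(callback.get("sig", ""))):
        return "bad signature"
    order = orders.get(callback.get("order_id"))
    if order is None:
        return "unknown order"
    if callback.get("status") != "success":
        return "payment not successful"
    try:
        paid = Decimal(str(callback.get("amount")))
    except InvalidOperation:
        return "unparseable amount"
    if paid != order["amount"]:
        return "amount mismatch"
    if callback.get("currency") != order["currency"]:
        return "currency mismatch"
    if order["status"] != "pending":
        return "order already processed"  # replayed or duplicate callback
    order["status"] = "paid"
    return "ok"


if __name__ == "__main__":
    orders = fresh_orders()
    cb = {"order_id": "ORD-1001", "status": "success", "amount": "499.00", "currency": "USD"}
    cb["sig"] = sign_callback(cb)
    print("signed, correct amount:", handle_callback_checked(orders, cb))
    cb["amount"] = "1.00"
    print("tampered amount:", handle_callback_checked(fresh_orders(), cb))
```

The amount check is the part the slide is about: even a genuinely signed callback is rejected if the gateway reports a different amount than the order was created for, which is what happens when the price is altered on the way to the gateway.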

Stealing one time passwords

Impact
You can steal another user's One Time Password without having access to their mobile, e-mail, etc.

How does it work?
The application sends the OTP to the browser for faster client-side validation and a better user experience.

How to fix?
Conduct server-side validation. Do not send the OTP to the browser.
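Added example (not from the slides): a server-side OTP store in Python. The code is generated on the server, only its hash is kept, and the browser never receives anything but a success/failure verdict; a leaky login response is shown beside the safe one for contrast. The TTL, the attempt limit and the `send_sms` callback are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # constructed policy: code valid for five minutes
OTP_MAX_ATTEMPTS = 5    # constructed policy: lock after five wrong guesses


class OtpStore:
    """Server-side OTP state. The code leaves the server only via the
    out-of-band channel (SMS/e-mail); the browser only ever submits guesses."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> (digest, expires_at, attempts_left)

    @staticmethod
    def _digest(user, code):
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def issue(self, user):
        """Generate a 6-digit code, store only its hash, and return the code
        so the caller can deliver it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[user] = (self._digest(user, code), expires_at, OTP_MAX_ATTEMPTS)
        return code

    def verify(self, user, guess):
        """Return 'ok' or a reason string. Success, expiry and lockout all
        delete the entry, so a code can never be accepted twice."""
        entry = self._pending.get(user)
        if entry is None:
            return "no pending otp"
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return "expired"
        if hmac.compare_digest(digest, self._digest(user, str(guess))):
            del self._pending[user]
            return "ok"
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]
            return "locked"
        self._pending[user] = (digest, expires_at, attempts_left)
        return "wrong"


def login_response_leaky(otp_store, user):
    """The anti-pattern from the slide: the OTP rides along in the response so the
    browser can 'validate' it, which means anyone who can read the response has it."""
    return {"user": user, "otp": otp_store.issue(user)}


def login_response_safe(otp_store, user, send_sms):
    """Hardened: deliver the code out of band; the response carries nothing secret."""
    send_sms(user, otp_store.issue(user))
    return {"user": user, "otp_sent": True}


if __name__ == "__main__":
    store = OtpStore()
    delivered = {}
    print(login_response_safe(store, "alice", lambda u, c: delivered.__setitem__(u, c)))
    print("wrong guess:", store.verify("alice", "000000" if delivered["alice"] != "000000" else "111111"))
    print("right guess:", store.verify("alice", delivered["alice"]))
```

The attempt counter belongs with the server-side check: once the code is no longer visible to the client, the remaining risk is guessing, and six digits with five attempts is a small enough window to be acceptable for a short TTL.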


Have unlimited discounts

Impact
You can enjoy unlimited discount.

How does it work?
- You add 10 products to the cart and avail the standard (e.g. 10%) discount.
- You then remove 9 products from the cart, but the application still retains the discount amount.

How to fix?
Recalculate the discount if there is any change in the cart.


Get 100% discount with 10% discount Coupons

Impact
You can get 100% discount with a 20% discount coupon.

How does it work?
The same coupon can be used multiple times during the same transaction.

How to fix?
Expire the coupon after the first use and not after the session ends.
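Added example (not from the slides) covering both discount slides above: a cart whose total is derived from its current contents on every call, so removing items removes the bulk discount, and a coupon that can be attached once per order and is marked redeemed at checkout. A variant that caches the discount rate at add time is shown beside it to reproduce the stale-discount behaviour. The threshold, rates and coupon code are constructed.

```python
from decimal import Decimal

BULK_THRESHOLD = 10              # constructed policy: 10+ items earn the bulk discount
BULK_DISCOUNT = Decimal("0.10")  # constructed policy: 10% off
COUPONS = {"SAVE20": Decimal("0.20")}  # constructed coupon table: code -> discount rate


class Cart:
    def __init__(self, redeemed_coupons):
        self.items = {}                    # sku -> (unit_price, qty)
        self.coupon = None
        self._redeemed = redeemed_coupons  # shared set of coupon codes already used

    def add(self, sku, unit_price, qty=1):
        price, old = self.items.get(sku, (Decimal(unit_price), 0))
        self.items[sku] = (price, old + qty)

    def remove(self, sku, qty=1):
        price, old = self.items[sku]
        if old - qty <= 0:
            del self.items[sku]
        else:
            self.items[sku] = (price, old - qty)

    def item_count(self):
        return sum(q for _, q in self.items.values())

    def subtotal(self):
        return sum((p * q for p, q in self.items.values()), Decimal("0"))

    def apply_coupon(self, code):
        """One coupon per cart, and never one that has already been redeemed."""
        if code not in COUPONS:
            return "unknown coupon"
        if code in self._redeemed:
            return "coupon already redeemed"
        if self.coupon is not None:
            return "a coupon is already applied"
        self.coupon = code
        return "ok"

    def total(self):
        """Recomputed from the current contents every time; no discount state is
        cached, so removing items below the threshold removes the discount."""
        amount = self.subtotal()
        if self.item_count() >= BULK_THRESHOLD:
            amount -= amount * BULK_DISCOUNT
        if self.coupon:
            amount -= amount * COUPONS[self.coupon]
        return amount.quantize(Decimal("0.01"))

    def checkout(self):
        """Redeem the coupon at payment time, so it expires after first use
        rather than when the session ends."""
        total = self.total()
        if self.coupon:
            self._redeemed.add(self.coupon)
        self.items.clear()
        self.coupon = None
        return total


class StaleCart(Cart):
    """The flaw from the slide: the discount rate is decided when items are added
    and kept as state, so it survives removals."""

    def __init__(self, redeemed_coupons):
        super().__init__(redeemed_coupons)
        self.discount_rate = Decimal("0")

    def add(self, sku, unit_price, qty=1):
        super().add(sku, unit_price, qty)
        if self.item_count() >= BULK_THRESHOLD:
            self.discount_rate = BULK_DISCOUNT

    def total(self):
        amount = self.subtotal() - self.subtotal() * self.discount_rate
        if self.coupon:
            amount -= amount * COUPONS[self.coupon]
        return amount.quantize(Decimal("0.01"))


if __name__ == "__main__":
    redeemed = set()
    for cls in (Cart, StaleCart):
        cart = cls(redeemed)
        cart.add("pen", "2.00", 10)
        cart.remove("pen", 9)
        print(cls.__name__, "total after removing 9 of 10:", cart.total())
```

The same principle applies to any derived value in a transaction (shipping tiers, tax brackets, loyalty points): compute it from the current state at the moment it is needed, and persist only the facts it is derived from.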


Hijacking others' accounts

Impact
You can hijack anybody's (use your imagination) account.

How does it work?
- Weak password recovery process.
- Choose the "Do not have access to registered email" option.
- Brute-force the answer to the secret question.

How to fix?
- Create a stronger password recovery option.
- Recovery links only over email.
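Added example (not from the slides): a recovery flow in Python that follows the "recovery links only over email" fix. A random, single-use, expiring token is sent to the registered address; only its hash is stored, and there is no secret-question fallback, so nothing low-entropy is left to guess. The TTL, the reset URL, the `send_email` callback and the user records are constructed.

```python
import hashlib
import secrets
import time

RECOVERY_TTL = 900  # constructed policy: reset link valid for 15 minutes
RESET_BASE_URL = "https://shop.example.invalid/reset"  # constructed placeholder


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class RecoveryService:
    """Password recovery that relies only on a single-use, expiring token delivered
    to the registered e-mail address. There is no 'I lost my e-mail' fallback."""

    def __init__(self, users, send_email, clock=time.time):
        self._users = users      # username -> {"email": str, "password": (salt, digest) or None}
        self._send = send_email  # callable(to_address, body); real mail delivery is out of scope
        self._clock = clock
        self._tokens = {}        # sha256(token) -> (username, expires_at); only hashes are stored

    def request(self, username):
        """Issue a reset link. The response is identical whether or not the account exists."""
        user = self._users.get(username)
        if user is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self._tokens[key] = (username, self._clock() + RECOVERY_TTL)
            self._send(user["email"], f"{RESET_BASE_URL}?token={token}")
        return "if the account exists, a reset link has been e-mailed"

    def reset(self, token, new_password):
        """Consume the token whether or not it turns out valid, so it cannot be presented twice."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)
        if entry is None:
            return "invalid token"
        username, expires_at = entry
        if self._clock() > expires_at:
            return "expired token"
        self._users[username]["password"] = hash_password(new_password)
        return "ok"

    def check_password(self, username, password):
        user = self._users.get(username)
        if user is None or user["password"] is None:
            return False
        salt, digest = user["password"]
        return secrets.compare_digest(digest, hash_password(password, salt)[1])


if __name__ == "__main__":
    outbox = []
    svc = RecoveryService({"alice": {"email": "alice@example.invalid", "password": None}},
                          lambda to, body: outbox.append((to, body)))
    print(svc.request("alice"))
    token = outbox[0][1].split("token=")[1]
    print("reset:", svc.reset(token, "new-pass"), "| reuse:", svc.reset(token, "again"))
```

Two details carry the security value: the token has 256 bits of entropy, so the brute-force path the slide describes does not exist, and the store keeps only a hash, so a leaked token table cannot be replayed.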

DoS your competition

Impact
You can stop others from buying products.

How does it work?
- You try to book a product and start the session, but do not pay.
- Open millions of such threads and do not pay.
- The application has no expiry time or other validation (IP, etc.).

How to fix?
Session time-out, anti-automation, and limit the number of threads from a single IP (DDoS still possible).
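Added example (not from the slides): an inventory reservation manager in Python that applies the two fixes the code can express, a payment window after which a hold is released, and a cap on concurrently open holds per client. The TTL, the per-client limit, the stock figures and the client identifiers are constructed; anti-automation (CAPTCHA or similar) is a separate control not modelled here.

```python
import time

RESERVATION_TTL = 600  # constructed policy: ten minutes to complete payment
MAX_PER_CLIENT = 3     # constructed policy: open reservations allowed per client/IP


class Inventory:
    """Stock with time-limited holds. A hold takes a unit out of stock; it is
    returned automatically if payment does not arrive before the window closes."""

    def __init__(self, stock, clock=time.time):
        self.stock = dict(stock)  # sku -> units neither held nor sold
        self._clock = clock
        self._holds = {}          # hold_id -> (sku, client, expires_at)
        self._next_id = 1

    def _expire(self):
        """Release holds whose payment window has passed; called before every operation."""
        now = self._clock()
        for hold_id, (sku, _, expires_at) in list(self._holds.items()):
            if now > expires_at:
                self.stock[sku] += 1
                del self._holds[hold_id]

    def open_holds(self, client):
        self._expire()
        return sum(1 for _, c, _ in self._holds.values() if c == client)

    def reserve(self, sku, client):
        """Return (hold_id, 'ok') or (None, reason)."""
        if self.open_holds(client) >= MAX_PER_CLIENT:  # open_holds() has just released expired holds
            return None, "too many open reservations"
        if self.stock.get(sku, 0) <= 0:
            return None, "out of stock"
        self.stock[sku] -= 1
        hold_id = self._next_id
        self._next_id += 1
        self._holds[hold_id] = (sku, client, self._clock() + RESERVATION_TTL)
        return hold_id, "ok"

    def pay(self, hold_id):
        """Convert a live hold into a sale; an expired hold has already gone back to stock."""
        self._expire()
        if hold_id not in self._holds:
            return "reservation expired or unknown"
        del self._holds[hold_id]  # the unit was removed from stock when the hold was made
        return "ok"


if __name__ == "__main__":
    inv = Inventory({"ticket": 5})
    for _ in range(4):
        print(inv.reserve("ticket", "10.0.0.1"))
    print("stock left:", inv.stock["ticket"])
```

The per-client cap limits damage from one source but, as the slide notes, not from many; the expiry is the control that bounds the damage regardless of how many sources there are, because held units return to stock on their own.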

Detection and Prevention


How to detect?

What helps?
- Threat modeling and attack surface analysis
- Break down the key processes into workflows/flow charts to detect possible manipulations
- Penetration testing with Business Logic Testing by experts
- Design review

What does not help?
- Automated testing with any tools (neither static nor dynamic)
- Testing conducted by a team with less expertise
- Standard code review


How to prevent?
- Design the application/use-case scenarios keeping Business Logic Vulnerabilities in mind
- Conduct security design reviews
- Independent/third-party tests (within or outside the company)
- Comprehensive pen test with Business Logic Testing before the application goes live


Resources


Top Free Online Resources

Checklist for Business Logic Vulnerabilities:
http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html

OWASP:
https://www.owasp.org/index.php/Testing_for_business_logic_(OWASPBL-001)

WebScarab:
https://www.owasp.org/index.php/OWASP_WebScarab_Project


After 7 Sins.. Now be prepared for Karma!


How to be bankrupt in a day?

Denial of Dollar Attack! The Pirate Bay founder proposed launching this attack on the law firm which fought against him.

Example working model:
- Send a 1-cent online transaction to the law firm's account.
- The bank deducts 1 dollar as a transaction fee.
- Send millions of 1-cent transactions.

Stay safe !


Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1
