Editor's note: This is the first article in a seven-part series by Chetan Conikee. See more business logic flaw case studies at his website.
What is a business logic flaw?
The complexity of software applications has increased exponentially in the past decade. Unfortunately, so has the number of attacks launched against such applications.
Attackers have reinvented their approach to explore newer vulnerabilities.
Vulnerabilities in applications can be classified into two broad categories:
- Those that have common characteristics across different applications
- Those that are specific to an application and business domain.
The first category of vulnerabilities is caused by faulty input validation. It arises when an application depends on user input to trigger its critical functionality and handles that input without proper sanitization. Cross-site scripting and SQL injection are good examples of this first category.
The second category of vulnerabilities is referred to as business logic flaws. These result from faulty application logic. A business logic flaw allows an attacker to misuse the application by circumventing its business rules. These attacks are disguised as syntactically valid web requests that carry malicious intent to violate the intended application logic.
An automated security scanner works fine for detecting the first category of vulnerabilities, those that have common characteristics across different applications. However, it falters when it comes to detecting faulty logic. This is because it is not programmed to understand the business domain workflow, the programmer's logic, or the ways in which that logic can be tampered with or bypassed.
An Example of a Business Logic Flaw
Here is a simple example.
An e-commerce merchant, YYY.com, sells electronic merchandise to consumers worldwide. The typical checkout process during fulfillment includes the following steps in sequence:
1. User picks one or more items and adds them to the basket
2. User then heads to the order page to initiate the purchase
3. User pushes the purchase or checkout button
4. Merchant YYY.com sends order and customer information to its partner payments processor (for authorization and capture)
5. Payments processor returns a transaction-id back to Merchant YYY.com
6. Merchant YYY.com displays confirmation details on the fulfillment page to the consumer
An attacker carefully tracks the request/response through each of these stages and prepares to induce a currency attack on this merchant.
At step (3), the attacker manipulates a currency-related parameter in the POST request within the HTTP header and changes the currency type from `EU Pounds` to `US Dollars`. As a result, the attacker was able to exploit this logic flaw by paying less for his/her order.
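The flaw at step (3) and its fix, as an added example that is not code from the original article or from any real merchant: the flawed handler takes the amount from the server but the currency from the request, while the hardened one takes both from the stored order and reconciles the processor's reply before confirming. The order store, field names, the `GBP`/`USD` codes standing in for the article's currencies, and the processor echoing amount and currency back are all assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Order:
    order_id: str
    amount: Decimal
    currency: str  # fixed server-side when the basket was priced


# Constructed sample data: hypothetical server-side order store.
ORDERS = {"ord-1001": Order("ord-1001", Decimal("500.00"), "GBP")}


class TamperedCheckout(Exception):
    """Raised when request or processor data disagrees with the stored order."""


def build_charge_flawed(form: dict) -> dict:
    # Business logic flaw: the currency is whatever the client posted.
    order = ORDERS[form["order_id"]]
    return {"order_id": order.order_id, "amount": order.amount,
            "currency": form["currency"]}


def build_charge_hardened(form: dict) -> dict:
    # Amount and currency both come from the stored order. A posted
    # currency that disagrees is rejected so it can be logged and alerted on.
    order = ORDERS[form["order_id"]]
    posted = form.get("currency")
    if posted is not None and posted != order.currency:
        raise TamperedCheckout(
            f"{order.order_id}: posted {posted!r}, priced in {order.currency!r}")
    return {"order_id": order.order_id, "amount": order.amount,
            "currency": order.currency}


def confirm_hardened(order_id: str, processor_reply: dict) -> str:
    # Steps 5-6: reconcile what was actually authorized against the order
    # before showing the confirmation page. Reply fields are assumed.
    order = ORDERS[order_id]
    if (Decimal(processor_reply["amount"]) != order.amount
            or processor_reply["currency"] != order.currency):
        raise TamperedCheckout(f"{order_id}: authorized charge does not match order")
    return processor_reply["transaction_id"]
```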
Business Logic Flaw Definition
A business logic flaw is code that is part of a legitimate workflow but can be used for malicious intent. The chart below outlines the definition neatly.
How can such flaws be avoided?
Is there a human-assisted expert system available to check your specific application for design flaws that can be exploited? Yes, such a system does exist.
Until then, onto my next installment in this series.