Business Logic Vulnerability

The document discusses several examples of business logic vulnerabilities in websites and applications. These include allowing links to be sent as messages that should not be linked, allowing teachers to access student data they should not have access to, and bypassing authentication and password changes. The document emphasizes that finding these types of vulnerabilities does not require advanced tools and instead recommends using creativity and persistence to think of ways to break the intended business logic.

By @pranshux0x
Business logic bugs in human life

A genie tells a man that he will grant him one wish.

The man asks the genie "to make him very attractive to women."

The genie snaps his fingers and the man turns into a box of chocolates.

Just as the man's final wish was granted based on what he said, rather than what
he was thinking, a program will follow its instructions exactly, and the results aren't
always what the programmer intended.
Business logic bugs in computers

Application logic errors, or business logic vulnerabilities, are ways of using the
legitimate logic flow of an application that result in negative consequences for
the organization. Sounds a bit abstract? The best way to understand them is to look
at a few examples.
1. Block link in messages

The website example.com allows users to send messages to other users.

If you send any link in a message, such as google.com, it is sent as plain text: google.com.

But if you send example.com in a message, it is sent as a clickable link: example.com.

Now you know what comes next: yes, send
[email protected], and it is converted into the link [email protected] in
the message.
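As an added illustration (not code from the original post): a Python check for whether a message contains one of the site's own links, comparing the parsed host rather than searching for the domain string. The exact message in the write-up is obfuscated above; the TRUSTED_HOST value, the sample URLs and the function names here are constructed for this example.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "example.com"   # assumed: the only host the site turns into a link

def naive_is_trusted(text: str) -> bool:
    """The weak check: is the trusted domain anywhere in the string?"""
    return TRUSTED_HOST in text

def strict_is_trusted(text: str) -> bool:
    """Hardened check: parse the URL and compare the real host exactly.

    Any user@ prefix lands in .username, never in .hostname (RFC 3986
    userinfo), so only the host the browser will connect to is compared.
    """
    try:
        parts = urlsplit(text if "://" in text else "https://" + text)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)

# Constructed messages for this demonstration, not from the original post.
SAMPLES = [
    "google.com",                                # plain text, stays unlinked
    "https://example.com/help",                  # genuinely ours
    "https://docs.example.com/x",                # subdomain of ours
    "https://example.com@attacker.test/login",   # real host is attacker.test
    "https://example.com.attacker.test/",        # lookalike suffix
    "https://attacker.test/?ref=example.com",    # trusted name only in the query
]

def compare() -> dict:
    """{message: (naive_result, strict_result)} for every sample."""
    return {m: (naive_is_trusted(m), strict_is_trusted(m)) for m in SAMPLES}

if __name__ == "__main__":
    for msg, (naive, strict) in compare().items():
        print(f"{msg:45} naive={naive!s:5} strict={strict}")
```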
2. Teacher becomes attacker

The website has teachers and students. Students can add themselves to a teacher's class
with a class code.
One teacher is not allowed to see a student's performance in another teacher's class.
A teacher can also reset a student's account password.
So here the website again breaks its own logic:
a teacher can reset a student's password, log in to that account, and see the student's
performance in another teacher's class.
3. Attacker celebrates the company's 10th anniversary

For its 10th anniversary, the company gives $25 cashback on orders above $800.

I order items worth $900 and pay with my credit card. After 1 hour I
get the $25 cashback. Then I cancel the order, and after 2 hours I get my $900
back as well.

So in total I get $925.

$25 profit.
4. Hacker's computer runs fast

On this website we can save our Visa card and order furniture.

What I found out is this:

when I purchase furniture and choose the Visa card saved on the website as the
payment option, my order is confirmed, and after 3-4 seconds the money is taken from my
account.

How do you exploit it? Let's see.

I know that my order is confirmed first, and only after that is the money taken from my account.

So I open my account in two browsers. In the first browser I go through the
purchasing flow, and after selecting the Visa card as the payment option I stop, before
clicking the order button.

In the second browser I go to my account settings, where the saved credit card section has an
option to remove the credit card.

I align both browser windows side by side. In the first browser I click order,
and in less than 2 seconds I click the remove credit card button in the second
browser.

Now my order is confirmed, but no money is taken from my account.
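An added example (not from the original write-up) that models the two-browser sequence in Python: a checkout that confirms before charging, beside one that charges under the same lock the card-removal path takes and confirms only as a result of the charge. The Account class, the card token and the order id are constructed for this example.

```python
import threading
from dataclasses import dataclass, field

@dataclass
class Account:
    saved_card: "str | None" = "tok_visa_constructed"   # constructed card token
    orders: dict = field(default_factory=dict)           # order_id -> status
    charges: list = field(default_factory=list)          # (order_id, card, amount)
    lock: threading.Lock = field(default_factory=threading.Lock)

def remove_saved_card(acct: Account) -> None:
    with acct.lock:               # the "remove credit card" button in settings
        acct.saved_card = None

def vulnerable_checkout(acct, order_id, amount, confirmed, proceed):
    """Confirm first, charge later; a vanished card just means no charge."""
    acct.orders[order_id] = "confirmed"
    confirmed.set()
    proceed.wait()                # the 3-4 second gap before the payment call
    if acct.saved_card is not None:
        acct.charges.append((order_id, acct.saved_card, amount))

def hardened_checkout(acct, order_id, amount) -> str:
    """Charge under the lock card removal also takes; confirm only after it."""
    with acct.lock:
        card = acct.saved_card
        if card is not None:
            acct.charges.append((order_id, card, amount))
        acct.orders[order_id] = "confirmed" if card else "rejected"
        return acct.orders[order_id]

def every_confirmed_order_is_paid(acct: Account) -> bool:
    paid = {oid for oid, _, _ in acct.charges}
    return all(oid in paid for oid, st in acct.orders.items() if st == "confirmed")

def demo(hardened: bool) -> Account:
    """Replay the two-browser sequence against either implementation."""
    acct, confirmed, proceed = Account(), threading.Event(), threading.Event()
    if hardened:
        t = threading.Thread(target=hardened_checkout, args=(acct, "ord-1", 900))
        t.start()
        remove_saved_card(acct)   # whichever side wins the lock, the invariant holds
    else:
        t = threading.Thread(target=vulnerable_checkout, args=(acct, "ord-1", 900, confirmed, proceed))
        t.start()
        confirmed.wait()          # browser 1 shows "order confirmed"
        remove_saved_card(acct)   # browser 2 removes the card inside the gap
        proceed.set()
    t.join()
    return acct
```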


5. You are already in

The website supports 2-factor authentication.

After enabling 2FA, when I log in by entering my username and password, the website
asks me to enter the 2FA code.

The URL in the browser is https://www.exampl.com/login/2fa

I change this to https://www.exampl.com/account

Boom! 2FA is bypassed completely and I am logged in to the account.
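An added example (not the site's code) of the server-side state the write-up's site was missing: a session that stays half-authenticated until the 2FA code is verified, with a route guard that checks it before serving /account. The Session fields, the pre-2FA route list and the 123456 code are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Session:
    user_id: str
    mfa_required: bool
    mfa_passed: bool = False

def password_login(user_id: str, mfa_enabled: bool) -> Session:
    """Step 1: the password was accepted (checked elsewhere). With 2FA
    enabled this session is not yet fully authenticated."""
    return Session(user_id=user_id, mfa_required=mfa_enabled)

def verify_2fa(session: Session, code: str, expected: str) -> bool:
    """Step 2: only a correct code promotes the session."""
    if hmac.compare_digest(code.encode(), expected.encode()):
        session.mfa_passed = True
    return session.mfa_passed

def vulnerable_guard(session: Session, path: str) -> bool:
    """The bug: a session counts as logged in as soon as it has a user id,
    so /account is as reachable as /login/2fa after the password step."""
    return session.user_id is not None

PRE_MFA_PATHS = {"/login/2fa", "/logout"}   # assumed: the only pre-2FA routes

def hardened_guard(session: Session, path: str) -> bool:
    """Until 2FA is passed the session may reach only the 2FA page (and logout)."""
    if session.mfa_required and not session.mfa_passed:
        return path in PRE_MFA_PATHS
    return True

def replay(guard) -> dict:
    """Password login, try /account directly, then pass 2FA and try again."""
    s = password_login("alice", mfa_enabled=True)       # constructed user
    result = {"2fa_page_before": guard(s, "/login/2fa"),
              "account_before": guard(s, "/account")}
    verify_2fa(s, "123456", "123456")                   # constructed code
    result["account_after"] = guard(s, "/account")
    return result
```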


6. Fooling a password change function

To change a password, the user needs to enter the current password. The request to change the password looks like this:

POST /api/change-password HTTP/1.1
Host: example.com
Content-Type: application/json
Authorization: Bearer <access_token>

{
"current_password": "oldPassword123",
"new_password": "newPassword456"
}

If we remove the current_password key and its value, the request still succeeds.
This way we can change the password without supplying the current password,
with this request:

POST /api/change-password HTTP/1.1
Host: example.com
Content-Type: application/json
Authorization: Bearer <access_token>

{
"new_password": "newPassword456"
}
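An added example (not the application's code) of a password-change handler that verifies current_password only when the field is present, beside one that requires both fields and rejects the shortened body, replayed with the two request bodies above. The User class and the PBKDF2 storage scheme are constructed for this example.

```python
import hashlib, hmac, os

def hash_password(pw: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def check_password(pw: str, stored: tuple) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

class User:
    def __init__(self, password: str):
        self.stored = hash_password(password)

def vulnerable_change_password(user: User, body: dict) -> int:
    """Verifies the current password only if the client chose to send one."""
    if "current_password" in body and not check_password(body["current_password"], user.stored):
        return 403
    user.stored = hash_password(body["new_password"])
    return 200

def hardened_change_password(user: User, body: dict) -> int:
    """Both fields are mandatory and the current password must verify."""
    current, new = body.get("current_password"), body.get("new_password")
    if not isinstance(current, str) or not isinstance(new, str) or not new:
        return 400
    if not check_password(current, user.stored):
        return 403
    user.stored = hash_password(new)
    return 200

# The two request bodies from the write-up.
FULL_BODY = {"current_password": "oldPassword123", "new_password": "newPassword456"}
NO_CURRENT_BODY = {"new_password": "newPassword456"}

def replay(handler, body: dict = NO_CURRENT_BODY) -> dict:
    """Send a body to a user whose password is oldPassword123 and report the
    status plus which password is accepted afterwards."""
    user = User("oldPassword123")
    status = handler(user, body)
    return {"status": status,
            "old_still_valid": check_password("oldPassword123", user.stored),
            "new_valid": check_password("newPassword456", user.stored)}
```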
What it takes to find business logic vulnerabilities

You don't need any fancy tooling to find these bugs, nor do you need any
programming knowledge. I believe all you need is persistence, consistency and a
creative mind.

A few tips:

1. Don't give up easily: spend at least 30 days on one program.

2. Use your creative mind to break the developer's logic. You cannot break the
developer's logic in one day, but one day you will.
Who am I?

Priyansh Shakya (@pranshux0x)

Twitter handle: @pranshux0x
