
Business Logic Bugs

CONTENTS

• What are Business Logic Bugs?
• Some Examples of Business Logic Bugs
• Test Cases
• Common Endpoints to find Business Logic Bugs

What are Business Logic Bugs?

• A flaw in the design or implementation of the underlying rules and processes that govern an application's behaviour according to its business requirements.
• Unlike ordinary coding errors, business logic bugs are present when the application does not faithfully implement the intended business logic, which can lead to unexpected or undesired outcomes.
Some Examples of Business Logic Bugs

• A product is delivered before the transaction is verified.
• An e-commerce website allows users to apply a discount code an unlimited number of times, so items can be purchased below cost price.
• A banking application permits money transfers without validating that the account balance is sufficient, leading to negative balances.
• A service fails to check whether a user is already subscribed, allowing multiple subscriptions and discounts for the same user.
• A voting platform does not limit the number of votes per user, enabling a single user to vote multiple times and skew the results.
• A reward points system multiplies points incorrectly during certain transactions, leading to inflated rewards for users.
• A CMS allows unpublished articles to be accessed through direct URLs, exposing confidential information before the official release.

Test Cases

• ATO via Google SSO signup function
• Parameter Tampering
• Response Manipulation
• Critical Parameter Manipulation and Access to Unauthorized Information/Content (IDOR)

ATO via Google SSO signup function

• Create an account (register) on any site where Google SSO is integrated.
• Log in and log out to verify that the account works.
• Go to signup and click the Google SSO option with the same email ID that was already registered on the site; you will be logged directly into the account.
• Go to site.com/account/settings, etc.

ATO via Google SSO signup function

Impact:
• Account takeover via pre-auth
• Lack of email validation helps an attacker stay undetected and supports persistence.
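
The defensive counterpart of the SSO test case above is the account-linking decision in the SSO callback. The following is an added example (not code from the slides or from any identity provider's SDK): it treats the provider's stable subject id as the only proof of "same person", refuses to log an SSO identity into a pre-existing local account on an email match alone, and only links the two after the user re-authenticates to the local account. The `User`/`SsoIdentity` records and the function names are this example's own constructions.

```python
# Added example, not from the slides: an account-linking policy for an SSO
# callback. User records and the provider identity are constructed; the names
# are this example's own, not any provider's SDK.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    email: str
    password_hash: Optional[str]        # None for accounts created via SSO only
    email_verified: bool                # verified by *this* site, not by the provider
    sso_subject: Optional[str] = None   # provider's stable subject id once linked


@dataclass
class SsoIdentity:
    subject: str                        # stable per-user id from the provider
    email: str
    email_verified: bool                # the provider's own claim about the address


def resolve_sso_login(identity: SsoIdentity, users: Dict[str, User]) -> Tuple[Optional[User], str]:
    """Decide what an SSO callback may do. Returns (user, action) where action is
    'login', 'created', 'link_required' or 'rejected'. An e-mail match alone never
    logs anyone into a pre-existing local account."""
    # 1. The provider subject is the only key that proves "same person as last time".
    for user in users.values():
        if user.sso_subject == identity.subject:
            return user, "login"
    email = identity.email.lower()
    existing = users.get(email)
    if existing is None:
        if not identity.email_verified:
            return None, "rejected"     # don't create accounts on unverified claims
        created = User(email, None, True, identity.subject)
        users[email] = created
        return created, "created"
    # 2. A local account already owns this address: do not silently take it over.
    return existing, "link_required"


def link_after_reauth(user: User, identity: SsoIdentity, reauthenticated: bool) -> bool:
    """Link the SSO subject only after the user proved control of the local account
    (a fresh password login) and the addresses really match."""
    if not reauthenticated or user.email != identity.email.lower():
        return False
    user.sso_subject = identity.subject
    return True


if __name__ == "__main__":
    store = {"alice@example.com": User("alice@example.com", "argon2$...", False)}
    google = SsoIdentity("sub-1", "Alice@Example.com", True)
    user, action = resolve_sso_login(google, store)
    print(action)                                        # link_required, not login
    print(link_after_reauth(user, google, reauthenticated=True))
    print(resolve_sso_login(google, store)[1])           # login, via the subject id
```

The `link_required` outcome is where the application should prompt for the existing password (or send a confirmation to the address it verified itself) instead of completing the login; a separate session flag can carry the pending identity until that step succeeds.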


Parameter Tampering

• Turn intercept on and click on the product.
• Find the amount parameter and change its value.
• Forward the request and keep changing the amount.
• If the changed amount is shown in the browser after a refresh, the application is vulnerable.
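
Both the discount-code and negative-balance examples from the "Some Examples" slide and the amount-tampering test above come down to the same fix: the server computes price, discount and affordability from its own data and never from what the client sends. The block below is an added example (not code from the slides) of a checkout that does that; the catalog, discount table, balances and every function name are constructed for this example.

```python
# Added example, not from the slides: a checkout that keeps price, discount and
# balance decisions on the server. Catalog, discount table and balances are
# constructed sample data; the function names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List

CATALOG: Dict[str, int] = {"sku-100": 4000, "sku-200": 1500}  # unit prices in cents
DISCOUNTS: Dict[str, int] = {"SAVE10": 10}                     # percent off, once per order


class CheckoutError(Exception):
    pass


@dataclass
class Order:
    user: str
    items: Dict[str, int]                          # sku -> quantity
    discount_codes: List[str] = field(default_factory=list)


def price_order(order: Order) -> int:
    """Compute the total in cents from the catalog, never from client input."""
    total = 0
    for sku, qty in order.items.items():
        if sku not in CATALOG or qty <= 0:
            raise CheckoutError(f"invalid line item {sku!r} x {qty}")
        total += CATALOG[sku] * qty
    applied = set()
    for code in order.discount_codes:
        if code not in DISCOUNTS:
            raise CheckoutError(f"unknown discount code {code!r}")
        if code in applied:
            # business rule: the same code is honoured at most once per order
            raise CheckoutError(f"discount code {code!r} already applied")
        applied.add(code)
        total -= total * DISCOUNTS[code] // 100
    return max(total, 0)


def checkout(order: Order, request_body: dict, balances: Dict[str, int]) -> dict:
    """Charge the order. `request_body` mimics the HTTP body the client sent; any
    'amount' it carries is ignored (and flagged) rather than trusted. `balances`
    is the account store, passed in so the example has no global state."""
    client_sent_amount = "amount" in request_body   # worth logging: a tampering signal
    total = price_order(order)
    balance = balances.get(order.user, 0)
    if balance < total:
        # business rule: never let the balance go negative
        raise CheckoutError("insufficient balance")
    balances[order.user] = balance - total
    return {
        "user": order.user,
        "charged": total,
        "balance": balances[order.user],
        "client_amount_ignored": client_sent_amount,
    }


def try_checkout(order: Order, request_body: dict, balances: Dict[str, int]) -> str:
    """Helper returning a one-line outcome, handy for tests and logs."""
    try:
        result = checkout(order, request_body, balances)
        return f"ok charged={result['charged']}"
    except CheckoutError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    store = {"alice": 5000}
    order = Order("alice", {"sku-100": 1}, ["SAVE10"])
    print(try_checkout(order, {"amount": 1}, store))   # ok charged=3600 (client amount ignored)
    print(try_checkout(order, {}, store))              # rejected: insufficient balance
    print(try_checkout(Order("alice", {"sku-200": 1}, ["SAVE10", "SAVE10"]), {}, store))
```

With this structure the parameter-tampering test from the slide cannot succeed: the `amount` the client edits is never read for pricing, and its mere presence is recorded so that repeated attempts show up in logs.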
Response Manipulation

• To test this vulnerability we need two accounts. First log in with the attacker account using correct credentials, capture the request and copy its response.
• Now try to log in with the victim account but with a random password, and capture the request.
• Replace the response with the attacker's response; you will be logged in without using the victim's actual password.
• Also try the same methodology for OTP and CAPTCHA bypass.
IDOR – Critical Parameter Manipulation

• HTTP GET and POST requests typically carry parameters, which can be name/value pairs, JSON, XML, etc.
• If the application processes these parameters before validating them, it leads to information disclosure, because the parameters can be guessed/predicted and tampered with.
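
The following is an added example (not code from the slides) of the two checks that prevent an IDOR on an object reference taken from a request parameter: validate the parameter before any lookup, then authorize the object against the identity in the session rather than anything in the request. It goes slightly beyond the slide by accepting the reference from all three encodings the slide names (form name/value pairs, JSON and XML). The invoice records, role table and function names are constructed for this example.

```python
# Added example, not from the slides: resolving an object reference taken from a
# request parameter. Records and roles are constructed; names are this example's own.
import json
import xml.etree.ElementTree as ET   # for untrusted XML in production, prefer defusedxml
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs


@dataclass
class Invoice:
    id: int
    owner: str
    amount: int


INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 80),
}
ROLES = {"alice": "user", "bob": "user", "carol": "support"}   # constructed


class NotFound(Exception):
    pass


def extract_invoice_id(body: str, content_type: str) -> Optional[str]:
    """Pull the raw 'invoice_id' value out of a form, JSON or XML body.
    This is only parsing; nothing is trusted yet."""
    if content_type == "application/x-www-form-urlencoded":
        return parse_qs(body).get("invoice_id", [None])[0]
    if content_type == "application/json":
        value = json.loads(body).get("invoice_id")
        return None if value is None else str(value)
    if content_type == "application/xml":
        node = ET.fromstring(body).find("invoice_id")
        return None if node is None else (node.text or "")
    return None


def get_invoice(session_user: str, raw_id: Optional[str]) -> Invoice:
    """Validate the parameter, then authorize against the *session* identity."""
    if raw_id is None or not raw_id.isdigit():
        raise NotFound()                         # reject before any lookup
    invoice = INVOICES.get(int(raw_id))
    if invoice is None:
        raise NotFound()
    if invoice.owner != session_user and ROLES.get(session_user) != "support":
        raise NotFound()                         # same answer as "missing": no existence oracle
    return invoice


def handle(session_user: str, body: str, content_type: str) -> str:
    """Simulated endpoint returning the status line a client would see."""
    try:
        inv = get_invoice(session_user, extract_invoice_id(body, content_type))
    except NotFound:
        return "404 Not Found"
    return f"200 invoice {inv.id} amount={inv.amount}"


if __name__ == "__main__":
    print(handle("alice", "invoice_id=1001", "application/x-www-form-urlencoded"))  # 200
    print(handle("alice", '{"invoice_id": 1002}', "application/json"))             # 404
    print(handle("carol", "<req><invoice_id>1002</invoice_id></req>", "application/xml"))  # 200
```

Returning the same 404 for "not yours" and "does not exist" keeps sequential ids from being enumerated through response differences; a denied lookup on an existing record is still worth logging server-side as a tampering signal.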


Common Endpoints

• Auth Mechanisms: login mechanisms, role-based access controls.
• Transaction Processing: order placement, payment processing.
• User Privileges: profile settings, account management.
• Workflow Processes: order fulfilment, document approvals.
• Inadequate Access Controls: unauthorized access to functionality or data.
• Inconsistent Validation: validation errors leading to unintended outcomes.
• Session Management: incorrect handling of user sessions.
• Race Conditions: arising from concurrent execution of processes.


Thank You
