Commit
Business Logic Errors + Mass Assignment
1 parent b68ce28, commit cd19bb9
Showing 6 changed files with 154 additions and 13 deletions.
@@ -0,0 +1,71 @@ | ||
# Business Logic Errors | ||
|
||
> Business logic errors, also known as business logic flaws, are a type of application vulnerability that stems from the application's business logic, which is the part of the program that deals with real-world business rules and processes. These rules could include things like pricing models, transaction limits, or the sequences of operations that need to be followed in a multi-step process. | ||
|
||
## Summary | ||
|
||
* [Examples](#examples) | ||
* [References](#references) | ||
|
||
|
||
## Examples | ||
|
||
Unlike other types of security vulnerabilities like SQL injection or cross-site scripting (XSS), business logic errors do not rely on problems in the code itself (like unfiltered user input). Instead, they take advantage of the normal, intended functionality of the application, but use it in ways that the developer did not anticipate and that have undesired consequences. | ||
|
||
Common examples of Business Logic Errors. | ||
|
||
* Review Feature Testing | ||
* Assess if you can post a product review as a verified reviewer without having purchased the item. | ||
* Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system. | ||
* Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions. | ||
* Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints. | ||
* Investigate the possibility of posting reviews impersonating other users. | ||
* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens. | ||
|
||
* Discount Code Feature Testing | ||
* Try to apply the same discount code multiple times to assess if it's reusable. | ||
* If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously. | ||
* Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one. | ||
* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature. | ||
* Attempt to apply discount codes to non-discounted items by manipulating the server-side request. | ||
|
||
* Delivery Fee Manipulation | ||
* Experiment with negative values for delivery charges to see if it reduces the final amount. | ||
* Evaluate if free delivery can be activated by modifying parameters. | ||
|
||
* Currency Arbitrage | ||
* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit. | ||
|
||
* Premium Feature Exploitation | ||
* Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription. | ||
* Purchase a premium feature, cancel it, and see if you can still use it after a refund. | ||
* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access. | ||
* Review cookies or local storage for variables validating premium access. | ||
|
||
* Refund Feature Exploitation | ||
* Purchase a product, ask for a refund, and see if the product remains accessible. | ||
* Look for opportunities for currency arbitrage. | ||
* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds. | ||
|
||
* Cart/Wishlist Exploitation | ||
* Test the system by adding products in negative quantities, along with other products, to balance the total. | ||
* Try to add more of a product than is available. | ||
* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it. | ||
|
||
* Thread Comment Testing | ||
* Check if there's a limit to the number of comments on a thread. | ||
* If a user can only comment once, use race conditions to see if multiple comments can be posted. | ||
* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well. | ||
* Attempt to post comments impersonating other users. | ||
|
||
* Parameter Tampering | ||
* Manipulate payment or other critical fields to alter their values. | ||
* By exploiting HTTP Parameter Pollution & Mass Assignment, add extra or unexpected fields. | ||
* Try to manipulate the response to bypass restrictions, such as 2FA. | ||
|
||
## References | ||
|
||
* [Business logic vulnerability - OWASP](https://owasp.org/www-community/vulnerabilities/Business_logic_vulnerability) | ||
* [Business logic vulnerabilities - PortSwigger](https://portswigger.net/web-security/logic-flaws) | ||
* [Examples of business logic vulnerabilities - PortSwigger](https://portswigger.net/web-security/logic-flaws/examples) |
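Review bot: the Examples section contradicts its own framing. The paragraph states that business logic errors "do not rely on problems in the code itself (like unfiltered user input)", yet several bullets are classic input-validation or request-forgery checks rather than logic flaws: `Determine if the file upload field permits all extensions`, `Attempt Cross-Site Request Forgery (CSRF) on this feature` and `Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature`. Either drop those items or group them under a separate "related checks" line so the page stays on topic. Two smaller points: `Common examples of Business Logic Errors.` introduces a list and should end with a colon, and the race-condition and impersonation items under Review Feature Testing, Discount Code Feature Testing and Thread Comment Testing repeat the same idea three times with no mention of what a defender should verify (server-side ownership and state checks, uniqueness constraints on one-per-user actions); a one-line mitigation per category would make the list useful beyond testing.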
@@ -0,0 +1,42 @@ | ||
# Mass Assignment | ||
|
||
> A mass assignment attack is a security vulnerability that occurs when a web application automatically assigns user-supplied input values to properties or variables of a program object. This can become an issue if a user is able to modify attributes they should not have access to, like a user's permissions or an admin flag. | ||
## Summary | ||
|
||
* [Exploit](#exploit) | ||
* [Labs](#labs) | ||
* [References](#references) | ||
|
||
|
||
## Exploit | ||
|
||
Mass assignment vulnerabilities are most common in web applications that use Object-Relational Mapping (ORM) techniques or functions to map user input to object properties, where properties can be updated all at once instead of individually. Many popular web development frameworks such as Ruby on Rails, Django, and Laravel (PHP) offer this functionality. | ||
|
||
For instance, consider a web application that uses an ORM and has a user object with the attributes `username`, `email`, `password`, and `isAdmin`. In a normal scenario, a user might be able to update their own username, email, and password through a form, which the server then assigns to the user object. | ||
|
||
However, an attacker may attempt to add an `isAdmin` parameter to the incoming data like so: | ||
|
||
```json | ||
{ | ||
"username": "attacker", | ||
"email": "attacker@email.com", | ||
"password": "unsafe_password", | ||
"isAdmin": true | ||
} | ||
``` | ||
|
||
If the web application is not checking which parameters are allowed to be updated in this way, it might set the `isAdmin` attribute based on the user-supplied input, giving the attacker admin privileges | ||
|
||
|
||
## Labs | ||
|
||
* [PentesterAcademy - Mass Assignment I](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1964) | ||
* [PentesterAcademy - Mass Assignment II](https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=1922) | ||
|
||
|
||
## References | ||
|
||
* [Hunting for Mass Assignment - Shivam Bathla - Aug 12, 2021](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda) | ||
* [Mass Assignment Cheat Sheet - OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html) | ||
* [What is Mass Assignment? Attacks and Security Tips - Yoan MONTOYA - JUNE 15, 2023](https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/) |
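Review bot: the `## Summary` heading directly follows the opening blockquote with no blank line between them, which is inconsistent with the Business Logic Errors page in this same commit and leaves the blockquote boundary ambiguous; insert a blank line after the quote. In the Exploit section, the text names Ruby on Rails, Django and Laravel as frameworks that map request data onto object properties and shows the `"isAdmin": true` payload, but gives no mitigation, so the reader gets the attack without the fix: add a sentence that updatable attributes must be allowlisted server-side (a fixed set such as `username`, `email`, `password`) rather than taken from whatever keys appear in the request body, and point to the OWASP Mass Assignment Cheat Sheet already listed under References. Also the sentence ending `giving the attacker admin privileges` is missing its final period.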