Anatomy of business logic vulnerabilities

1. Anatomy of Business Logic Vulnerabilities. Bikash Barai, Co-Founder & CEO. Jan 2013 © iViZ Security Inc
2. About iViZ
   • iViZ: cloud-based Application Penetration Testing
     – Zero False Positive Guarantee
     – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
   • Funded by IDG Ventures
   • 30+ zero-day vulnerabilities discovered
   • 10+ recognitions from analysts and industry
   • 300+ customers
   • Gartner Hype Cycle: DAST and Application Security as a Service
3. Understanding Business Logic Vulnerabilities
4. Understanding Business Logic Vulnerability
   • Business logic vulnerabilities are security flaws caused by wrong logic design, not by wrong coding
   • Business logic vulnerabilities per application: 2 to 3 for critical apps
   • Only 5 to 10% of total vulnerabilities
   • Difficult to detect, but with the highest impact
5. 7 Deadly Sins!
6. Increasing your Bank Balance
   • Impact
     – You can increase your bank balance just by transferring a negative amount to somebody else
   • How does it work?
     – No server-side validation of the amount field
     – Sometimes client-side validation exists, but it can be bypassed by manipulating data in transit with an intercepting proxy (WebScarab, Burp Suite, Paros, etc.)
   • How to fix?
     – Add server-side validation of the amount to the workflow
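The transfer flaw above, as an added example that is not code from the iViZ deck: a handler that trusts the client-supplied amount next to one that re-validates it on the server. The ledger is a constructed in-memory dict of balances in integer cents, and the account names, `TransferError` and the helper functions are hypothetical; in a real application the same checks run inside the database transaction that moves the money.

```python
"""Server-side validation of a funds transfer (added example, not iViZ code)."""
from decimal import Decimal, InvalidOperation

# Constructed sample ledger: account id -> balance in cents.
LEDGER = {"alice": 10_000, "bob": 5_000}


class TransferError(ValueError):
    """Raised when the server rejects a transfer request."""


def transfer_vulnerable(ledger, src, dst, amount_cents):
    """Trusts the client-supplied amount (only the HTML form checked it).

    A negative amount, injected with an intercepting proxy, moves money
    from dst to src and increases the attacker's own balance.
    """
    ledger[src] -= amount_cents
    ledger[dst] += amount_cents
    return ledger[src]


def parse_amount(raw):
    """Parse an untrusted amount string into positive integer cents.

    Rejects non-numeric input, NaN/infinity, sub-cent precision, zero and
    negative values. Decimal avoids float rounding on values like 0.1.
    """
    try:
        value = Decimal(str(raw))
    except InvalidOperation:
        raise TransferError("amount is not a number")
    if not value.is_finite():
        raise TransferError("amount is not finite")
    cents = value.scaleb(2)  # shift two decimal places: 50.00 -> 5000
    if cents != cents.to_integral_value():
        raise TransferError("amount has sub-cent precision")
    cents = int(cents)
    if cents <= 0:
        raise TransferError("amount must be positive")
    return cents


def transfer_hardened(ledger, src, dst, raw_amount):
    """Re-validate everything on the server before touching balances."""
    amount = parse_amount(raw_amount)
    if src == dst:
        raise TransferError("source and destination are the same account")
    if src not in ledger or dst not in ledger:
        raise TransferError("unknown account")
    if ledger[src] < amount:
        raise TransferError("insufficient funds")
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger[src]


if __name__ == "__main__":
    # Attacker "transfers" -50.00 from alice to bob via a tampered request.
    ledger = dict(LEDGER)
    transfer_vulnerable(ledger, "alice", "bob", -5_000)
    print("vulnerable:", ledger)  # alice ends up with 15000 cents
    ledger = dict(LEDGER)
    try:
        transfer_hardened(ledger, "alice", "bob", "-50.00")
    except TransferError as err:
        print("hardened rejected:", err)
```

The validation is deliberately done on the raw string, not on a number the framework already coerced: a float-typed parameter would silently accept `1e-9` or `NaN`, and `Decimal` keeps the cents exact.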
7. Buying online for free!
   • Impact
     – Buy air tickets (or anything you like) at whatever price you want
   • How does it work?
     – The application does not validate the amount actually paid to the payment gateway. The attacker simply invokes the "callback URL" to register a payment success and trigger product delivery.
   • How to fix?
     – Build a validation step between the application and the payment gateway that confirms the exact amount transferred for the order
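The callback check described above, as an added example that is not code from the iViZ deck or from any real gateway. The gateway behaviour is a hypothetical assumption: it posts `order_id`, `amount`, `currency` and `status` to the merchant's callback URL and signs them with HMAC-SHA256 over the sorted `key=value` pairs using a shared secret. The order total is recorded server-side when checkout starts; `ORDERS`, the secret and the order id are constructed sample data.

```python
"""Verifying a payment-gateway callback before delivery (added example)."""
import hashlib
import hmac

GATEWAY_SECRET = b"constructed-shared-secret"  # constructed, not a real key

# Constructed order store: order_id -> expected total (cents), currency, state.
ORDERS = {"ORD-1001": {"amount": 45_000, "currency": "USD", "status": "pending"}}


def fresh_orders():
    """Deep-ish copy of the constructed store so each run starts pending."""
    return {k: dict(v) for k, v in ORDERS.items()}


def sign(params, secret=GATEWAY_SECRET):
    """Signature the (hypothetical) gateway puts in the 'sig' parameter."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def gateway_callback(order_id, amount, currency):
    """Simulates a genuine success callback from the gateway (constructed)."""
    params = {"order_id": order_id, "amount": str(amount),
              "currency": currency, "status": "success"}
    params["sig"] = sign(params)
    return params


def deliver_vulnerable(orders, params):
    """Ships on any callback that says 'success': the attacker just requests
    the callback URL with status=success and never pays."""
    order = orders.get(params.get("order_id"))
    if order is not None and params.get("status") == "success":
        order["status"] = "paid"
        return True
    return False


def deliver_hardened(orders, params, secret=GATEWAY_SECRET):
    """Accept the callback only if it is authentic, fresh, successful and
    for the exact amount and currency the order was created with."""
    order = orders.get(params.get("order_id"))
    if order is None or order["status"] != "pending":
        return False  # unknown order, or a replayed callback
    sig = params.get("sig", "")
    if not isinstance(sig, str) or not hmac.compare_digest(sign(params, secret), sig):
        return False  # forged or tampered parameters
    if params.get("status") != "success":
        return False
    try:
        paid = int(params["amount"])
    except (KeyError, ValueError):
        return False
    if paid != order["amount"] or params.get("currency") != order["currency"]:
        return False  # a genuine payment, but not for the order total
    order["status"] = "paid"
    return True


if __name__ == "__main__":
    forged = {"order_id": "ORD-1001", "amount": "1", "status": "success"}
    print("vulnerable ships forged:", deliver_vulnerable(fresh_orders(), forged))
    print("hardened ships forged:", deliver_hardened(fresh_orders(), forged))
    print("hardened ships underpaid:",
          deliver_hardened(fresh_orders(), gateway_callback("ORD-1001", 1, "USD")))
    print("hardened ships genuine:",
          deliver_hardened(fresh_orders(), gateway_callback("ORD-1001", 45_000, "USD")))
```

The amount comparison matters as much as the signature: an attacker who lowers the amount in the redirect to the gateway gets a perfectly genuine, signed success callback for 1 cent. Where the gateway offers a server-to-server verification API, query it for the transaction as well rather than relying on the callback alone.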
8. Stealing one-time passwords
   • Impact
     – You can steal another user's One Time Password without having access to their mobile, email, etc.
   • How does it work?
     – The application sends the OTP to the browser for faster client-side validation and a better user experience, so anyone who can read the response has the OTP
   • How to fix?
     – Validate on the server side. Never send the OTP to the browser.
9. Have unlimited discounts
   • Impact
     – You can enjoy unlimited discount
   • How does it work?
     – Add 10 products to the cart to qualify for the standard bulk discount (e.g. 10%)
     – Remove 9 products from the cart afterwards; the application still retains the discount amount
   • How to fix?
     – Recalculate the discount whenever the cart changes
10. Get 100% discount with 10% discount coupons
   • Impact
     – You can get 100% discount with a single 10% or 20% discount coupon
   • How does it work?
     – The same coupon can be applied multiple times within the same transaction
   • How to fix?
     – Expire the coupon after its first use, not when the session ends
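Both cart sins (slide 9, the latched bulk discount, and slide 10, the stackable coupon) in one added example that is not code from the iViZ deck. The pricing rules are constructed assumptions: a 10% bulk discount once the cart holds at least 10 items, percentage-off coupon codes, one coupon per order, and a coupon retired in a shared server-side registry when an order using it is placed. The catalogue, prices and coupon code are sample data.

```python
"""Cart pricing recomputed from the current cart, coupons redeemed once
(added example, not iViZ code)."""

BULK_QTY = 10
BULK_PCT = 10
PRICES = {"book": 2_000, "pen": 300}  # constructed catalogue, prices in cents
COUPONS = {"SAVE20": 20}              # constructed coupon codes -> percent off


def subtotal(items):
    return sum(PRICES[sku] * qty for sku, qty in items.items())


def apply_pct(amount, pct):
    """Percentage discount, capped at 100% so the total never goes negative."""
    return amount * (100 - min(pct, 100)) // 100


class VulnerableCart:
    """Two sins: the bulk discount is latched when earned and never cleared,
    and the same coupon code stacks every time it is submitted."""

    def __init__(self):
        self.items = {}
        self.bulk = False
        self.coupon_pct = 0

    def add(self, sku, qty=1):
        self.items[sku] = self.items.get(sku, 0) + qty
        if sum(self.items.values()) >= BULK_QTY:
            self.bulk = True  # sin 1: set once, never re-checked on remove

    def remove(self, sku, qty=1):
        self.items[sku] = max(0, self.items.get(sku, 0) - qty)

    def apply_coupon(self, code):
        if code in COUPONS:
            self.coupon_pct += COUPONS[code]  # sin 2: no check for reuse

    def total(self):
        pct = (BULK_PCT if self.bulk else 0) + self.coupon_pct
        return apply_pct(subtotal(self.items), pct)


class HardenedCart:
    """The price is derived from the current items on every call, and a
    coupon is checked against a shared server-side registry of used codes."""

    def __init__(self, redeemed):
        self.items = {}
        self.coupon = None
        self.redeemed = redeemed  # shared set, e.g. a database table

    def add(self, sku, qty=1):
        self.items[sku] = self.items.get(sku, 0) + qty

    def remove(self, sku, qty=1):
        left = self.items.get(sku, 0) - qty
        if left > 0:
            self.items[sku] = left
        else:
            self.items.pop(sku, None)

    def apply_coupon(self, code):
        if code not in COUPONS or code in self.redeemed:
            return False
        self.coupon = code  # one coupon per order: replaces, never stacks
        return True

    def total(self):
        pct = BULK_PCT if sum(self.items.values()) >= BULK_QTY else 0
        if self.coupon is not None:
            pct += COUPONS[self.coupon]
        return apply_pct(subtotal(self.items), pct)

    def checkout(self):
        """Re-validate the coupon at order time and retire it."""
        if self.coupon is not None:
            if self.coupon in self.redeemed:
                raise ValueError("coupon already redeemed")
            self.redeemed.add(self.coupon)
        amount = self.total()
        self.items, self.coupon = {}, None
        return amount


if __name__ == "__main__":
    v = VulnerableCart()
    v.add("book", 10)
    v.remove("book", 9)
    for _ in range(5):
        v.apply_coupon("SAVE20")
    print("vulnerable total for one book:", v.total())  # 0
    h = HardenedCart(set())
    h.add("book", 10)
    h.remove("book", 9)
    h.apply_coupon("SAVE20")
    h.apply_coupon("SAVE20")
    print("hardened total for one book:", h.total())  # 1600
```

The hardened cart never stores a discount at all; the only persistent state is the set of redeemed codes, which is what makes "expire after first use" hold across sessions and not just within one.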
11. Hijacking others' accounts
   • Impact
     – You can hijack anybody's account (use your imagination)
   • How does it work?
     – Weak password recovery process
     – Choose the "I do not have access to my registered email" option
     – Brute-force the answer to the secret question
   • How to fix?
     – Build a stronger password recovery process
     – Send recovery links only over email
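Slides 8 and 11 have the same fix underneath: the secret (a login OTP or a password-recovery token) stays on the server, goes out only over the out-of-band channel, and is verified server-side with an attempt cap, an expiry and single use. The following is an added example that is not code from the iViZ deck. The SMS/email channel is a constructed list, the HTTP layer is omitted, and the clock is injectable so expiry can be exercised offline. The policy (6-digit OTPs valid 5 minutes with 5 attempts, 256-bit recovery tokens valid 15 minutes) and the class and function names are assumptions.

```python
"""Out-of-band secrets kept and verified on the server (added example)."""
import hashlib
import hmac
import secrets
import time

OUTBOX = []  # constructed stand-in for the SMS/email gateway


def issue_otp_vulnerable(user):
    """The sin: the OTP is returned in the HTTP response so that JavaScript
    can compare it client-side. Anyone who can read that response has it."""
    otp = f"{secrets.randbelow(10**6):06d}"
    OUTBOX.append((user, otp))
    return {"user": user, "otp": otp}


def _digest(kind, user, value):
    """Store only a digest; a leaked table does not reveal live secrets."""
    return hashlib.sha256(f"{kind}:{user}:{value}".encode()).hexdigest()


class ChallengeStore:
    """Server-side store of pending OTPs and recovery tokens."""

    POLICY = {"otp": (300, 5), "recovery": (900, 5)}  # ttl seconds, attempts

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # (kind, user) -> {"digest", "expires", "attempts"}

    def _issue(self, kind, user, value):
        ttl, _ = self.POLICY[kind]
        self._pending[(kind, user)] = {
            "digest": _digest(kind, user, value),
            "expires": self.now() + ttl,
            "attempts": 0,
        }
        OUTBOX.append((user, value))  # the only place the secret goes

    def issue_otp(self, user):
        self._issue("otp", user, f"{secrets.randbelow(10**6):06d}")
        return {"user": user, "sent": True}  # nothing secret in the response

    def issue_recovery_link(self, user):
        # 256 bits of randomness: the mailer builds the link from this token,
        # so there is no secret question for an attacker to brute-force.
        self._issue("recovery", user, secrets.token_urlsafe(32))
        return {"user": user, "sent": True}

    def verify(self, kind, user, submitted):
        """Constant-time compare, attempt cap, expiry and single use."""
        key = (kind, user)
        rec = self._pending.get(key)
        if rec is None:
            return False
        _, max_attempts = self.POLICY[kind]
        if self.now() > rec["expires"]:
            del self._pending[key]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > max_attempts:
            del self._pending[key]  # lock out guessing; the user re-requests
            return False
        if hmac.compare_digest(rec["digest"], _digest(kind, user, str(submitted))):
            del self._pending[key]  # single use
            return True
        return False


if __name__ == "__main__":
    store = ChallengeStore()
    print("vulnerable response:", issue_otp_vulnerable("alice"))
    print("hardened response:", store.issue_otp("alice"))
    print("verify with the SMS'd code:", store.verify("otp", "alice", OUTBOX[-1][1]))
    print("replay of the same code:", store.verify("otp", "alice", OUTBOX[-1][1]))
```

The attempt cap is what makes a 6-digit OTP safe to use at all: without it, an attacker who cannot read the response can still walk the one-million-value space. A recovery token, by contrast, is long enough that the cap is just defence in depth.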
12. DoS your competition
   • Impact
     – You can stop others from buying products
   • How does it work?
     – Start booking a product, which reserves it, but do not pay
     – Open millions of such booking sessions without ever paying
     – The application has no expiry time on reservations and no other validation (per IP, etc.)
   • How to fix?
     – Session time-out, anti-automation, and a limit on the number of concurrent reservations from a single IP (DDoS is still possible)
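The reservation-exhaustion flaw and its fix, as an added example that is not code from the iViZ deck. Stock and holds live in memory and the clock is injectable so expiry can be exercised offline. The policy is an assumption: a booking holds one unit for 10 minutes, and a single client (an IP, session or account) may hold at most 3 units at a time. The class names and the `ticket` stock are constructed.

```python
"""Inventory holds that expire and are capped per client (added example)."""
import time

HOLD_TTL = 600              # assumed: an unpaid hold lapses after 10 minutes
MAX_HOLDS_PER_CLIENT = 3    # assumed: concurrent holds allowed per client


class VulnerableInventory:
    """Every booking takes a unit out of stock until payment, and payment
    never has to come: one client can hold everything forever."""

    def __init__(self, stock):
        self.free = dict(stock)
        self.holds = {}
        self._next = 0

    def available(self, sku):
        return self.free[sku]

    def hold(self, client, sku):
        if self.free[sku] <= 0:
            return None
        self.free[sku] -= 1
        self._next += 1
        self.holds[self._next] = (client, sku)
        return self._next


class HardenedInventory:
    """Holds carry an expiry and are purged on every read; a client is
    capped on concurrent holds. A botnet spread over many clients can still
    exhaust stock, which is the DDoS caveat on the slide."""

    def __init__(self, stock, now=time.time):
        self.stock = dict(stock)
        self.holds = {}  # hold_id -> (client, sku, expires_at)
        self.now = now
        self._next = 0

    def _purge(self):
        t = self.now()
        for hid, (_, _, exp) in list(self.holds.items()):
            if exp <= t:
                del self.holds[hid]

    def available(self, sku):
        self._purge()
        held = sum(1 for _, s, _ in self.holds.values() if s == sku)
        return self.stock[sku] - held

    def active_holds(self, client):
        self._purge()
        return sum(1 for c, _, _ in self.holds.values() if c == client)

    def hold(self, client, sku):
        if self.active_holds(client) >= MAX_HOLDS_PER_CLIENT:
            return None  # anti-automation: too many open bookings
        if self.available(sku) <= 0:
            return None
        self._next += 1
        self.holds[self._next] = (client, sku, self.now() + HOLD_TTL)
        return self._next

    def pay(self, hold_id):
        """Completes a booking; an expired hold must be re-booked."""
        self._purge()
        rec = self.holds.pop(hold_id, None)
        if rec is None:
            return False
        self.stock[rec[1]] -= 1
        return True


if __name__ == "__main__":
    v = VulnerableInventory({"ticket": 5})
    while v.hold("attacker", "ticket"):
        pass
    print("vulnerable: victim can book?", v.hold("victim", "ticket") is not None)
    h = HardenedInventory({"ticket": 5})
    ids = [h.hold("attacker", "ticket") for _ in range(5)]
    print("hardened: attacker holds", sum(i is not None for i in ids), "of 5")
    print("hardened: victim can book?", h.hold("victim", "ticket") is not None)
```

Purging on read rather than with a background job keeps the availability figure honest even if the sweeper falls behind; in a database the equivalent is a `WHERE expires_at > now()` clause on the count of open holds.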
13. Detection and Prevention
14. How to detect?
   • What helps?
     – Threat modeling and attack surface analysis
     – Break down the key processes into workflows/flow charts to spot possible manipulations
     – Penetration testing that includes business logic testing by experts
     – Design review
   • What does not help?
     – Automated testing with any tool (neither static nor dynamic analysis)
     – Testing conducted by a team with little expertise
     – Standard code review
15. How to prevent?
   • Design the application and its use-case scenarios with business logic vulnerabilities in mind
   • Conduct security design reviews
   • Independent / third-party tests (inside or outside the company)
   • A comprehensive pen test including business logic testing before the application goes live
16. Resources
17. Top Free Online Resources
   • Checklist for Business Logic Vuln: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
   • OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
   • WebScarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project
18. After 7 Sins.. Now be prepared for Karma!
19. How to be bankrupt in a day?
   • Denial of Dollar Attack!
   • The "Piratebay" founder proposed launching this attack on the law firm that fought against him
   • Example working model:
     – Send a 1 cent online transaction to the law firm's account. The bank deducts 1 dollar as a transaction fee.
     – Send millions of such "1 cent transactions"
20. Stay safe!
21. Thank You
   • bikash@ivizsecurity.com
   • Blog: http://blog.ivizsecurity.com/
   • LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
   • Twitter: https://twitter.com/bikashbarai1
