Anatomy of business logic vulnerabilities


  1. Anatomy of Business Logic Vulnerabilities
     Bikash Barai, Co-Founder & CEO
     Jan 2013 © iViZ Security Inc

  2. About iViZ
     • iViZ – Cloud-based Application Penetration Testing
       – Zero False Positive Guarantee
       – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
     • Funded by IDG Ventures
     • 30+ Zero Day Vulnerabilities discovered
     • 10+ Recognitions from Analysts and Industry
     • 300+ Customers
     • Gartner Hype Cycle: DAST and Application Security as a Service

  3. Understanding Business Logic Vulnerabilities

  4. Understanding Business Logic Vulnerability
     • Business Logic Vulnerabilities are security flaws due to wrong logic design and not due to wrong coding
     • Number of Business Logic Vulnerabilities per App: 2 to 3 for critical Apps
     • Only 5 to 10% of total vulnerabilities
     • Difficult to detect but has the highest impact

  5. 7 Deadly Sins!
  6. Increasing your Bank Balance
     • Impact
       – You can increase your bank balance just by transferring a negative amount to somebody else
     • How does it work?
       – No server-side validation of the amount field
       – Sometimes client-side validations are there, but they can be bypassed by manipulating data in transit (use WebScarab, Burp Suite, Paros etc.)
     • How to fix?
       – Add server-side validations in the workflow
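As an added illustration of the fix on this slide (example code, not from the original deck or from iViZ), here is a Python transfer handler that re-parses and validates the amount on the server regardless of what the browser checked. The `Ledger` class, the account names and the balances are constructed for the example:

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""


@dataclass
class Ledger:
    """In-memory account balances (constructed stand-in for a database)."""
    balances: dict = field(default_factory=dict)

    def transfer(self, src: str, dst: str, raw_amount: str) -> Decimal:
        """Move raw_amount from src to dst and return src's new balance.

        raw_amount is the string exactly as it arrived in the request, so the
        server parses and validates it itself; any JavaScript check in the
        browser is treated as a convenience, not a control.
        """
        try:
            amount = Decimal(raw_amount)
        except InvalidOperation:
            raise TransferError("amount is not a number") from None
        if not amount.is_finite():            # rejects NaN and +/-Infinity
            raise TransferError("amount is not finite")
        # The rule that stops the "negative transfer" trick: only strictly
        # positive amounts may leave src.
        if amount <= 0:
            raise TransferError("amount must be positive")
        # Currency has two decimal places; sub-cent amounts are a rounding lever.
        try:
            if amount != amount.quantize(Decimal("0.01")):
                raise TransferError("amount must have at most two decimal places")
        except InvalidOperation:
            raise TransferError("amount is too large") from None
        if src == dst:
            raise TransferError("source and destination must differ")
        if src not in self.balances or dst not in self.balances:
            raise TransferError("unknown account")
        if self.balances[src] < amount:
            raise TransferError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return self.balances[src]


if __name__ == "__main__":
    ledger = Ledger({"alice": Decimal("100.00"), "bob": Decimal("50.00")})
    print("alice after sending 25.00:", ledger.transfer("alice", "bob", "25.00"))
    try:
        ledger.transfer("alice", "bob", "-500.00")   # the trick described on the slide
    except TransferError as exc:
        print("rejected -500.00:", exc)
```

The amount is kept as the raw request string until the server has parsed it with `Decimal`, so a negative number, `NaN`, or a value with extra precision is rejected before any balance changes; in a real system the two balance updates would also run inside one database transaction.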
  7. Buying online for free!
     • Impact
       – Buy air tickets (or anything that you like) at whatever price you want!
     • How does it work?
       – The application does not validate the amount paid to the payment gateway. An attacker can simply use the "call-back URL" to get the payment marked successful and the product delivered.
     • How to fix?
       – Create a validation process between the application and the payment gateway to know the exact amount transferred
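The validation step this slide asks for, as an added Python example (not code from the deck or from any real payment gateway). It assumes a gateway that signs its callback fields with an HMAC over a shared secret; the `GATEWAY_SECRET`, the field names, the `Order` records and the `gateway_callback` helper that stands in for the gateway are all constructed for the example:

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed secret shared with the gateway; in production it comes from a secret store.
GATEWAY_SECRET = b"constructed-shared-secret-do-not-reuse"
SIGNED_FIELDS = ("order_id", "amount", "currency", "status")


class CallbackRejected(Exception):
    """The callback did not prove that the expected money actually moved."""


@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str
    paid: bool = False


def canonical(params: dict) -> bytes:
    """Bytes both sides sign: fixed field order so there is no ambiguity (assumed scheme)."""
    return "|".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()


def sign(params: dict, secret: bytes = GATEWAY_SECRET) -> str:
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


class Shop:
    def __init__(self, orders):
        self.orders = {o.order_id: o for o in orders}

    def handle_callback(self, params: dict) -> Order:
        """Mark an order paid only if the callback is authentic, matches the order, and is new."""
        if not set(SIGNED_FIELDS + ("signature",)).issubset(params):
            raise CallbackRejected("missing fields")
        # 1. Authenticity: anyone can request the call-back URL, so the fields must be
        #    signed by the gateway. Constant-time compare avoids a timing side channel.
        if not hmac.compare_digest(sign(params), params["signature"]):
            raise CallbackRejected("bad signature")
        order = self.orders.get(params["order_id"])
        if order is None:
            raise CallbackRejected("unknown order")
        if params["status"] != "SUCCESS":
            raise CallbackRejected("payment not successful")
        # 2. Amount: compare what the gateway says was paid against what the shop
        #    expects for this order, never against a price supplied by the client.
        try:
            paid = Decimal(params["amount"])
        except InvalidOperation:
            raise CallbackRejected("malformed amount") from None
        if paid != order.amount or params["currency"] != order.currency:
            raise CallbackRejected(
                f"expected {order.amount} {order.currency}, callback says {paid} {params['currency']}")
        # 3. Freshness: a genuine callback replayed a second time must not ship a second product.
        if order.paid:
            raise CallbackRejected("order already settled (replay)")
        order.paid = True
        return order


def gateway_callback(order_id, amount, currency, status="SUCCESS", secret=GATEWAY_SECRET):
    """Build the message a gateway would send (constructed helper standing in for the real gateway)."""
    params = {"order_id": order_id, "amount": amount, "currency": currency, "status": status}
    params["signature"] = sign(params, secret)
    return params
```

Where the gateway offers a server-to-server status query, calling it with the order id and comparing the returned amount is an equivalent check that does not depend on the callback's signature scheme; either way the shop decides from its own order record what the price was.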
  8. Stealing one-time passwords
     • Impact
       – You can steal the One Time Password of another user without having access to their mobile, email etc.
     • How does it work?
       – The application sends the OTP to the browser for faster client-side validation and a better user experience
     • How to fix?
       – Conduct server-side validation. Do not send the OTP to the browser.

  9. Have unlimited discounts
     • Impact
       – You can enjoy unlimited discounts
     • How does it work?
       – You can add 10 products to the cart and avail the standard (e.g. 10%) discount
       – Remove 9 products from the cart after that, but the application still retains the discount amount
     • How to fix?
       – Recalculate the discount if there is any change in the cart

  10. Get 100% discount with 10% discount coupons
     • Impact
       – You can get 100% discount with a 20% discount coupon
     • How does it work?
       – The same coupon can be used multiple times during the same transaction
     • How to fix?
       – Expire the coupon after the first use and not after the session ends
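One added Python example covering both of the last two slides (not code from the deck or from iViZ): a cart that recomputes its discount from the current contents on every read, so removing items cannot leave a stale discount behind, and a coupon registry that accepts a code once per order and burns it at checkout rather than at session end. The 10-item volume discount rule, the `Coupon`/`CouponRegistry` classes, the SKUs and the prices are constructed for the example:

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: Decimal  # Decimal("20") means 20% off


class Cart:
    """A cart whose discounts are derived from the current contents, never stored."""
    BULK_MIN_ITEMS = 10            # constructed rule: 10 or more items earn a volume discount
    BULK_PERCENT = Decimal("10")

    def __init__(self) -> None:
        self.lines: dict = {}      # sku -> (unit price, quantity)
        self.coupon: Optional[Coupon] = None

    def add(self, sku: str, unit_price: Decimal, qty: int = 1) -> None:
        if qty <= 0 or unit_price < 0:
            raise ValueError("invalid line")
        price, have = self.lines.get(sku, (unit_price, 0))
        self.lines[sku] = (price, have + qty)

    def remove(self, sku: str, qty: int = 1) -> None:
        price, have = self.lines[sku]
        if qty >= have:
            del self.lines[sku]
        else:
            self.lines[sku] = (price, have - qty)

    def apply_coupon(self, coupon: Coupon) -> None:
        # A second apply on the same order is refused: the same 20% code cannot be
        # stacked five times to reach 100% off.
        if self.coupon is not None:
            raise ValueError("this order already has a coupon")
        self.coupon = coupon

    def item_count(self) -> int:
        return sum(qty for _, qty in self.lines.values())

    def subtotal(self) -> Decimal:
        return sum((price * qty for price, qty in self.lines.values()), Decimal("0"))

    def volume_discount(self) -> Decimal:
        # Evaluated against what is in the cart now, so dropping 9 of 10 items drops the discount.
        if self.item_count() < self.BULK_MIN_ITEMS:
            return Decimal("0")
        return (self.subtotal() * self.BULK_PERCENT / 100).quantize(CENT, ROUND_HALF_UP)

    def coupon_discount(self) -> Decimal:
        if self.coupon is None:
            return Decimal("0")
        base = self.subtotal() - self.volume_discount()
        return (base * self.coupon.percent_off / 100).quantize(CENT, ROUND_HALF_UP)

    def total(self) -> Decimal:
        return (self.subtotal() - self.volume_discount() - self.coupon_discount()).quantize(CENT)


class CouponRegistry:
    """Single-use coupons: a code is burned when the order is placed, not when the session ends."""

    def __init__(self, coupons) -> None:
        self.available = {c.code: c for c in coupons}
        self.redeemed: set = set()

    def lookup(self, code: str) -> Coupon:
        if code in self.redeemed:
            raise ValueError("coupon already redeemed")
        return self.available[code]

    def checkout(self, cart: Cart) -> Decimal:
        total = cart.total()
        if cart.coupon is not None:
            if cart.coupon.code in self.redeemed:
                raise ValueError("coupon already redeemed")
            self.redeemed.add(cart.coupon.code)
        return total
```

The design choice is that no discount figure is ever persisted on the cart; every read of `total()` starts from the line items, which is the simplest way to honour "recalculate on any change".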
  11. Hijacking others' accounts
     • Impact
       – You can hijack anybody's (use your imagination) account.
     • How does it work?
       – Weak password recovery process
       – Choose the "Do not have access to registered email" option
       – Brute force the answer to the secret question.
     • How to fix?
       – Create a stronger password recovery option
       – Recovery links only over email
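An added Python example serving both the OTP slide (slide 8) and this one (example code, not from the deck or from iViZ). One store issues a short-lived secret, keeps only its hash on the server, and verifies guesses with an expiry, an attempt limit and single use; the same store backs the 6-digit OTP sent to a phone and the long random recovery token sent by email, so neither value is ever handed to the browser. The class and method names, the 300-second TTL and the 5-attempt limit are constructed for the example:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class PendingSecret:
    digest: bytes       # sha256 of the value; the plaintext is never stored
    expires_at: float
    attempts_left: int


class OneTimeSecretStore:
    """Server-side issue/verify for short-lived one-time secrets.

    The browser only ever submits a guess; the expected value stays on the
    server. Re-issuing for the same user replaces the earlier secret.
    """

    def __init__(self, ttl_seconds: float = 300.0, max_attempts: int = 5,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts   # the real brake on guessing a 6-digit code
        self.clock = clock                 # injectable so expiry can be tested
        self.pending: Dict[Tuple[str, str], PendingSecret] = {}

    @staticmethod
    def _digest(value: str) -> bytes:
        return hashlib.sha256(value.encode()).digest()

    def _issue(self, key: Tuple[str, str], value: str) -> str:
        self.pending[key] = PendingSecret(self._digest(value), self.clock() + self.ttl, self.max_attempts)
        return value  # hand this to the SMS/email sender, never to the HTTP response

    def issue_otp(self, user: str) -> str:
        return self._issue(("otp", user), f"{secrets.randbelow(10 ** 6):06d}")

    def issue_recovery_token(self, user: str) -> str:
        # 32 random bytes: a recovery link that cannot be guessed, unlike a secret question.
        return self._issue(("recovery", user), secrets.token_urlsafe(32))

    def _verify(self, key: Tuple[str, str], guess: str) -> bool:
        entry = self.pending.get(key)
        if entry is None:
            return False                        # nothing pending, already used, or locked out
        if self.clock() > entry.expires_at:
            del self.pending[key]
            return False                        # expired
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(guess))
        if ok or entry.attempts_left <= 0:
            del self.pending[key]               # single use; lockout after too many wrong guesses
        return ok

    def verify_otp(self, user: str, guess: str) -> bool:
        return self._verify(("otp", user), guess)

    def verify_recovery_token(self, user: str, guess: str) -> bool:
        return self._verify(("recovery", user), guess)
```

The recovery path replaces the guessable secret-question answer with a random token that only reaches the registered email address, which is what "recovery links only over email" means in practice; the attempt cap is what makes a 6-digit OTP safe to use at all.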
  12. DoS your competition
     • Impact
       – You can stop others from buying products
     • How does it work?
       – You try to book a product and start the session but do not pay
       – Open millions of such threads and do not pay
       – The application does not have an "expiry time" or other validation of IP etc.
     • How to fix?
       – Session time-out, anti-automation and limit the number of threads from a single IP (DDoS still possible)
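The two fixes on this slide, as an added Python example (not code from the deck or from iViZ): stock held for a pending checkout is released when its timer lapses, and one client identifier (here a source IP, as the slide suggests) may only hold a few unpaid reservations at a time. The `Inventory` class, the 600-second hold TTL, the cap of 3 and the sample stock are constructed for the example:

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


class HoldError(Exception):
    """A hold was refused: out of stock, bad quantity, or the client already has too many open."""


@dataclass
class Hold:
    hold_id: int
    client: str     # whatever identifies the requester: session, account or source IP
    sku: str
    qty: int
    expires_at: float


class Inventory:
    """Stock reservations for a pending checkout, each with an expiry and a per-client cap."""

    def __init__(self, stock: Dict[str, int], hold_ttl: float = 600.0,
                 max_open_holds_per_client: int = 3, clock: Callable[[], float] = time.time) -> None:
        self.stock = dict(stock)               # sku -> units not currently held
        self.ttl = hold_ttl
        self.max_open = max_open_holds_per_client
        self.clock = clock                     # injectable so expiry can be tested
        self.holds: Dict[int, Hold] = {}
        self._next_id = 1

    def _release_expired(self) -> None:
        # Unpaid holds go back on the shelf; this is the "expiry time" the slide asks for.
        now = self.clock()
        for hold_id, hold in list(self.holds.items()):
            if now >= hold.expires_at:
                self.stock[hold.sku] += hold.qty
                del self.holds[hold_id]

    def open_holds(self, client: str) -> int:
        self._release_expired()
        return sum(1 for h in self.holds.values() if h.client == client)

    def available(self, sku: str) -> int:
        self._release_expired()
        return self.stock.get(sku, 0)

    def hold(self, client: str, sku: str, qty: int = 1) -> int:
        """Reserve qty units of sku for client; returns the hold id to pay against."""
        self._release_expired()
        if qty <= 0:
            raise HoldError("quantity must be positive")
        if self.open_holds(client) >= self.max_open:
            raise HoldError("too many unpaid holds for this client")
        if self.stock.get(sku, 0) < qty:
            raise HoldError("not enough stock")
        self.stock[sku] -= qty
        hold_id = self._next_id
        self._next_id += 1
        self.holds[hold_id] = Hold(hold_id, client, sku, qty, self.clock() + self.ttl)
        return hold_id

    def pay(self, client: str, hold_id: int) -> bool:
        """Convert a hold into a sale. False if it expired, never existed, or belongs to someone else."""
        self._release_expired()
        hold = self.holds.get(hold_id)
        if hold is None or hold.client != client:
            return False
        del self.holds[hold_id]
        return True
```

The per-client cap only slows a single source down; as the slide notes, many sources acting together can still exhaust the stock, which is why the timer that returns unpaid stock is the more important of the two controls.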
  13. Detection and Prevention

  14. How to detect?
     • What helps?
       – Threat Modeling and Attack Surface Analysis
       – Break down the key processes into workflows/flow charts to detect possible manipulations
       – Penetration Testing with Business Logic Testing by Experts
       – Design Review
     • What does not help?
       – Automated Testing with any tools (neither Static nor Dynamic)
       – Testing conducted by a team with less expertise
       – Standard Code Review

  15. How to prevent?
     • Design the application/use case scenarios keeping Business Logic Vulnerabilities in mind
     • Conduct Security Design Reviews
     • Independent/Third Party Tests (within or outside the company)
     • Comprehensive Pen Test with Business Logic Testing before the Application goes live

  16. Resources

  17. Top Free Online Resources
     • Checklist for Business Logic Vulnerabilities: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
     • OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
     • WebScarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project

  18. After 7 Sins.. Now be prepared for Karma!

  19. How to be bankrupt in a day?
     • Denial of Dollar Attack!
     • The "Piratebay" founder proposed launching this attack on the law firm which fought against him
     • Example working model:
       – Send a 1 cent online transaction to the law firm's account. The bank deducts 1 dollar as transaction fee.
       – Send millions of "1 cent transactions"

  20. Stay safe!

  21. Thank You
     bikash@ivizsecurity.com
     Blog: http://blog.ivizsecurity.com/
     LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
     Twitter: https://twitter.com/bikashbarai1
