Logical Vulnerabilities in Web Applications
Nilanjan De, CTO, iViZ Security Inc.

Nov 2013

© iViZ Security Inc
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)
Presented by Nilanjan Dey, CTO, iViZ at CISO Platform Annual Summit, 2013.
1. Logical Vulnerabilities in Web Applications
2. Introduction
   • iViZ - Cloud based Application Penetration testing
     – Zero False positive guarantee
     – Business logic testing along with 100% WASC class coverage
   • 3000+ applications tested till date
   • Average number of logical vulnerabilities per non-trivial and critical app ~ 2-3
3. Logical Vulnerabilities
4. Logical vs Technical Flaws
   Logical Flaws
   • Occur due to logical design weakness and not due to wrong coding. These flaws exploit the legitimate processing flow of an application to cause a negative consequence to the application owner or user.
   • Finding logical vulnerabilities is an undecidable problem. Hence it is difficult for automated scanners to find them in all cases.
   • Typically testing or exploiting these requires multi-step operations, which makes it more difficult for automated scanners to find them.
   Technical Flaws
   • Most often occur due to wrong or insecure coding or missing security controls.
   • Automated scanners can largely find these vulnerabilities.
   • These flaws typically have well-known and reliable test cases.
5. Common Logical Vulnerabilities
6. Payment gateway price manipulation
   • Manipulation of price when the request is transferred to the payment gateway and back.
   • Attacker can purchase at a different price than the actual one (usually a lower or zero price). Especially dangerous for items where fulfillment or delivery is immediate, e.g., digital downloads, e-tickets, phone recharge, etc.
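The defender-side counterpart to this slide, added here as an example (not code from the deck or from iViZ): the server takes the price from its own order record, signs what it sends to the gateway, and on the callback checks both the signature and that the charged amount equals the stored total. The order store, gateway field names and shared secret are constructed assumptions.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed merchant-side order store (assumption: the deck names the flaw
# but no schema; these records are invented for the example).
ORDERS = {
    "ORD-1001": {"total": Decimal("499.00"), "currency": "INR", "paid": False},
}
# Secret shared only between merchant server and gateway (constructed value).
GATEWAY_SECRET = b"constructed-shared-secret-not-for-production"


def sign(fields: dict) -> str:
    """HMAC over a canonical rendering of the fields, so a price edited in the
    browser while the request hops merchant -> gateway -> merchant is detected."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_gateway_request(order_id: str) -> dict:
    """Fields the server sends to the gateway; the price comes from the
    server-side order, never from the client."""
    order = ORDERS[order_id]
    fields = {"order_id": order_id, "amount": str(order["total"]),
              "currency": order["currency"]}
    fields["signature"] = sign(fields)
    return fields


def handle_gateway_callback(callback: dict) -> str:
    """Mark an order paid only if the callback is authentic AND the charged
    amount equals the stored total; the echoed amount is never trusted alone."""
    fields = {k: v for k, v in callback.items() if k != "signature"}
    if not hmac.compare_digest(sign(fields), callback.get("signature", "")):
        return "rejected: bad signature"
    order = ORDERS.get(fields.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    try:
        charged = Decimal(fields.get("amount", ""))
    except InvalidOperation:
        return "rejected: bad amount"
    if charged != order["total"] or fields.get("currency") != order["currency"]:
        return "rejected: amount mismatch"
    order["paid"] = True
    return "paid"
```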
7. Discount coupon abuse
   • Apply a discount coupon on a large number of items, then cancel the items but retain the discount.
   • Use the same coupon multiple times, or use multiple coupons on the same order.
   • Use single-use coupons in multiple orders by initiating the orders simultaneously.
   • Use expired coupons.
   • Predictable coupon codes.
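Added example (not from the deck): server-side coupon handling that closes three of the abuses above, with an atomic single-use claim that holds up when several checkouts race for one code, an expiry check, and a discount recomputed from whatever items remain after cancellation. The coupon table and order shapes are constructed assumptions.

```python
import threading
from datetime import date
from decimal import Decimal

# Constructed coupon table (assumption: the deck lists the abuses, not a schema).
COUPONS = {
    "WELCOME10": {"percent": 10, "expires": date(2013, 12, 31),
                  "single_use": True, "redeemed_by": None},
    "FLASH5": {"percent": 5, "expires": date(2013, 12, 31),
               "single_use": True, "redeemed_by": None},
}
_claim_lock = threading.Lock()  # one critical section for every claim


def redeem(code: str, order_id: str, today: date) -> tuple:
    """Server-side claim of a coupon for one order. Expiry and single-use are
    enforced here, and the claim is atomic so simultaneous checkouts cannot
    both win the same code."""
    with _claim_lock:
        c = COUPONS.get(code)
        if c is None:
            return False, "unknown coupon"
        if today > c["expires"]:
            return False, "expired"
        if c["single_use"] and c["redeemed_by"] not in (None, order_id):
            return False, "already used"
        c["redeemed_by"] = order_id  # re-claim by the same order stays idempotent
        return True, "ok"


def concurrent_redeem(code: str, order_ids: list, today: date) -> int:
    """Race several orders for the same code at once; returns how many won."""
    wins = []
    threads = [threading.Thread(target=lambda o: wins.append(redeem(code, o, today)[0]),
                                args=(oid,)) for oid in order_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(wins)


def order_total(items: list, code: str) -> Decimal:
    """Recompute the discount from the items that remain, so cancelling items
    after the coupon was applied cannot leave the full discount in place."""
    subtotal = sum((i["price"] * i["qty"] for i in items), Decimal("0"))
    c = COUPONS.get(code)
    discount = subtotal * c["percent"] / 100 if c else Decimal("0")
    return (subtotal - discount).quantize(Decimal("0.01"))
```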
8. Password Recovery
   • Weak “Do not have access to registered email?” functionality.
   • Guessable secret questions
     – When is your birthday/anniversary?
     – Where were you born?
     – Mother’s maiden name?
     – Where did you go on honeymoon?
   • Multi-step password recovery process bypass.
   • Pre-authenticated password change functionality abuse.
9. Negative Transfer
   • Transfer a negative amount from your account and increase your bank balance while decreasing your victim’s balance.
     – Only client-side validation and lack of server-side validation leads to such flaws.
     – Relatively less common these days, but we still find such flaws.
   • Transfer a very large positive amount from your account and obtain the same result as above.
     – A positive amount bypasses client-side and server-side validation.
     – Backend legacy code cannot handle integers above 32 bits; due to integer overflow it treats them as negative integers.
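Added example (not from the deck) showing both halves of this slide: a function that mimics the hypothetical legacy backend's signed 32-bit amount field, so you can see a large positive transfer wrap to a negative one, beside the server-side validation that rejects non-positive amounts and anything the backend cannot represent. Balances are held in minor units (paise); the account names and figures are constructed.

```python
from decimal import Decimal, InvalidOperation

INT32_MAX = 2**31 - 1  # largest value the hypothetical legacy field can hold


def legacy_int32(minor_units: int) -> int:
    """Mimic a backend that stores the amount in a signed 32-bit field: bits
    above 31 are dropped and the value wraps, so a large positive turns negative."""
    v = minor_units & 0xFFFFFFFF
    return v - 2**32 if v & 0x80000000 else v


def validate_transfer_amount(amount: str, balance: Decimal) -> tuple:
    """Server-side validation of a transfer amount, independent of any client check."""
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        return False, "not a number"
    if not amt.is_finite():
        return False, "not a number"
    if amt <= 0:
        return False, "amount must be positive"
    if int(amt * 100) > INT32_MAX:  # checked before the backend ever sees it
        return False, "exceeds backend limit"
    if amt != amt.quantize(Decimal("0.01")):
        return False, "too many decimals"
    if amt > balance:
        return False, "insufficient funds"
    return True, "ok"


def unchecked_transfer(balances: dict, src: str, dst: str, amount: str) -> dict:
    """The flawed path from the slide: trust the client and hand the amount to
    the legacy field. A negative or overflowing amount enriches the sender."""
    units = legacy_int32(int(Decimal(amount) * 100))
    balances[src] -= units
    balances[dst] += units
    return balances


def checked_transfer(balances: dict, src: str, dst: str, amount: str) -> tuple:
    """Same transfer with the validation in front of it."""
    ok, why = validate_transfer_amount(amount, Decimal(balances[src]) / 100)
    if not ok:
        return False, why
    units = int(Decimal(amount) * 100)
    balances[src] -= units
    balances[dst] += units
    return True, "ok"
```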
10. Denial of Service
   • Lock out legitimate user
     – Abuse of legitimate functionality to lock a user out on repeated failed logins.
     – Can be misused by attackers to lock the victim’s account.
   • Lock resources without completing the transaction
     – e.g., bus tickets, movie tickets
     – Deduct charges before fulfillment of the order.
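Added example (not from the deck) of a login throttle that does not hand attackers the lockout primitive described above: the source address is what gets throttled hard, while the account only receives a short backoff that expires by itself, so a victim signing in from elsewhere is allowed once it lapses. Thresholds, addresses and the scenario are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 300            # seconds over which failures are counted
SOURCE_LIMIT = 10       # failed attempts per source address per window
ACCOUNT_LIMIT = 5       # failed attempts per account before backoff
BACKOFF_SECONDS = 60    # temporary and self-expiring, never a permanent lock


class LoginThrottle:
    """Throttle failed logins without letting an attacker lock a victim out."""

    def __init__(self):
        self.failures = defaultdict(list)  # ("src"|"acct", id) -> timestamps

    def _recent(self, key, now: float) -> list:
        kept = [t for t in self.failures[key] if now - t < WINDOW]
        self.failures[key] = kept
        return kept

    def check(self, user: str, source: str, now: float) -> str:
        if len(self._recent(("src", source), now)) >= SOURCE_LIMIT:
            return "throttled-source"
        acct = self._recent(("acct", user), now)
        if len(acct) >= ACCOUNT_LIMIT and now - acct[-1] < BACKOFF_SECONDS:
            return "backoff"   # lapses on its own; no admin unlock needed
        return "allow"

    def record_failure(self, user: str, source: str, now: float) -> None:
        self.failures[("src", source)].append(now)
        self.failures[("acct", user)].append(now)

    def record_success(self, user: str) -> None:
        self.failures[("acct", user)].clear()


def simulate() -> dict:
    """Constructed scenario: 10.0.0.9 fails 5 times on 'victim', then sprays
    5 other accounts; the victim later signs in from 192.0.2.7."""
    th = LoginThrottle()
    for i in range(5):
        th.record_failure("victim", "10.0.0.9", float(i))
    for i in range(5, 10):
        th.record_failure(f"user{i}", "10.0.0.9", float(i))
    return {
        "attacker_after": th.check("victim", "10.0.0.9", 12.0),
        "victim_during_backoff": th.check("victim", "192.0.2.7", 20.0),
        "victim_after_backoff": th.check("victim", "192.0.2.7", 80.0),
    }
```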
11. Resources
   • List of common Logical Vulnerabilities
     – http://www.ivizsecurity.com/50-common-logicalvulnerabilities.html
   • OWASP
     – https://www.owasp.org/index.php/Business_logic_vulnerability
     – https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
12. Questions?
13. Thank You
   nilanjan@ivizsecurity.com
   http://www.ivizsecurity.com/