Presented by Nilanjan Dey, CTO, iViZ at CISO Platform Annual Summit, 2013.

1. Logical Vulnerabilities in Web
Applications
Nilanjan De, CTO, iViZ Security Inc.
Nov 2013
© iViZ Security Inc
0

2. Introduction
• iViZ - Cloud based Application Penetration
testing
– Zero False positive guarantee
– Business logic testing along with 100% WASC class
coverage
• 3000+ applications tested till date
• Average number of logical Vulnerabilities per
non-trivial and critical app ~ 2-3
Nov 2013
© iViZ Security Inc
1

3. Logical Vulnerabilities
Nov 2013
© iViZ Security Inc
2

4. Logical vs Technical Flaws
Logical Flaws
Technical Flaws
Occurs due to logical design weakness
and not due to wrong coding. These flaws
exploit legitimate processing flow of an
application to cause a negative
consequence to the application owner or
user.
Most often occurs due to wrong or
insecure coding or missing security
controls.
Finding logical vulnerabilities is an
Automated scanners can largely find
Undecidable problem. Hence it is difficult these vulnerabilities
for automated scanners to find them in all
cases.
Typically testing or exploiting these
require multi-step operations and hence
makes it more difficult for automated
scanners to find them.
Nov 2013
These flaws typically have well known and
reliable test-cases.
© iViZ Security Inc
3

5. Common Logical Vulnerabilities
Nov 2013
© iViZ Security Inc
4

6. Payment gateway price manipulation
• Manipulation of price when the request is
transferred to payment gateway and back.
• Attacker can purchase at a different price than
actual(usually lower or zero price). Especially
dangerous for items where the fulfillment or
delivery is immediate, e.g., digital downloads,
e-tickets, phone recharge, etc.
Nov 2013
© iViZ Security Inc
5

7. Discount coupon abuse
• Apply discount coupon on large number of
items and then cancel the items but retain the
discount
• Use same coupon multiple times or use
multiple coupons on the same order.
• Use single time use coupons in multiple orders
by initiating the orders simultaneously.
• Use expired coupons
• Predictable coupon codes
Nov 2013
© iViZ Security Inc
6

8. Password Recovery
• Weak “Do not have access to registered email?”
functionality.
• Guessable secret questions
–
–
–
–
When is your birthday/anniversary?
Where were you born?
Mother’s maiden name?
Where did you go on honeymoon?
• Multi-step password recovery process bypass.
• Pre-authenticated password change functionality
abuse
Nov 2013
© iViZ Security Inc
7

9. Negative Transfer
• Transfer negative amount from your account and increase
your bank balance and decrease your victims balance.
– Only client side validation and lack of server side validation
leads to such flaws
– Relatively less common these days but we still find such flaws
• Transfer a very large positive amount from your account
and obtain the same result as above
– Positive amount bypasses client side and server side validation
– Backend legacy code cannot handle above 32-bit integers,
therefore due to integer overflow, treats them as negative
integers
Nov 2013
© iViZ Security Inc
8

10. Denial of Service
• Lock out legitimate user
– Abuse of legitimate functionality to lock user on
repeated failed logins.
– Can be misused by attackers to lock victim’s
account.
• Lock resources without completing
transaction
– Eg, bus tickets, movie tickets
– Deduct charges before fulfillment of order.
Nov 2013
© iViZ Security Inc
9

11. Resources
• List of common Logical Vulnerabilities
– http://www.ivizsecurity.com/50-common-logicalvulnerabilities.html
• OWASP
– https://www.owasp.org/index.php/Business_logic
_vulnerability
– https://www.owasp.org/index.php/Testing_for_b
usiness_logic_(OWASP- BL-001)
Nov 2013
© iViZ Security Inc
10

12. Questions?
Nov 2013
© iViZ Security Inc
11

13. Thank You
nilanjan@ivizsecurity.com
http://www.ivizsecurity.com/
Nov 2013
© iViZ Security Inc
12