Anatomy of business logic vulnerabilities
- 1. Anatomy of Business Logic Vulnerabilities Bikash Barai, Co-Founder & CEO Jan 2013 © iViZ Security Inc 0
- 2. About iViZ • iViZ – Cloud based Application Penetration Testing – Zero False Positive Guarantee – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage • Funded by IDG Ventures • 30+ Zero Day Vulnerabilities discovered • 10+ Recognitions from Analysts and Industry • 300+ Customers • Gartner Hype Cycle- DAST and Application Security as a Service Jan 2013 © iViZ Security Inc 1
- 3. Understanding Business Logic Vulnerabilities Jan 2013 © iViZ Security Inc 2
- 4. Understanding Business Logic Vulnerability • Business Logic Vulnerabilities are security flaws due to wrong logic design and not due to wrong coding • # Business Logic Vuln/App: 2 to 3 for critical Apps • Only 5 to 10% of total vulnerabilities • Difficult to detect but has the highest impact Jan 2013 © iViZ Security Inc 3
- 5. 7 Deadly Sins! Jan 2013 © iViZ Security Inc 4
- 6. Increasing your Bank Balance • Impact – You can increase your bank balance just by transferring negative amount to somebody else • How does it work? – No server side validation of the amount field – Sometime client side validations are there which can be bypassed by manipulating “Data on Transit” (use Webscarab, Burp Suite, Paros etc) • How to fix? – Add server side validations in the work flow Jan 2013 © iViZ Security Inc 5
- 7. Buying online for free! • Impact – Buy air tickets (or anything that you like) at what ever price you want! • How does it work? – Application does not validate the amount paid to the payment gateway. Attacker can simply use the “Call back URL” to get the payment success and product delivery. • How to fix? – Create validation process between the application and payment gateway to know the exact amount transferred Jan 2013 © iViZ Security Inc 6
- 8. Stealing one time passwords • Impact – You can the steal the One Time Password of another user despite having access to their mobile, email etc • How does it work? – Application send the OTP to the browser for faster client side validation and better user experience • How to fix? – Conduct server side validation. Do not send OTP to browser. Jan 2013 © iViZ Security Inc 7
- 9. Have unlimited discounts • Impact – You can enjoy unlimited discount • How does it work? – You can add 10 products to the cart and avail the standard (e.g. 10%) discount – Remove 9 products from cart after that but the application still retains the discount amount • How to fix? – Re calculate discount if there is any change in the cart Jan 2013 © iViZ Security Inc 8
- 10. Get 100% discount with 10% discount Coupons • Impact – You can get 100% discount with a 20% discount coupon • How does it work? – Same coupon can be used multiple times during the same transaction • How to fix? – Expire the coupon after the first use and not after the session ends Jan 2013 © iViZ Security Inc 9
- 11. Hijacking others account • Impact – You can hijack anybody’s (use your imagination) account. • How does it work? – Weak password recovery process – Choose “Do not have access to registered email access” option – Brute force the answer to secret question. • How to fix? – Create stronger password recovery option – Recovery links only over email Jan 2013 © iViZ Security Inc 10
- 12. DOS your competition • Impact – You can stop others from buying products • How does it work? – You try to book a product and start the session but do not pay – Open millions of such threads and do not pay – Application does not have “expiry time” or other validation of IP etc • How to fix? – Session Time-Out, Anti-Automation and limit the number of threads from a single IP (DDOS still possible) Jan 2013 © iViZ Security Inc 11
- 13. Detection and Prevention Jan 2013 © iViZ Security Inc 12
- 14. How to detect? • What helps? – Threat Modeling and Attack surface Analysis – Break down the key processes into work-flows/flow chart to detect possible manipulations – Penetration Testing with Business Logic Testing by Experts – Design Review • What does not help? – Automated Testing with any tools (neither Static nor Dynamic) – Testing conducted by a team with less expertise – Standard Code review Jan 2013 © iViZ Security Inc 13
- 15. How to prevent? • Design the application/use case scenarios keeping Business Logic Vulnerability in mind • Conduct Security Design Reviews • Independent /Third Party Tests (within or outside the company) • Comprehensive Pen Test with Business Logic Testing before the Application goes live Jan 2013 © iViZ Security Inc 14
- 16. Resources Jan 2013 © iViZ Security Inc 15
- 17. Top Free Online Resources • Checklist for Business Logic Vuln: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html • OWASP : https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP- BL-001) • Webscarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project Jan 2013 © iViZ Security Inc 16
- 18. After 7 Sins.. Now be prepared for Karma! Jan 2013 © iViZ Security Inc 17
- 19. How to be bankrupt in a day? • Denial of Dollar Attack! • “Piratebay” founder proposed launching this attack on the law firm which fought against him • Example working model: – Send 1 cent online transaction to the law firm account. Bank deducts 1 Dollar as transaction fee. – Send millions of “1 Cent transaction” Jan 2013 © iViZ Security Inc 18
- 20. Stay safe ! Jan 2013 © iViZ Security Inc 19
- 21. Thank You bikash@ivizsecurity.com Blog: http://blog.ivizsecurity.com/ Linkedin:http://www.linkedin.com/pub/bikash-barai/0/7a4/669 Twitter: https://twitter.com/bikashbarai1 Jan 2013 © iViZ Security Inc 20