SlideShare a Scribd company logo

Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)

Priyanka Aash, profile picture
Priyanka Aash

This document discusses logical vulnerabilities in web applications. It defines logical vulnerabilities as flaws occurring due to weaknesses in an application's design logic rather than coding errors. The document outlines common logical vulnerability types like payment gateway price manipulation, discount coupon abuse, weak password recovery, negative transfers, and denial of service. It notes that finding logical vulnerabilities is difficult for automated scanners since they often require multi-step exploitation. The document was presented by the CTO of a security firm that performs application penetration testing.

Technology
1 of 13
1
2
3
4
5
6
7
8
9
10
11
12
13
Logical Vulnerabilities in Web Applications Nilanjan De, CTO, iViZ Security Inc. Nov 2013 © iViZ Security Inc 0
Introduction • iViZ - Cloud based Application Penetration testing – Zero False positive guarantee – Business logic testing along with 100% WASC class coverage • 3000+ applications tested till date • Average number of logical Vulnerabilities per non-trivial and critical app ~ 2-3 Nov 2013 © iViZ Security Inc 1
Logical Vulnerabilities Nov 2013 © iViZ Security Inc 2
Logical vs Technical Flaws Logical Flaws Technical Flaws Occurs due to logical design weakness and not due to wrong coding. These flaws exploit legitimate processing flow of an application to cause a negative consequence to the application owner or user. Most often occurs due to wrong or insecure coding or missing security controls. Finding logical vulnerabilities is an Automated scanners can largely find Undecidable problem. Hence it is difficult these vulnerabilities for automated scanners to find them in all cases. Typically testing or exploiting these require multi-step operations and hence makes it more difficult for automated scanners to find them. Nov 2013 These flaws typically have well known and reliable test-cases. © iViZ Security Inc 3
Common Logical Vulnerabilities Nov 2013 © iViZ Security Inc 4
Payment gateway price manipulation • Manipulation of price when the request is transferred to payment gateway and back. • Attacker can purchase at a different price than actual(usually lower or zero price). Especially dangerous for items where the fulfillment or delivery is immediate, e.g., digital downloads, e-tickets, phone recharge, etc. Nov 2013 © iViZ Security Inc 5
Discount coupon abuse • Apply discount coupon on large number of items and then cancel the items but retain the discount • Use same coupon multiple times or use multiple coupons on the same order. • Use single time use coupons in multiple orders by initiating the orders simultaneously. • Use expired coupons • Predictable coupon codes Nov 2013 © iViZ Security Inc 6
Password Recovery • Weak “Do not have access to registered email?” functionality. • Guessable secret questions – – – – When is your birthday/anniversary? Where were you born? Mother’s maiden name? Where did you go on honeymoon? • Multi-step password recovery process bypass. • Pre-authenticated password change functionality abuse Nov 2013 © iViZ Security Inc 7
Negative Transfer • Transfer negative amount from your account and increase your bank balance and decrease your victims balance. – Only client side validation and lack of server side validation leads to such flaws – Relatively less common these days but we still find such flaws • Transfer a very large positive amount from your account and obtain the same result as above – Positive amount bypasses client side and server side validation – Backend legacy code cannot handle above 32-bit integers, therefore due to integer overflow, treats them as negative integers Nov 2013 © iViZ Security Inc 8
Denial of Service • Lock out legitimate user – Abuse of legitimate functionality to lock user on repeated failed logins. – Can be misused by attackers to lock victim’s account. • Lock resources without completing transaction – Eg, bus tickets, movie tickets – Deduct charges before fulfillment of order. Nov 2013 © iViZ Security Inc 9
Resources • List of common Logical Vulnerabilities – http://www.ivizsecurity.com/50-common-logicalvulnerabilities.html • OWASP – https://www.owasp.org/index.php/Business_logic _vulnerability – https://www.owasp.org/index.php/Testing_for_b usiness_logic_(OWASP- BL-001) Nov 2013 © iViZ Security Inc 10
Questions? Nov 2013 © iViZ Security Inc 11
Thank You nilanjan@ivizsecurity.com http://www.ivizsecurity.com/ Nov 2013 © iViZ Security Inc 12

More Related Content

PDF
The Non-Advanced Persistent Threat
Imperva
 
PPTX
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
PPTX
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
PPTX
Empathy in Monitoring
Zenoss
 
PPTX
API Days Paris - When RESTful may be considered harmful
Ross Garrett
 
PDF
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
satyasekhar123
 
PPTX
SplunkLive! Utrecht - Splunk for Security - Monzy Merza
Splunk
 
PPTX
Be the Hunter
Rahul Neel Mani
 
The Non-Advanced Persistent Threat
Imperva
 
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
Empathy in Monitoring
Zenoss
 
API Days Paris - When RESTful may be considered harmful
Ross Garrett
 
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
satyasekhar123
 
SplunkLive! Utrecht - Splunk for Security - Monzy Merza
Splunk
 
Be the Hunter
Rahul Neel Mani
 

What's hot (19)

PPTX
Understanding Web Bots and How They Hurt Your Business
Imperva Incapsula
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PPTX
SplunkLive! Utrecht - Splunk for IT Operations - Rick Fitz
Splunk
 
PPTX
Detecting and Blocking Suspicious Internal Network Traffic
LogRhythm
 
PPTX
Tervela Streaming for Web & Mobile
tervela
 
PDF
Hacker vs AI
Nordic APIs
 
PDF
Republic Services Customer Presentation
Splunk
 
PDF
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Erin Sweeney
 
PPTX
Design, Build and Map IT and Business Services in Splunk
Splunk
 
PDF
Applying API Security at Scale
Nordic APIs
 
PPTX
Managing Identities in the World of APIs
Apigee | Google Cloud
 
PPTX
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
PPTX
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
 
PDF
Two-factor Authentication
PortalGuard dba PistolStar, Inc.
 
PDF
Hacking A Bluetooth-Enabled Medical Device Is Too Easy
IFAH
 
PDF
SACON - Connected cars (Aditya Kakrania)
Priyanka Aash
 
PDF
Compliance in the mobile enterprise: 5 tips to prepare for your next audit
NowSecure
 
PDF
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode
 
PDF
SplunkLive! Stockholm 2017 - ABN AMRO Customer Presentation
Splunk
 
Understanding Web Bots and How They Hurt Your Business
Imperva Incapsula
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
SplunkLive! Utrecht - Splunk for IT Operations - Rick Fitz
Splunk
 
Detecting and Blocking Suspicious Internal Network Traffic
LogRhythm
 
Tervela Streaming for Web & Mobile
tervela
 
Hacker vs AI
Nordic APIs
 
Republic Services Customer Presentation
Splunk
 
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Erin Sweeney
 
Design, Build and Map IT and Business Services in Splunk
Splunk
 
Applying API Security at Scale
Nordic APIs
 
Managing Identities in the World of APIs
Apigee | Google Cloud
 
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays
 
Two-factor Authentication
PortalGuard dba PistolStar, Inc.
 
Hacking A Bluetooth-Enabled Medical Device Is Too Easy
IFAH
 
SACON - Connected cars (Aditya Kakrania)
Priyanka Aash
 
Compliance in the mobile enterprise: 5 tips to prepare for your next audit
NowSecure
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Veracode
 
SplunkLive! Stockholm 2017 - ABN AMRO Customer Presentation
Splunk
 
Ad

Viewers also liked (19)

DOC
Mohit_Jain_Resume
Mohit Jain
 
PPT
nostalgia pix
Choo Theng Lim
 
PPTX
PSICOLOGIA DE LA SALUD
stephanie23sjs
 
DOC
Solicitud de alta como socio de acedc
acedc
 
PDF
Oer prezi
helgelaj
 
PDF
Ciso bitcoin tx_mallability-pdf
Priyanka Aash
 
PDF
Bachelor in History
Thibault Barb
 
PDF
ciso-platform-annual-summit-2013-IT risk as business risk
Priyanka Aash
 
PPTX
RAB Lighting
Allison Sundstrom
 
PDF
CV
Chad Stewart
 
PDF
447.теория и история литературы проблемы фольклоризма и мифотворчества
ivanov15548
 
PDF
Notorious 9 ciso platform moshe
Priyanka Aash
 
PDF
197.«основные положения гражданского права» часть 2 «договоры, направленные н...
ivanov15666688
 
PDF
El coordinator meeting 11.5.15
Minnesota English Learner Education Conference
 
PPTX
Nielson_Samaj in Bhutanese Culture
Minnesota English Learner Education Conference
 
PPTX
Nanotechnology in surgery
Louizos Louizos
 
PDF
Performance Arts Awards Graded Examinations in Musical Theatre | RSL
Francesca Denton
 
PDF
Information Visualization Project
Alexander Nwala
 
PDF
AHMED HAMDI%27S PORTFOLIO
Ahmed Hamdi
 
Mohit_Jain_Resume
Mohit Jain
 
nostalgia pix
Choo Theng Lim
 
PSICOLOGIA DE LA SALUD
stephanie23sjs
 
Solicitud de alta como socio de acedc
acedc
 
Oer prezi
helgelaj
 
Ciso bitcoin tx_mallability-pdf
Priyanka Aash
 
Bachelor in History
Thibault Barb
 
ciso-platform-annual-summit-2013-IT risk as business risk
Priyanka Aash
 
RAB Lighting
Allison Sundstrom
 
CV
Chad Stewart
 
447.теория и история литературы проблемы фольклоризма и мифотворчества
ivanov15548
 
Notorious 9 ciso platform moshe
Priyanka Aash
 
197.«основные положения гражданского права» часть 2 «договоры, направленные н...
ivanov15666688
 
El coordinator meeting 11.5.15
Minnesota English Learner Education Conference
 
Nielson_Samaj in Bhutanese Culture
Minnesota English Learner Education Conference
 
Nanotechnology in surgery
Louizos Louizos
 
Performance Arts Awards Graded Examinations in Musical Theatre | RSL
Francesca Denton
 
Information Visualization Project
Alexander Nwala
 
AHMED HAMDI%27S PORTFOLIO
Ahmed Hamdi
 
Ad

Similar to Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz) (20)

PPTX
Anatomy of business logic vulnerabilities
DaveEdwards12
 
PPTX
Using 80 20 rule in application security management
DaveEdwards12
 
PDF
Securing a Moving Target
JAX Chamber IT Council
 
PPT
Insecurity in security products 2013
DaveEdwards12
 
PPT
Why current security solutions fail
DaveEdwards12
 
PPTX
Mike Spaulding - Building an Application Security Program
centralohioissa
 
PPTX
Building an AppSec Team Extended Cut
Mike Spaulding
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PDF
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Decisions
 
PDF
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
North Texas Chapter of the ISSA
 
PDF
Web Application Security For Small and Medium Businesses
Sasha Nunke
 
PPTX
Introduction Sebyde BV | Security Testing | Security Awareness | Secure Devel...
Derk Yntema
 
PPTX
Cyber security - It starts with the embedded system
Rogue Wave Software
 
PDF
Securing the Future of Applications Meetup 18092024
lior mazor
 
PPTX
Andrew Useckas Csa presentation hacking custom webapps 4 3
Trish McGinity, CCSK
 
PDF
Oh, WASP! Security Essentials for Web Apps
TechWell
 
PPTX
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
CODE BLUE
 
PPTX
Securing Privileged Access “Inside the Perimeter”
Bomgar
 
PPTX
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Wendy Knox Everette
 
KEY
Application Security Done Right
pvanwoud
 
Anatomy of business logic vulnerabilities
DaveEdwards12
 
Using 80 20 rule in application security management
DaveEdwards12
 
Securing a Moving Target
JAX Chamber IT Council
 
Insecurity in security products 2013
DaveEdwards12
 
Why current security solutions fail
DaveEdwards12
 
Mike Spaulding - Building an Application Security Program
centralohioissa
 
Building an AppSec Team Extended Cut
Mike Spaulding
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Decisions
 
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
North Texas Chapter of the ISSA
 
Web Application Security For Small and Medium Businesses
Sasha Nunke
 
Introduction Sebyde BV | Security Testing | Security Awareness | Secure Devel...
Derk Yntema
 
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Securing the Future of Applications Meetup 18092024
lior mazor
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Trish McGinity, CCSK
 
Oh, WASP! Security Essentials for Web Apps
TechWell
 
[CB19] Integration of Cyber Insurance Into A Risk Management Program by Jake ...
CODE BLUE
 
Securing Privileged Access “Inside the Perimeter”
Bomgar
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Wendy Knox Everette
 
Application Security Done Right
pvanwoud
 

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
A Presentation on Touch Screen Technology
memembruh336
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Encapsulation theory and applications.pdf
gurumoop
 
Approach and Philosophy of On baking technology
30anthuong17
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
project resource management chapter-09.pdf
ssuser00e6e21
 

Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)

  • 1. Logical Vulnerabilities in Web Applications Nilanjan De, CTO, iViZ Security Inc. Nov 2013 © iViZ Security Inc 0
  • 2. Introduction • iViZ - Cloud based Application Penetration testing – Zero False positive guarantee – Business logic testing along with 100% WASC class coverage • 3000+ applications tested till date • Average number of logical Vulnerabilities per non-trivial and critical app ~ 2-3 Nov 2013 © iViZ Security Inc 1
  • 4. Logical vs Technical Flaws Logical Flaws Technical Flaws Occurs due to logical design weakness and not due to wrong coding. These flaws exploit legitimate processing flow of an application to cause a negative consequence to the application owner or user. Most often occurs due to wrong or insecure coding or missing security controls. Finding logical vulnerabilities is an Automated scanners can largely find Undecidable problem. Hence it is difficult these vulnerabilities for automated scanners to find them in all cases. Typically testing or exploiting these require multi-step operations and hence makes it more difficult for automated scanners to find them. Nov 2013 These flaws typically have well known and reliable test-cases. © iViZ Security Inc 3
  • 5. Common Logical Vulnerabilities Nov 2013 © iViZ Security Inc 4
  • 6. Payment gateway price manipulation • Manipulation of price when the request is transferred to payment gateway and back. • Attacker can purchase at a different price than actual(usually lower or zero price). Especially dangerous for items where the fulfillment or delivery is immediate, e.g., digital downloads, e-tickets, phone recharge, etc. Nov 2013 © iViZ Security Inc 5
  • 7. Discount coupon abuse • Apply discount coupon on large number of items and then cancel the items but retain the discount • Use same coupon multiple times or use multiple coupons on the same order. • Use single time use coupons in multiple orders by initiating the orders simultaneously. • Use expired coupons • Predictable coupon codes Nov 2013 © iViZ Security Inc 6
  • 8. Password Recovery • Weak “Do not have access to registered email?” functionality. • Guessable secret questions – – – – When is your birthday/anniversary? Where were you born? Mother’s maiden name? Where did you go on honeymoon? • Multi-step password recovery process bypass. • Pre-authenticated password change functionality abuse Nov 2013 © iViZ Security Inc 7
  • 9. Negative Transfer • Transfer negative amount from your account and increase your bank balance and decrease your victims balance. – Only client side validation and lack of server side validation leads to such flaws – Relatively less common these days but we still find such flaws • Transfer a very large positive amount from your account and obtain the same result as above – Positive amount bypasses client side and server side validation – Backend legacy code cannot handle above 32-bit integers, therefore due to integer overflow, treats them as negative integers Nov 2013 © iViZ Security Inc 8
  • 10. Denial of Service • Lock out legitimate user – Abuse of legitimate functionality to lock user on repeated failed logins. – Can be misused by attackers to lock victim’s account. • Lock resources without completing transaction – Eg, bus tickets, movie tickets – Deduct charges before fulfillment of order. Nov 2013 © iViZ Security Inc 9
  • 11. Resources • List of common Logical Vulnerabilities – http://www.ivizsecurity.com/50-common-logicalvulnerabilities.html • OWASP – https://www.owasp.org/index.php/Business_logic _vulnerability – https://www.owasp.org/index.php/Testing_for_b usiness_logic_(OWASP- BL-001) Nov 2013 © iViZ Security Inc 10
  • 12. Questions? Nov 2013 © iViZ Security Inc 11