Real-Life Example of a 'Business Logic Defect' (Screen Shots!)

NOTE: This is just an example, this site is NOT the actual site vulnerable to this issue ... I know better :)


Sometimes, curiosity just gets the best of me.


For example, I saw a site the other day where the ticket quantity drop-down capped how many I could buy in one purchase.  This troubled me, because I didn't want to make separate purchases ... so I set the hamster loose on the wheel and tried something that should never have worked.  This type of vulnerability is a manipulation of application business logic (at least by our definition of it): the application leaves a business rule, "no more than N per order," to be enforced by the client, and a client that ignores the rule gets whatever it asks for.  Again, this should never, ever work.


Except that it does, way more often than it should.

[Screenshot Tickets_Drop_Down1.jpg: the ticket quantity drop-down as the site renders it]


So ... again, I'm a curious sort, and I wondered how the back-end application logic would behave if I simply modified the data the site had sent to me (the quantities offered in the drop-down) before sending it back.  I wasn't sending any attack strings or anything obviously malicious, just a number the drop-down didn't offer, so nothing was going to set off alarms ...

[Screenshot 3-1-2011 12-29-32 AM.jpg: the data the site sent to the browser, before modification]


Then ... I simply made a small modification.  Again, I repeat: this is not the actual site/code that was vulnerable, so stop Googling already.  I took one more screen shot before I clicked "Add to Cart" and performed a checkout ... mouth agape.

[Screenshot 3-1-2011 12-32-18 AM.jpg: the modified quantity, just before "Add to Cart"]


I win.  Logic fail.


Wouldn't it be really interesting if there were an automated way to start testing for these types of application logic defects in the code out there?  Hrmm...
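To make the failure concrete, here is an added example (my own illustration, not code from the original post or from the site it describes): a ticket "Add to Cart" handler in Python that enforces the per-order limit only in the HTML drop-down it renders, beside one that re-checks the submitted quantity against the server-side catalog. The event, its limit and price, and the two request bodies are all constructed for the example.

```python
"""Added example, not code from the original post or the site it describes.

Two versions of a ticket "Add to Cart" handler for a constructed event catalog:
one enforces the per-order limit only in the drop-down it renders, the other
re-checks the submitted quantity on the server.
"""
import re
from urllib.parse import parse_qs

# Constructed catalog: the server-side truth about each event (hypothetical data).
CATALOG = {
    "1001": {"name": "Example show", "price_cents": 7500, "max_per_order": 8},
}

# Constructed request bodies. HONEST_BODY is what the browser sends from the
# drop-down as rendered; TAMPERED_BODY is the same request after the option
# value (or the POST body itself) was edited to a quantity the drop-down never offered.
HONEST_BODY = "event_id=1001&qty=8"
TAMPERED_BODY = "event_id=1001&qty=30"


def render_quantity_select(event_id):
    """Build the <select> the browser shows. In the vulnerable flow this is the
    ONLY place the limit exists, and it lives entirely in the client's hands."""
    limit = CATALOG[event_id]["max_per_order"]
    options = "".join(f'<option value="{n}">{n}</option>' for n in range(1, limit + 1))
    return f'<select name="qty">{options}</select>'


def add_to_cart_vulnerable(body):
    """Trusts the submitted quantity because 'the drop-down only goes to 8'."""
    form = parse_qs(body)
    event = CATALOG[form["event_id"][0]]
    qty = int(form["qty"][0])
    return {"event": event["name"], "qty": qty, "total_cents": qty * event["price_cents"]}


class OrderRejected(ValueError):
    """Raised by the hardened handler for any request the business rules reject."""


def add_to_cart_hardened(body):
    """Re-validate on the server: the quantity is parsed strictly and checked
    against the catalog limit, and the price comes from the catalog, never
    from anything the client sent."""
    form = parse_qs(body)
    event_ids = form.get("event_id", [])
    quantities = form.get("qty", [])
    if len(event_ids) != 1 or len(quantities) != 1:
        raise OrderRejected("event_id and qty must each appear exactly once")
    event = CATALOG.get(event_ids[0])
    if event is None:
        raise OrderRejected("unknown event")
    raw_qty = quantities[0]
    # ASCII digits only, no leading zero: rejects "", "0", "-3", "8.0", "1e9", "08"
    if not re.fullmatch(r"[1-9][0-9]{0,3}", raw_qty):
        raise OrderRejected("quantity must be a positive integer")
    qty = int(raw_qty)
    if qty > event["max_per_order"]:
        raise OrderRejected(f"quantity {qty} exceeds the limit of {event['max_per_order']}")
    return {"event": event["name"], "qty": qty, "total_cents": qty * event["price_cents"]}


def hardened_rejects(body):
    """True if the hardened handler refuses the request (convenience for checks)."""
    try:
        add_to_cart_hardened(body)
    except OrderRejected:
        return True
    return False


if __name__ == "__main__":
    print(render_quantity_select("1001"))
    print("vulnerable, tampered body:", add_to_cart_vulnerable(TAMPERED_BODY))
    print("hardened, tampered body rejected:", hardened_rejects(TAMPERED_BODY))
    print("hardened, honest body:", add_to_cart_hardened(HONEST_BODY))
```

The vulnerable handler happily books 30 tickets because the only thing that ever said "8 maximum" was an option list the browser was free to rewrite. The hardened one treats the POST body as an untrusted claim: it insists on exactly one `qty`, accepts only a small positive ASCII integer, compares it to the limit the server itself stores, and computes the total from the catalog price rather than from any figure the client might have included.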

Comments
(anon) | ‎03-04-2011 10:07 AM
I encounter this all the time, mostly with the jazzy snazzy client side UI stuff that makes the app seem so nice and smooth and responsive. They have the client side check all kinds of things, length of fields, is this a value within the parameters we set out etc etc, and then they fail to check them again where it really matters, on the server, after the data has passed through my nefarious little hands ;) An automated way would be cool although the hardest part of that is application awareness. I've found that you get the best results if you can teach your scanner, in a somewhat limited fashion, all about your app. That isn't going to teach your scanner what is a good and bad response based on app logic though. Scanners are basically all similar. All send a request and analyze the response for patterns. You'd need to basically define custom checks for each app I think. Who has time for that though.. lol
(anon) | ‎03-04-2011 03:20 PM

Ouch.

I thought THAT kind of craziness ended years ago in Web apps... apparently I need to try harder...

(anon) | ‎03-04-2011 04:45 PM

Worse are sites that rely on the client to perform calculations of totals, so that you could change the "$75.00" to something like "$0.75" to give yourself a small discount on that 30-ticket purchase.  How would you scan for that?  I'd say the solution is to educate developers that the client side is never to be relied upon for validation, except that we're already supposed to be doing that, and it doesn't seem to help much.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation