Logic flaws
Heavily inspired by PortSwigger - Web Security Academy - Business logic vulnerabilities
Trust in client-side controls
If the app relies too much, or solely, on client-side controls, you may be able to intercept and modify requests and e.g. change the price of an item.
Unconventional input
Negative numbers
Large numbers (integer overflows)
Long strings (they may be truncated only after validation, so the stored value differs from the one that was checked and may be usable for exploitation)
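As an added example (not from these notes) covering both the client-side-controls point and the negative/large-number cases above: the same order line handled by a function that trusts the client-supplied price and quantity, and by one that looks the price up server-side and bounds the quantity. CATALOGUE, MAX_QTY and the field names are assumptions.

```python
# Added example, not from the original notes. CATALOGUE, MAX_QTY and the
# request field names are hypothetical.

# Server-side price list in pence (constructed sample data).
CATALOGUE = {"jacket": 133700, "socks": 499}
# Business limit per line; also keeps totals far from any fixed-width
# integer limit in a downstream system (database column, payment API).
MAX_QTY = 100


class InvalidOrder(ValueError):
    pass


def vulnerable_line_total(item):
    """Trusts both price and quantity from the request body."""
    return item["price"] * item["quantity"]


def safe_order_line(item):
    """Ignore any client-supplied price; validate the quantity server-side."""
    sku = item.get("sku")
    if sku not in CATALOGUE:
        raise InvalidOrder("unknown sku")
    qty = item.get("quantity")
    # bool is a subclass of int, so True/False must be rejected explicitly
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise InvalidOrder("quantity must be an integer")
    if qty < 1 or qty > MAX_QTY:
        raise InvalidOrder("quantity out of range")
    unit = CATALOGUE[sku]
    return {"sku": sku, "quantity": qty, "unit_price": unit, "total": unit * qty}


def check_line(item):
    """Return the validated line, or the rejection reason as a string."""
    try:
        return safe_order_line(item)
    except InvalidOrder as e:
        return str(e)


if __name__ == "__main__":
    # A client-edited request with a negative price: the trusting handler
    # turns it into a refund, the hardened one never reads the price at all.
    print(vulnerable_line_total({"price": -133700, "quantity": 1}))
    print(check_line({"sku": "jacket", "quantity": 2, "price": 1}))
    print(check_line({"sku": "jacket", "quantity": -1}))
    print(check_line({"sku": "jacket", "quantity": 2**31}))
```

The upper bound matters even in Python, where ints do not overflow: the total is usually handed to a database column or a payment provider that does have a fixed width.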
(Un)trustworthy users
If privileged functionality depends on e.g. the email address (domain) and you are able to register an account and then change the email address accordingly (without having to re-validate it), you may be able to escalate your privileges.
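As an added example (not from these notes) for this point and the long-string truncation above: a registration flow that derives staff rights from the email domain. The flawed version validates the full address but stores a truncated copy and decides the role on the unverified result; the hardened version rejects over-long input before validating and only grants the role once the mailbox has been confirmed. ADMIN_DOMAIN, EMAIL_COLUMN_LEN and the in-memory `users` dict are assumptions.

```python
# Added example, not from the original notes. ADMIN_DOMAIN, EMAIL_COLUMN_LEN
# and the `users` dict are hypothetical stand-ins.

ADMIN_DOMAIN = "example.com"   # constructed staff domain
EMAIL_COLUMN_LEN = 40          # stand-in for a fixed-width DB column


def domain_of(email):
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def flawed_register(users, username, email):
    """Validates the full address, then stores and uses a truncated copy."""
    if "@" not in email:
        raise ValueError("bad e-mail")
    stored = email[:EMAIL_COLUMN_LEN]        # truncated AFTER validation
    users[username] = {"email": stored, "verified": False,
                       "admin": domain_of(stored) == ADMIN_DOMAIN}
    return users[username]


def _validate(email):
    # Length is checked first, so the value that is validated is exactly the
    # value that will be stored; nothing is silently cut off later.
    if len(email) > EMAIL_COLUMN_LEN or "@" not in email:
        raise ValueError("bad e-mail")


def safe_register(users, username, email):
    _validate(email)
    users[username] = {"email": email, "verified": False, "admin": False}
    return users[username]


def safe_change_email(users, username, new_email):
    """Changing the address drops verification and any domain-derived role."""
    _validate(new_email)
    users[username].update(email=new_email, verified=False, admin=False)
    return users[username]


def safe_confirm_email(users, username):
    """Called only after the user has proved control of the mailbox
    (the confirmation-token round trip is out of scope here)."""
    u = users[username]
    u["verified"] = True
    u["admin"] = domain_of(u["email"]) == ADMIN_DOMAIN
    return u


def outcome(fn, *args):
    """Return the function result, or the rejection message as a string."""
    try:
        return fn(*args)
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed input: 28 characters, then "@example.com" (exactly 40
    # characters so far), then a further domain label.
    padded = "a" * 28 + "@example.com" + ".other.test"
    print(flawed_register({}, "mallory", padded)["admin"])   # True
    print(outcome(safe_register, {}, "mallory", padded))     # bad e-mail
```

The role is recomputed only in safe_confirm_email, so a domain-derived privilege can never outlive the verification that justified it.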
Mandatory input
You may be able to trigger different logic flows inside the app by removing parameters. Remove only one at a time to make sure you reach every code path, and try both variants: removing just the value, and removing name and value together (the server may handle them differently). Complete multi-stage processes, as a change may only reveal something further down the line.
E.g.
Remove the "old password" parameter from the password reset request and try to reset another account's password
If the password reset request contains the username, just change it
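As an added example (not from these notes) for the two cases above: a password-change handler. The flawed version treats a missing "old_password" as "nothing to check" and takes the target username from the request body; the hardened version resolves the account from the authenticated session and treats a missing mandatory parameter as a failed request. The in-memory `users` dict, the form field names and the PBKDF2 parameters are assumptions.

```python
# Added example, not from the original notes. The `users` dict, form field
# names and PBKDF2 parameters are hypothetical.

import hashlib
import hmac
import os

ITERATIONS = 50_000   # kept low for the demo; raise in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def check_password(user, password):
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))


def flawed_change_password(users, form):
    """Target account comes from the form; an absent old_password skips the check."""
    user = users[form["username"]]
    old = form.get("old_password")
    if old is not None and not check_password(user, old):
        return False
    user["hash"] = _hash(form["new_password"], user["salt"])
    return True


def safe_change_password(users, session_user, form):
    """Target account is the logged-in user; both fields are mandatory."""
    user = users[session_user]
    old, new = form.get("old_password"), form.get("new_password")
    if old is None or new is None:
        return False            # missing input is a failure, never a bypass
    if not check_password(user, old):
        return False
    user["hash"] = _hash(new, user["salt"])
    return True


if __name__ == "__main__":
    users = {"alice": make_user("alice-pw"), "bob": make_user("bob-pw")}
    # A request from alice's session naming bob and omitting old_password.
    print(flawed_change_password(users, {"username": "bob", "new_password": "x"}))
    print(safe_change_password(users, "alice", {"new_password": "x"}))
```

Note that the hardened handler does not even read a username from the form; the only way to pick the account is to be logged in to it.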
Multi-stage flows
Just mess with the sequence by:
Skipping steps (dropping requests, GET as well as POST)
Doing steps more than once
Returning to a step later on
etc.
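As an added example (not from these notes): a server-side checkout state machine that makes all three of the above fail closed. Every request names the stage it wants to enter; the server allows only the next stage in order, refuses to repeat the current stage, and refuses to go back once payment has been taken. Stage names and amounts are assumptions.

```python
# Added example, not from the original notes. Stage names and amounts are
# hypothetical.

STAGES = ["cart", "address", "payment", "confirmed"]


class FlowError(Exception):
    pass


class Checkout:
    def __init__(self, total):
        self.total = total       # computed server-side from the cart
        self.stage = "cart"
        self.paid = 0

    def step(self, to, amount=None):
        """Move to stage `to`; raise FlowError for anything out of sequence."""
        if to not in STAGES:
            raise FlowError("unknown stage")
        cur, nxt = STAGES.index(self.stage), STAGES.index(to)
        if self.stage == "confirmed":
            raise FlowError("order already confirmed")
        if nxt == cur + 1:
            if to == "payment":
                if amount != self.total:
                    raise FlowError("amount does not match server-side total")
                self.paid = amount   # recorded once; the stage cannot be re-entered
            if to == "confirmed" and self.paid != self.total:
                raise FlowError("cannot confirm an unpaid order")
        elif nxt < cur:
            # Going back is allowed only before money has changed hands;
            # otherwise the cart could be edited after a smaller payment.
            if self.paid:
                raise FlowError("cannot return to an earlier stage after payment")
        else:
            raise FlowError(f"cannot go from {self.stage} to {to}")
        self.stage = to
        return self.stage

    def attempt(self, to, amount=None):
        """Like step(), but returns the rejection reason instead of raising."""
        try:
            return self.step(to, amount)
        except FlowError as e:
            return str(e)


if __name__ == "__main__":
    c = Checkout(total=1000)
    print(c.attempt("payment", 1000))   # skipped "address"
    print(c.attempt("address"))
    print(c.attempt("payment", 1000))
    print(c.attempt("payment", 1000))   # paying twice
    print(c.attempt("cart"))            # back to the cart after paying
    print(c.attempt("confirmed"))
```

The state lives server-side in the Checkout object; nothing in the request decides where the flow currently is.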
Domain-specific flaws
Take a close look at things like vouchers and gift cards.
Try to apply vouchers multiple times
Try to apply different vouchers, different order, multiple times, etc.
If you are able to purchase gift cards for a reduced price (e.g. using vouchers), you may effectively be able to "print" money.
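As an added example (not from these notes) for the voucher and gift-card points above: flawed_apply() subtracts the discount from the running total every time a code is submitted, so resubmitting it (or interleaving two codes) keeps lowering the price. Order instead recomputes the total from the base prices on every call, records each code at most once, and exempts gift-card lines from percentage discounts so a card can never cost less than its face value. VOUCHERS and the line data are constructed.

```python
# Added example, not from the original notes. VOUCHERS (in basis points)
# and the order lines are constructed sample data.

VOUCHERS = {"SAVE20": 2000, "NEW5": 500}   # code -> discount in basis points


def flawed_apply(order, code):
    """Mutates the stored total; every call compounds the discount."""
    order["total"] -= order["total"] * VOUCHERS[code] // 10000
    return order["total"]


class Order:
    def __init__(self, lines):
        self.lines = lines      # [(kind, price_in_pence), ...] from the server-side cart
        self.codes = set()      # applied voucher codes, each at most once

    def apply(self, code):
        if code not in VOUCHERS:
            raise ValueError("unknown voucher")
        self.codes.add(code)    # a second submission of the same code is a no-op
        return self.total()

    def total(self):
        goods = sum(p for kind, p in self.lines if kind != "giftcard")
        cards = sum(p for kind, p in self.lines if kind == "giftcard")
        # Discounts are summed and applied once to the base price, so the
        # order in which codes were submitted cannot change the result.
        rate = min(sum(VOUCHERS[c] for c in self.codes), 10000)
        return goods - goods * rate // 10000 + cards


if __name__ == "__main__":
    o = {"total": 10000}
    print(flawed_apply(o, "SAVE20"), flawed_apply(o, "SAVE20"))   # 8000 6400
    order = Order([("goods", 10000), ("giftcard", 5000)])
    print(order.apply("SAVE20"), order.apply("SAVE20"))            # 13000 13000
```

Whether several different vouchers may be combined is a business decision; what the hardened version guarantees is that the total is a pure function of the cart and the set of codes, not of how many times or in which order they were sent.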
Encryption oracle
If user-controllable data is encrypted and the resulting ciphertext is then made available to the user, the user can use this to encrypt arbitrary data. If the app also uses encrypted data (using the same algorithm and key) in sensitive functions, the user can use this to craft their own payload. Sometimes even a decrypt function can be found, which makes crafting payloads a lot easier.
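As an added example (not from these notes): two features that share one key, a preview feature that returns the encryption of user text and a session token that the server decrypts in a sensitive path, made safe by binding every ciphertext to a purpose string under the authentication tag. A token minted by the preview feature then fails verification when presented as a session token, even though the same key encrypted it. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only to keep the example standard-library; the point is the purpose binding, not the cipher. KEY and the purpose names are constructed.

```python
# Added example, not from the original notes. KEY and the purpose strings
# are constructed; the HMAC-based stream cipher is an illustration, not a
# recommendation over a real AEAD.

import hashlib
import hmac
import os

KEY = bytes(range(32))   # constructed demo key; use os.urandom(32) in practice


def _subkey(key, label):
    # Separate keys for keystream and tag so their HMAC inputs never collide
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key, purpose, nonce, ct):
    # Purpose is length-prefixed so "ab"+"c" and "a"+"bc" cannot be confused
    p = purpose.encode()
    return hmac.new(key, len(p).to_bytes(2, "big") + p + nonce + ct, hashlib.sha256).digest()


def seal(purpose, plaintext, key=KEY):
    """Encrypt plaintext for exactly one purpose; returns nonce || ct || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + _tag(_subkey(key, b"mac"), purpose, nonce, ct)


def unseal(purpose, token, key=KEY):
    """Return the plaintext, or None if the tag or the purpose does not match."""
    if len(token) < 48:
        return None
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), purpose, nonce, ct)):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


# The two application features, each tied to its own purpose string.
def preview_encrypt(user_text):
    return seal("comment-preview", user_text.encode())


def read_session(token):
    pt = unseal("session", token)
    return pt.decode() if pt is not None else None


if __name__ == "__main__":
    tok = preview_encrypt("user=admin")       # what the oracle hands back
    print(read_session(tok))                  # None: wrong purpose
    print(read_session(seal("session", b"user=alice")))   # user=alice
```

A real AEAD (AES-GCM, ChaCha20-Poly1305) gives the same property through its associated-data input: put the purpose there and a ciphertext from one feature is unusable in another.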