# Logic flaws

Heavily inspired by [PortSwigger - Web Security Academy - Business logic vulnerabilities](https://portswigger.net/web-security/logic-flaws)

## Trust in client-side controls

If the app relies too heavily or solely on client-side controls, you may be able to intercept requests and change, e.g., the price of an item.

## Unconventional input

* Negative numbers
* Large numbers (integer overflows)
* Long strings (they may only get truncated after validation, leaving a value you can use to exploit the app)
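As an added example (not part of the cheat sheet), the two sections above in code: a checkout handler that takes the client's price at face value beside one that looks the price up server-side, bounds the quantity (negatives, booleans, huge values), caps the running total, and truncates a free-text field *before* validating it. The catalog, the limits and the request dicts are constructed for illustration.

```python
# Added example (not from the cheat sheet): server-side order validation.
# Catalog prices, limits and the request dicts are constructed for illustration.

CATALOG = {"sku-1001": 1999, "sku-2002": 499}   # prices in cents (constructed)
MAX_QTY = 100             # per-line quantity limit (assumption)
MAX_TOTAL_CENTS = 10**9   # guard against wrap-around in fixed-width storage (assumption)
NOTE_COLUMN_LEN = 200     # length the database column would silently truncate to (assumption)


class ValidationError(ValueError):
    pass


def vulnerable_total(items):
    """'Before' version: trusts the price and quantity exactly as the client sent them."""
    return sum(int(i["price"]) * int(i["qty"]) for i in items)


def validate_note(note):
    """Truncate first, validate second, so the value checked is the value stored.
    (Validating the full string and truncating afterwards is the ordering the page warns about.)"""
    stored = note[:NOTE_COLUMN_LEN]
    if "\n" in stored or "\r" in stored:
        raise ValidationError("note may not contain line breaks")
    return stored


def safe_total(items, note=""):
    """Hardened version: price is looked up server-side, quantity is a bounded positive
    integer, and the running total is capped before it can overflow a fixed-width field."""
    validate_note(note)
    total = 0
    for item in items:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValidationError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so exclude it explicitly; reject negatives and huge values
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1 or qty > MAX_QTY:
            raise ValidationError(f"quantity out of range for {sku}: {qty!r}")
        total += CATALOG[sku] * qty          # any client-supplied 'price' field is ignored
        if total > MAX_TOTAL_CENTS:
            raise ValidationError("order total exceeds limit")
    return total


def check_order(items, note=""):
    """Convenience wrapper returning (total, None) on success or (None, reason) on rejection."""
    try:
        return safe_total(items, note), None
    except ValidationError as exc:
        return None, str(exc)
```

The point of `validate_note` is the ordering: whatever normalisation the storage layer applies (truncation here) is applied first, so the validator sees exactly the bytes that will persist.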

## (Un)trustworthy users

If privileged functionality depends on e.g. the email address (domain) and you are able to register an account and then change the email address accordingly (without having to re-validate it), you may be able to escalate your privileges.
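The defensive counterpart, as an added example that is not from the cheat sheet: the staff role is derived only from a *verified* address, and changing the address parks the new value as pending until its token is confirmed. The domain, the account and the tokens are constructed placeholders.

```python
# Added example (not from the cheat sheet): privilege derived from a verified email only.
# STAFF_DOMAIN, the account and the tokens are constructed placeholders.

import secrets

STAFF_DOMAIN = "example-corp.test"   # assumption: this domain confers the staff role


class Account:
    def __init__(self, username, email):
        self.username = username
        self.verified_email = None      # nothing is trusted until the link is confirmed
        self.pending_email = email
        self.pending_token = secrets.token_urlsafe(16)

    def request_email_change(self, new_email):
        # The previously verified address stays in force; the new one waits for proof of control.
        self.pending_email = new_email
        self.pending_token = secrets.token_urlsafe(16)
        return self.pending_token   # would be delivered to new_email, never echoed to the client

    def confirm_email(self, token):
        if self.pending_email is None or not secrets.compare_digest(token, self.pending_token):
            return False
        self.verified_email = self.pending_email
        self.pending_email = None
        self.pending_token = None
        return True

    @property
    def is_staff(self):
        # Derive privilege from the verified address only, and compare the exact domain.
        if self.verified_email is None:
            return False
        domain = self.verified_email.rpartition("@")[2]
        return domain.lower() == STAFF_DOMAIN


def vulnerable_is_staff(account):
    """'Before' version: trusts whichever address is currently set, verified or not."""
    email = account.pending_email or account.verified_email or ""
    return email.rpartition("@")[2].lower() == STAFF_DOMAIN
```

The two functions differ only in which field they read; that one field is the whole vulnerability.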

## Mandatory input

You may be able to trigger different logic flows inside the app by removing parameters. Remove only one at a time to make sure you reach all code paths, and try both removing just the value and removing name and value together (they may be handled differently on the server). Complete multi-stage processes, as a change may only reveal something further down the line.

E.g.

* Remove the "old password" parameter from the password reset request and try to reset another account's password
* If the password reset request contains the username, just change it
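Both bullets in one handler, as an added example that is not from the cheat sheet: the "before" version branches on whether `current_password` is present and takes the target user from the form; the hardened version binds the target to the authenticated session, ignores any `username` field, and treats an absent parameter and an empty value identically. The user table, passwords and PBKDF2 round count are constructed for the example.

```python
# Added example (not from the cheat sheet): a password-change handler with and without
# a code path that depends on a parameter being present. Users and passwords are constructed.

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000   # kept low for the example; tune upwards in production


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored, candidate):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS), digest)


def make_users():
    """Constructed user table: username -> record."""
    return {
        "alice": {"hash": hash_password("alice-pass-123")},
        "bob": {"hash": hash_password("bob-pass-456")},
    }


def vulnerable_change_password(users, form):
    """'Before' version: the target comes from the form, and an absent current_password
    parameter skips the verification branch entirely."""
    user = users[form["username"]]
    if "current_password" in form:
        if not verify_password(user["hash"], form["current_password"]):
            return "wrong current password"
    user["hash"] = hash_password(form["new_password"])
    return "ok"


def change_password(users, session_user, form):
    """Hardened version: the target is the authenticated session user (any 'username'
    field is ignored), and a missing or empty current_password is treated the same."""
    user = users[session_user]
    current = form.get("current_password")
    if not current:
        return "current password required"
    if not verify_password(user["hash"], current):
        return "wrong current password"
    new = form.get("new_password") or ""
    if len(new) < 12:
        return "new password too short"
    user["hash"] = hash_password(new)
    return "ok"
```

The hardened handler has exactly one path to the write, and every input that reaches it has been checked; there is no "parameter absent" branch to discover.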

## Multi-stage flows

Just mess with the sequence by:

* Skipping steps (drop requests, GET as well as POST)
* Doing steps more than once
* Returning to an earlier step later on
* etc.

## Domain-specific flaws

Take a close look at things like vouchers and gift-cards.

* Try to apply vouchers multiple times
* Try to apply different vouchers, different order, multiple times, etc.
* If you are able to purchase gift-cards for a reduced price (e.g. using vouchers), you may be able to kinda "print" money.
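An order model that closes the three bullets above, as an added example that is not from the cheat sheet: a voucher is recorded at most once per order, only one voucher is accepted, gift-card lines are excluded from the discount base, and the total is recomputed from the whole order state each time so that the order or number of applications cannot change it. Voucher codes, categories and prices are constructed sample data.

```python
# Added example (not from the cheat sheet): voucher handling that cannot be stacked, repeated
# or used to discount gift cards. Codes, categories and prices are constructed sample data.

VOUCHERS = {"SAVE10": 10, "SAVE20": 20}   # code -> percent off (constructed)
GIFT_CARD = "gift-card"                   # category that carries face value and is never discounted


class Order:
    def __init__(self, lines):
        # lines: list of (sku, category, unit price in cents, qty), constructed sample data
        self.lines = lines
        self.vouchers = []   # codes applied to this order; the rules below keep it to one

    def subtotal(self):
        return sum(price * qty for _, _, price, qty in self.lines)

    def discountable_subtotal(self):
        # gift cards are stored value, so a discount on them is a discount on cash
        return sum(price * qty for _, cat, price, qty in self.lines if cat != GIFT_CARD)

    def apply_voucher(self, code):
        if code not in VOUCHERS:
            return "invalid voucher"
        if code in self.vouchers:
            return "voucher already applied"
        if self.vouchers:
            return "only one voucher per order"
        if self.discountable_subtotal() == 0:
            return "voucher does not apply to gift cards"
        self.vouchers.append(code)
        return "ok"

    def total(self):
        # derived from the full state every time, never accumulated request by request
        base = self.discountable_subtotal()
        discount = sum(base * VOUCHERS[code] // 100 for code in self.vouchers)
        return self.subtotal() - min(discount, base)
```

The `min(discount, base)` clamp is the last line of defence: even if the rules above were loosened, the discount can never exceed the discountable amount, so the order total never goes negative.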

## Encryption oracle

If user-controllable data is encrypted and the resulting ciphertext is then made available to the user, the user can use this to encrypt arbitrary data.\
If the app also uses encrypted data (using the same algorithm) in sensitive functions, the user can use this to craft his own payload.\
Sometimes even a decrypt function can be found, which makes crafting payloads a lot easier.
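The mitigation for this class of issue is domain separation: a ciphertext produced by the user-facing feature must be rejected by every sensitive consumer, even when the attacker chose the plaintext. The block below is an added example, not from the cheat sheet, built on the standard library only: per-purpose keys are derived from one master key, the purpose string is bound into the authentication tag, and decryption fails unless the caller names the same purpose. The master key is generated at import for the example; a real service would load it from a secret store. With a crypto library available, the same idea is AES-GCM with the purpose string as associated data.

```python
# Added example (not from the cheat sheet): purpose-bound authenticated encryption so that
# ciphertext from one feature cannot be replayed into another. Master key is constructed.

import hashlib
import hmac
import os

MASTER_KEY = os.urandom(32)   # constructed for the example; load from a secret store in practice


def _derive(purpose, label):
    # separate encryption and MAC keys per purpose, all from the one master key
    return hmac.new(MASTER_KEY, f"{purpose}|{label}".encode(), hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF; fine for an example, use a library cipher in practice
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(purpose, plaintext):
    """Encrypt-then-MAC; the purpose string is part of what the tag covers."""
    enc_key, mac_key = _derive(purpose, "enc"), _derive(purpose, "mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, purpose.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(purpose, token):
    """Return the plaintext, or None if the tag is wrong for this purpose (wrong key,
    tampered bytes, or a token minted under a different purpose)."""
    if len(token) < 48:
        return None
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    mac_key = _derive(purpose, "mac")
    expected = hmac.new(mac_key, purpose.encode() + b"\0" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = _derive(purpose, "enc")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

A token sealed under `"user-note"` is rejected by `unseal("session-cookie", ...)` before any decryption happens, which is the property that removes the oracle: the user can still encrypt arbitrary data, but the result is only ever valid in the context that produced it.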

