
Breaking Application Logic with Negative User Input

Written by Yuval Batan on


Introduction

While delivering impressive features, the complex logic that powers modern web applications can create unforeseen security weaknesses. Even seemingly minor flaws in these systems’ underlying business logic can be exploited for significant gain.

This article will discuss a critical finding discovered during a recent penetration test for a client’s web application. We identified a business logic bypass within the checkout system, allowing manipulation of product prices to result in unauthorized funds being credited to the user account. It is important to understand that payment mechanisms are particularly sensitive due to their critical role in financial transactions. We’ll delve into the specifics of this vulnerability, explore the potential impact caused, and discuss the steps taken to remediate this vulnerability.

What is Business Logic Bypass Vulnerability?

While traditional security vulnerabilities exploit weaknesses in code or configuration, business logic vulnerabilities arise from flaws in the application’s core logic. These flaws appear when the intended flow and validation of data can be manipulated, allowing attackers to perform unauthorized actions. Unlike traditional vulnerabilities, business logic vulnerabilities may not be readily detectable through automated security scans, and finding them requires a deep understanding of the application’s functionality. This highlights the importance of thorough backend validation alongside client-side checks. Common examples of business logic flaws include excessively trusting client-side controls (like hidden form fields), failing to handle unexpected user input, and making incorrect assumptions about user behavior. These vulnerabilities can have a severe impact, allowing attackers to bypass access controls, manipulate data, or even steal sensitive information.

Real Life Scenario

The following case demonstrates the impact and importance of a business logic bypass vulnerability in a real-life scenario. The web application uses an online checkout system, and every transaction is deducted from the application’s account balance.

For demonstration purposes, we will use Burp Suite, an intercepting proxy that sits between the client and the server, to intercept and modify the requests passed from the client to the server.

When purchasing a product from the application, several parameters are passed in the request, including chargeInBalance, which carries the product price. The following image displays an example of the request sent for a regular, successful purchase of a product that costs 35.0 ILS:

Successful Purchase is Made in the Application

The chargeInBalance parameter is supplied by the client side, which is dangerous because it can be modified in transit and is not validated on the server side.
This behavior can be exploited by purchasing a product and changing the request’s chargeInBalance value to a negative integer. The server accepts the value, and the amount is added to the account’s balance instead of being deducted, as follows:

Illegitimately Increasing the Account Balance

Mitigation

To mitigate this vulnerability, it is recommended to apply the following:

  • Validate the user input according to the business logic. For example, do not allow user-controlled input with negative values for fields representing quantities or prices.
  • Do not pass sensitive parameters such as prices via the client side. If that is not possible, compare the parameter value against the original price on the server side. This ensures any client-side modifications to the price are discarded, and the business logic relies on the trusted server-side value.
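
The two recommendations above can be combined in a single server-side check. The following Python sketch is an added example, not code from the tested application: it places a handler that trusts chargeInBalance next to a hardened one. The `productId` field, the `CATALOG` price table and the function names are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: server-side price list (assumed, not from the tested application).
CATALOG = {"sku-1001": Decimal("35.0")}


class CheckoutError(ValueError):
    """Raised when a checkout request violates the business rules."""


def checkout_vulnerable(balance, request):
    # Trusts the client-supplied amount: subtracting a negative value
    # increases the balance, which is the flaw described in the article.
    return balance - Decimal(str(request["chargeInBalance"]))


def checkout_hardened(balance, request):
    # 1. The authoritative price always comes from the server-side catalog.
    try:
        price = CATALOG[request["productId"]]
    except KeyError:
        raise CheckoutError("unknown product") from None

    # 2. If the client still sends chargeInBalance, parse it strictly and
    #    reject anything that is not a positive amount equal to the real price.
    if "chargeInBalance" in request:
        try:
            claimed = Decimal(str(request["chargeInBalance"]))
        except InvalidOperation:
            raise CheckoutError("charge is not a number") from None
        # is_finite() is checked first so NaN/Infinity never reach the comparison.
        if not claimed.is_finite() or claimed <= 0:
            raise CheckoutError("charge must be a positive amount")
        if claimed != price:
            raise CheckoutError("charge does not match the server-side price")

    # 3. Only the trusted price is ever deducted from the balance.
    if price > balance:
        raise CheckoutError("insufficient balance")
    return balance - price
```

Rejected requests are worth logging with the account identifier, since a negative or mismatched chargeInBalance does not occur in normal client behavior.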

Conclusion

In conclusion, this business logic bypass is a critical vulnerability that allows users to manipulate the system and add unauthorized funds to their account’s balance. This damages the platform’s financial integrity and undermines user trust. Addressing this issue is essential to prevent financial loss and maintain a secure environment.

Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in business logic deployments. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their business logic security and protect valuable data from potential threats.
