Business Logic Vulnerabilities: Cheatsheet

Business Logic Vulnerabilities: Comprehensive Testing Cheatsheet

1. General Testing Approach

  1. Understand Workflows:
    • Map each multi-step action (registration, checkout, password reset, access control) and note what the server assumes about the order and origin of the steps.
  2. Manipulate Parameters:
    • Intercept requests with Burp Suite and change values the client should never control: prices, quantities, roles, account identifiers, tokens.
  3. Simulate Edge Cases:
    • Test unusual inputs (negative values, zero, very large numbers, nulls or omitted parameters, wrong types) and steps submitted out of order or repeated.
  4. Observe Application Responses:
    • Compare the outcome with the business rule, not just the status code: did the order total, balance, role or account change in a way the rule forbids?

2. Testing for Different Businesses and Scenarios

E-commerce Websites

  • Price Manipulation:
    • Modify product price during checkout.
    • Change quantities to negative or zero values to alter the total cost.
  • Coupon Exploits:
    • Apply multiple coupons in an unintended sequence.
    • Reuse expired or one-time-use codes.
  • Discount Abuse:
    • Use referral or loyalty points in unintended ways.

Example Payloads:

  • /checkout?price=0.01
  • /cart?quantity=-10
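
The two payloads above only matter because a checkout handler trusts them. The following is an added example (not code from the original post) showing such a handler beside its hardened form: the catalog, SKUs, coupon codes and the 1..100 quantity bound are all hypothetical, and the store is an in-memory dictionary standing in for the database.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalog and coupon table (hypothetical SKUs and codes).
CATALOG = {"SKU-100": Decimal("50.00"), "SKU-200": Decimal("12.50")}
COUPONS = {                      # code -> (discount fraction, single-use?)
    "SAVE10": (Decimal("0.10"), False),
    "WELCOME50": (Decimal("0.50"), True),
}


class CheckoutError(ValueError):
    """A request violated a business rule; maps to a 400 in a real app."""


def vulnerable_total(params):
    """The flawed server: price and quantity are used exactly as the client sent them,
    so /checkout?price=0.01 and /cart?quantity=-10 both 'work'."""
    price = Decimal(params["price"])
    quantity = int(params["quantity"])
    return price * quantity


def hardened_total(params, redeemed_codes):
    """Price comes from the catalog, quantity is bounded, coupons are validated.

    redeemed_codes: set of single-use codes this account has already consumed.
    In a real app the redemption check and the marking-as-used must happen in one
    database transaction, or two concurrent orders can redeem the same code.
    """
    sku = params.get("sku")
    if sku not in CATALOG:
        raise CheckoutError("unknown sku")
    try:
        quantity = int(params.get("quantity", ""))
    except ValueError:
        raise CheckoutError("quantity must be an integer")
    if not 1 <= quantity <= 100:
        raise CheckoutError("quantity out of range")
    # A client-supplied 'price' is deliberately ignored; the catalog is the only source.
    subtotal = CATALOG[sku] * quantity

    codes = params.get("coupons", [])
    if len(codes) > 1:
        raise CheckoutError("one coupon per order")
    discount = Decimal("0")
    for code in codes:
        if code not in COUPONS:
            raise CheckoutError("invalid coupon")
        fraction, single_use = COUPONS[code]
        if single_use and code in redeemed_codes:
            raise CheckoutError("coupon already redeemed")
        discount = subtotal * fraction
    total = (subtotal - discount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    for code in codes:
        if COUPONS[code][1]:
            redeemed_codes.add(code)     # consume single-use codes
    return total
```

When testing a real target, the hardened behaviour is the baseline to compare against: a negative quantity, a client price, a second coupon or a reused single-use code should each produce a rejection, and any 200 with a changed total is a finding.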

Banking or Financial Apps

  • Balance Manipulation:
    • Submit negative, zero or oversized transaction amounts; a negative transfer that is accepted credits the sender instead of debiting them.
  • Interest Calculation Exploits:
    • Submit large or invalid rate and fee inputs; a rate or fee that the client can supply at all is already a flaw.
  • Fund Transfers:
    • Intercept and modify recipient details during fund transfers, and check whether the source account is taken from the session or from the request.

Example Payloads:

  • /transfer?amount=-1000
  • /loan?rate=9999

SaaS Platforms

  • Role Escalation:
    • Change user roles (e.g., from user to admin).
  • Account Access:
    • Modify email or username parameters during account creation.
  • Subscription Exploits:
    • Change subscription duration or tier in requests.

Example Payloads:

  • /updateRole?role=admin
  • /signup?email=admin@target.com

Authentication and Security

  • 2FA/MFA Bypass:
    • Reuse old verification links or tokens.
    • Modify user identifiers in MFA URLs.
  • Password Reset:
    • Change target email in reset requests to hijack accounts.

Example Payloads:

  • /reset?user=carlos
  • /verify?code=12345

Social Media and Forums

  • Content Manipulation:
    • Edit or delete other users’ posts via IDOR.
  • Profile Hijacking:
    • Change usernames or profile links in transit.
  • Abuse of Privacy Settings:
    • Gain access to hidden content by altering access parameters.

Example Payloads:

  • /editPost?id=123
  • /profile?user=admin
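
Both the SaaS payloads (/updateRole?role=admin) and the social-media ones (/editPost?id=123) are authorization failures on the server. The following added example, not taken from the original post, shows the two flawed handlers next to their hardened versions: mass assignment, where every JSON field is copied onto the user record, and an IDOR, where the post id is trusted without an ownership check. The user ids, post id and field names are hypothetical and the "database" is an in-memory dictionary.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    role: str = "user"


@dataclass
class Post:
    id: int
    owner_id: int
    body: str


class Forbidden(PermissionError):
    """Maps to a 403 (or a 404, see hardened_edit_post) in a real app."""


def make_db():
    """Constructed in-memory store; users 1 (wiener) and 2 (carlos) are hypothetical."""
    return {
        "users": {1: User(1, "wiener@example.com"), 2: User(2, "carlos@example.com")},
        "posts": {123: Post(123, owner_id=2, body="carlos's post")},
    }


# ---- vulnerable handlers ------------------------------------------------------

def vulnerable_update_profile(db, session_user_id, payload):
    """Mass assignment: every field in the body is copied onto the record,
    so {"role": "admin"} lands on the user exactly like /updateRole?role=admin."""
    user = db["users"][session_user_id]
    for field, value in payload.items():
        setattr(user, field, value)
    return user


def vulnerable_edit_post(db, session_user_id, post_id, body):
    """IDOR: the id from /editPost?id=123 is trusted; ownership is never checked."""
    post = db["posts"][post_id]
    post.body = body
    return post


# ---- hardened handlers --------------------------------------------------------

PROFILE_WRITABLE = {"email"}    # allowlist: role changes only via an admin-only endpoint


def hardened_update_profile(db, session_user_id, payload):
    unexpected = set(payload) - PROFILE_WRITABLE
    if unexpected:
        raise Forbidden(f"fields not writable by the user: {sorted(unexpected)}")
    user = db["users"][session_user_id]
    for field in PROFILE_WRITABLE & set(payload):
        setattr(user, field, payload[field])
    return user


def hardened_edit_post(db, session_user_id, post_id, body):
    post = db["posts"].get(post_id)
    # Same error for 'missing' and 'not yours', so the id space cannot be enumerated.
    if post is None or post.owner_id != session_user_id:
        raise Forbidden("no such post")
    post.body = body
    return post
```

Rejecting unknown fields outright (rather than silently dropping them) is a deliberate choice: a tester sending role=admin gets a 403 instead of a 200 that hides whether the field was applied, and the server log shows the attempt.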

3. Specific Testing Techniques

Intercept Requests

  • Use Burp Suite or OWASP ZAP to capture and modify HTTP/HTTPS requests.

Fuzzing Input

  • Test edge cases with Burp Intruder (or the ZAP fuzzer), one parameter at a time:
    • Negative values (-1), zero, nulls or an omitted parameter, large numbers (999999).
    • Invalid characters or data types (letters in a numeric field, NaN, hex, floats where an integer is expected).

Analyze Server Responses

  • Compare every edge-case response against the baseline response for a valid value. Look for:
    • Changes in response codes: a 200 OK where a 400 is expected means the input was accepted; a 500 Internal Server Error means the input reached code that did not expect it.
    • Variations in content length or structure (a missing or extra field, a negative or non-finite number in an amount).

4. Real-World Examples

1. Price Manipulation in E-commerce

  • Add an item to the cart, intercept the request, and modify the price:
    • Original: /checkout?price=50
    • Modified: /checkout?price=0.01

2. Password Reset Flaw

  • Use “Forgot Password” and intercept the request. The flaw exists when the account being reset and the address the link is delivered to travel as separate values, or when the confirmation request names the account next to the token:
    • Original: email=carlos@example.com
    • Modified: email=attacker@example.com
  • Keep the token or delivery address under your control and point the account identifier at the victim; if the server trusts the identifier instead of the account the token was issued for, the victim's password is changed.

3. Bypassing 2FA

  • Log in with your own credentials (wiener) to reach the verification step, then modify the MFA URL:
    • Original: /verify?user=wiener
    • Modified: /verify?user=carlos
  • If the code is checked against the user named in the URL rather than the user who passed the password step, submitting carlos's code (or brute-forcing it, when attempts are unlimited) logs you in as carlos.
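
The following is an added example, not code from the original post, covering the "Authentication and Security" payloads and real-world examples 2 and 3 together: a two-step login whose flawed verify handler trusts the user in the URL, and a password reset whose flawed confirm handler trusts the account in the request, each beside a version that binds the step to the session or to the token issued for that account. The accounts (wiener, carlos, attacker), the in-memory state, the 300 s and 900 s lifetimes and the three-attempt limit are all hypothetical; passwords are stored in clear only to keep the demo short.

```python
import hashlib
import hmac
import secrets
import time

MFA_TTL = 300            # seconds a login code stays valid (hypothetical)
MFA_MAX_ATTEMPTS = 3
RESET_TTL = 900


def make_state():
    """Constructed in-memory store; a real system stores password hashes."""
    return {
        "users": {"wiener": {"password": "peter"}, "carlos": {"password": "montoya"},
                  "attacker": {"password": "hunter2"}},
        "mfa": {},       # username -> {code, expires, attempts}
        "reset": {},     # sha256(token) -> {user, expires}
    }


def _now(now):
    return time.time() if now is None else now


def start_login(state, session, username, password, now=None):
    """Login step 1: on a correct password, issue a short-lived code and remember
    in the *session* which account is waiting for step 2. Returns the code, which
    a real app sends out-of-band (SMS, email, authenticator)."""
    user = state["users"].get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    state["mfa"][username] = {"code": code, "expires": _now(now) + MFA_TTL, "attempts": 0}
    session["pending_user"] = username
    return code


def vulnerable_verify(state, session, params):
    """Flawed step 2: the account comes from /verify?user=..., codes never expire and
    attempts are unlimited, so a session that passed step 1 as wiener can submit
    (or brute-force) carlos's code and become carlos."""
    user = params.get("user")
    rec = state["mfa"].get(user)
    if rec and params.get("code") == rec["code"]:
        session["user"] = user
        return True
    return False


def hardened_verify(state, session, params, now=None):
    """Step 2 bound to the session: the user parameter is ignored; the code is
    single-use, time-limited, attempt-limited and compared in constant time."""
    user = session.get("pending_user")
    rec = state["mfa"].get(user)
    if user is None or rec is None:
        return False
    if _now(now) > rec["expires"] or rec["attempts"] >= MFA_MAX_ATTEMPTS:
        state["mfa"].pop(user, None)
        return False
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["code"], str(params.get("code", ""))):
        return False
    state["mfa"].pop(user)               # one success consumes the code
    session.pop("pending_user")
    session["user"] = user
    return True


def issue_reset(state, username, now=None):
    """Forgot-password step: bind a random token to the account *at issuance*,
    store only its hash, and return the token that goes into the emailed link."""
    if username not in state["users"]:
        return None                      # a real app still answers 'email sent'
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    state["reset"][digest] = {"user": username, "expires": _now(now) + RESET_TTL}
    return token


def vulnerable_confirm_reset(state, params):
    """Flawed confirm: the token only proves that *some* reset was requested; the
    account whose password changes is read from the request (/reset?user=carlos)."""
    digest = hashlib.sha256(str(params.get("token", "")).encode()).hexdigest()
    if digest not in state["reset"] or params.get("user") not in state["users"]:
        return False
    state["users"][params["user"]]["password"] = params["password"]
    return True


def hardened_confirm_reset(state, params, now=None):
    """The account is the one the token was issued for; the token is single-use and expires."""
    digest = hashlib.sha256(str(params.get("token", "")).encode()).hexdigest()
    rec = state["reset"].pop(digest, None)      # pop: one use, whether valid or not
    if rec is None or _now(now) > rec["expires"]:
        return False
    state["users"][rec["user"]]["password"] = params["password"]
    return True
```

The tester's check against a live target follows directly: after the password step as wiener, does /verify accept a user parameter that differs from the session, and does the reset confirmation honour an account name sent alongside the token? Either is account takeover.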

5. Best Practices for Developers

  1. Validate All Inputs Server-Side:
    • Never rely on client-side validation alone; re-check type, range and format on every request.
  2. Enforce Strict Business Rules:
    • Take prices from the catalog, bound quantities and amounts, bind tokens and verification steps to the authenticated session, and check object ownership on every step, not only the first.
  3. Document Workflow Assumptions:
    • Write down the expected order of steps and the edge cases each step must reject, so reviewers and testers have something to test against.
  4. Perform Regular Testing:
    • Simulate the attack scenarios above during QA and again on every change to a checkout, authentication or billing flow.

Quick Cheatsheet

| Scenario | Test Case | Impact |
|---|---|---|
| Price Manipulation | Modify prices or quantities in cart requests. | Financial loss |
| Role Escalation | Change role parameters (e.g., role=admin). | Unauthorized admin access |
| 2FA Bypass | Reuse or alter MFA tokens or URLs. | Account takeover |
| Coupon Exploits | Reuse or chain conflicting coupons. | Fraudulent discounts |
| Password Reset Flaws | Change the account or email in reset requests. | Account takeover |

By understanding workflows and creatively testing edge cases, you can uncover critical business logic flaws for bug bounty programs.


This post is licensed under CC BY 4.0 by the author.