Business Logic Weaknesses
What is Business Logic?
Business Logic is translated from English to Turkish as Business Logic.
The rules for processing data and interpreting the data that an existing application processes are called business logic.
How Do Business Logic Vulnerabilities Occur?
Business logic vulnerabilities, like most other vulnerabilities, arise from inadequate checks of the data received from the user or from thinking that the value coming from the user will come in a certain format.
Identifying Business Logic Weaknesses
As mentioned in the title above, it is necessary to check whether there is a difference between the answers received when we give different inputs than the ones the software expects from us, based on the inputs that the software developer thinks is not necessary to check.
For example; Let's say you have an E-Commerce site and you want to buy a product from this site. When the product you want to buy is added to the cart, the price of the product or the parameters of the number of units purchased appear among the outgoing requests. The number of units of the product is a numerical value and it is very simple to estimate how the software works in the background.
When you read the example code snippet above, simply changing the number of the product quantity to "-1" in the outgoing request can enable you to convert your cart amount into negative values.
Here, the values received from the user are generally prevented from changing to negative numbers on the frontend side, but when attackers edit the request and send it via proxy, they can send the request to the server without being blocked by the frontend.
It is possible to change the product price on an example e-commerce site given above. And it may cause the e-commerce site to incur great losses.
Exploit Example of Business Logic Vulnerabilities
Our first example is a PortSwigger lab called “Excessive trust in client-side controlsWe will solve our question.
In the question, we were asked to purchase “Lightweight l33t leather jacket” as a task.
The user account is given as “wiener:peter”.
We log in with the information provided.
When we log in to the account, we can see that we have $100.
The item we need to buy appears to be $1337. First of all, when we add the product to the cart, we review the outgoing requests.
When we say “View details”, the screen on the left appears and we intervene here with our “Burp Suite” tool.
The price value appears in the request in the relevant field. This parameter shows us that the price of the item we need to buy is $1337.
When we edit the Price value and change it to “100” and send the request. We expect the product to appear as $1 in the cart.
When we go to the cart, the product appears as $1 as we expected. When we click on the place order button, a warning appears informing us that we have solved the question.
Things to Do to Avoid Business Logic Errors:
- Before the application is offered to users, it must be tested by a test expert.
- Software developers should not make assumptions about the values they receive from the user, and it should be ensured that the data received from the user is processed correctly on the server side.