Real-Life Example of a 'Business Logic Defect'

Sunday, March 13, 2011

Rafal Los


NOTE: This is just an example; this site is NOT the actual site vulnerable to this issue... I know better...

Sometimes, curiosity just gets the best of me.

For example, I saw a site the other day, and I wanted to buy more of an item than the site would let me buy in a single purchase. This troubled me, because I didn't want to make separate purchases... so I set the hamster loose on the wheel and tried something interesting that should never have worked.

This type of vulnerability is a manipulation of application business logic (at least by our definition of it) and, again, should never, ever work.

Except that it does, way more often than it should.


So... again, I'm a curious sort, and I wondered how the back-end application logic would behave if I simply modified the data that was sent to me. I'm not sending any attack strings or anything obviously malicious, so it's not setting off any alarms...

[Screenshot: 3-1-2011 12-29-32 AM.jpg]

Then... I simply made a small modification. Again, I repeat: this is not the actual site/code that was vulnerable, so stop Googling already. I took one more screenshot before I clicked "Add to Cart" and performed a checkout... mouth agape.

[Screenshot: 3-1-2011 12-32-18 AM.jpg]

I win.  Logic fail.
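What the back end got wrong above is that the purchase limit existed only in the page it rendered. As an added example (not code from the original post or from the site it describes), here is an add-to-cart handler written both ways: one trusting whatever quantity the browser sends back, one re-checking the per-order limit on the server and recording the violation. The catalog, limits, field names and requests are constructed.

```python
"""Added example: the add-to-cart quantity rule done two ways.
The catalog, limits, field names and requests below are constructed."""


class OrderError(ValueError):
    """Raised when a submitted request violates a business rule."""


# Constructed server-side catalog. The price and the per-order limit live
# here; the HTML form is only a rendering of these rules, never the source.
CATALOG = {
    "sku-123": {"price_cents": 1999, "max_per_order": 2},
}

# Constructed audit trail: rule violations are recorded at the application
# layer, since a WAF sees only an ordinary integer in an ordinary field.
VIOLATIONS = []


def add_to_cart_trusting_client(form):
    """Defective version: the only limit was the <select> rendered for the
    browser, so whatever number comes back is priced and accepted."""
    item = CATALOG[form["sku"]]
    qty = int(form["qty"])
    return {"sku": form["sku"], "qty": qty, "total_cents": qty * item["price_cents"]}


def add_to_cart_enforced(form):
    """Hardened version: the same rule is re-checked where it matters."""
    sku = form.get("sku")
    item = CATALOG.get(sku)
    if item is None:
        raise OrderError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise OrderError("quantity must be an integer") from None
    if not 1 <= qty <= item["max_per_order"]:
        # A value the UI could never have produced is a detection signal in itself.
        VIOLATIONS.append({"sku": sku, "qty": qty, "limit": item["max_per_order"]})
        raise OrderError(f"quantity {qty} outside allowed range 1..{item['max_per_order']}")
    return {"sku": sku, "qty": qty, "total_cents": qty * item["price_cents"]}


# Constructed requests: one the page's dropdown would send, and one with the
# returned value edited before it was submitted.
NORMAL = {"sku": "sku-123", "qty": "2"}
TAMPERED = {"sku": "sku-123", "qty": "50"}
```

The defective handler happily prices fifty units; the hardened one rejects the same request and leaves an entry in VIOLATIONS that an application-layer alert can key on.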

Wouldn't it be really interesting if there were an automated way to start testing for these types of application logic defects in the code out there? Hrmm...

Cross-posted from Following the White Rabbit
