Anatomy of Business Logic Vulnerabilities

Presentation Description

Understanding Business Logic Vulnerability Business Logic Vulnerabilities are security flaws due to wrong logic design and not due to wrong coding

Presentation Transcript

Bikash Barai, Co-Founder & CEO:

Bikash Barai, Co-Founder & CEO. Anatomy of Business Logic Vulnerabilities

About iViZ:

- iViZ: Cloud based Application Penetration Testing
- Zero False Positive Guarantee
- Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
- Funded by IDG Ventures
- 30+ Zero Day Vulnerabilities discovered
- 10+ Recognitions from Analysts and Industry
- 300+ Customers
- Gartner Hype Cycle: DAST and Application Security as a Service

Understanding Business Logic Vulnerabilities

Understanding Business Logic Vulnerability:

- Business Logic Vulnerabilities are security flaws due to wrong logic design and not due to wrong coding
- Number of Business Logic Vulnerabilities per App: 2 to 3 for critical Apps
- Only 5 to 10% of total vulnerabilities
- Difficult to detect but has the highest impact

7 Deadly Sins!

Increasing your Bank Balance :

Impact
- You can increase your bank balance just by transferring a negative amount to somebody else
How does it work?
- No server side validation of the amount field
- Sometimes client side validations are there, which can be bypassed by manipulating “Data on Transit” (use Webscarab, Burp Suite, Paros etc.)
How to fix?
- Add server side validations in the work flow
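The fix on this slide, server side validation of the amount field, as an added example that is not code from the talk or from iViZ. The ledger, account names and the two-decimal money rule are constructed assumptions; the point is that every rule is enforced in the transfer handler itself, so bypassing a browser-side check with a proxy changes nothing.

```python
from decimal import Decimal, InvalidOperation


def demo_ledger():
    """Constructed in-memory ledger standing in for the bank's account table."""
    return {"alice": Decimal("100.00"), "bob": Decimal("20.00")}


ACCOUNTS = demo_ledger()


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""


def parse_amount(raw):
    """Parse the client-supplied amount field without trusting it.

    Only a finite, strictly positive decimal with at most two fractional
    digits is accepted; negative numbers, zero, NaN, "abc" and oversized
    values are rejected here even if a browser-side check exists.
    """
    try:
        amount = Decimal(str(raw))
        rounded = amount.quantize(Decimal("0.01"))
    except (InvalidOperation, ValueError, TypeError):
        raise TransferError("amount is not a valid money value")
    if not amount.is_finite():
        raise TransferError("amount must be a finite number")
    if amount <= 0:
        raise TransferError("amount must be positive")
    if amount != rounded:
        raise TransferError("amount has more than two decimal places")
    return rounded


def transfer(accounts, src, dst, raw_amount):
    """Move money from src to dst, enforcing every rule on the server.

    Returns the amount moved; raises TransferError and leaves the ledger
    untouched on any violation.
    """
    if src == dst:
        raise TransferError("source and destination must differ")
    if src not in accounts or dst not in accounts:
        raise TransferError("unknown account")
    amount = parse_amount(raw_amount)
    if accounts[src] < amount:
        raise TransferError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return amount


if __name__ == "__main__":
    print(transfer(ACCOUNTS, "alice", "bob", "30.50"))
    try:
        transfer(ACCOUNTS, "alice", "bob", "-30.50")   # the slide's negative transfer
    except TransferError as e:
        print("rejected:", e)
```

The handler validates the raw field itself rather than a value the form already parsed, because the proxy-edited request arrives as text; a check on the parsed number alone still rejects the negative amount, but the explicit parse also closes the NaN, infinity and precision cases that a naive `float()` conversion lets through.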

Buying online for free!:

Impact
- Buy air tickets (or anything that you like) at whatever price you want!
How does it work?
- Application does not validate the amount paid to the payment gateway.
- Attacker can simply use the “Call back URL” to get the payment success and product delivery.
How to fix?
- Create a validation process between the application and payment gateway to know the exact amount transferred
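A callback handler that performs the validation this slide asks for, as an added example (not code from the talk, from iViZ or from any real gateway). The signing scheme, shared key, order store and parameter names are assumptions for the example; a real gateway documents its own signature format, and the server must implement that one. What the example shows is the three checks that close the flaw: the callback must be authenticated, the order must still be awaiting payment, and the amount the gateway collected must equal what the order costs.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Constructed shared secret; a real gateway issues its own signing key.
GATEWAY_SECRET = b"example-gateway-signing-key"


def demo_orders():
    """Constructed order store: what the shop expects to be paid per order."""
    return {"ORD-1001": {"amount": Decimal("249.00"), "currency": "USD", "status": "pending"}}


def sign_callback(params, secret=GATEWAY_SECRET):
    """Compute the MAC the gateway would attach to a callback.

    Assumed scheme: sorted key=value pairs joined by '&', HMAC-SHA256 under
    the shared key, with the 'sig' field itself excluded from the message.
    """
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def handle_callback(orders, params, secret=GATEWAY_SECRET):
    """Mark an order paid only if the callback is authentic and matches it."""
    # 1. The callback must come from the gateway, not from whoever knows the URL.
    if not hmac.compare_digest(sign_callback(params, secret), params.get("sig", "")):
        return "rejected: bad signature"
    order = orders.get(params.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    # 2. A callback for an order that is already paid is a replay; never ship twice.
    if order["status"] != "pending":
        return "rejected: order not awaiting payment"
    if params.get("status") != "success":
        return "rejected: gateway reported failure"
    # 3. The amount the gateway actually collected must equal the order total.
    try:
        paid = Decimal(params.get("amount", "0"))
    except InvalidOperation:
        return "rejected: unparseable amount"
    if paid != order["amount"] or params.get("currency") != order["currency"]:
        return "rejected: amount or currency mismatch"
    order["status"] = "paid"
    return "accepted"


if __name__ == "__main__":
    orders = demo_orders()
    callback = {"order_id": "ORD-1001", "amount": "249.00", "currency": "USD", "status": "success"}
    callback["sig"] = sign_callback(callback)
    print(handle_callback(orders, callback))   # accepted
    print(handle_callback(orders, callback))   # rejected: order not awaiting payment
```

The amount comparison is the check the slide is about: a genuine, correctly signed callback that reports a smaller payment (because the customer altered the amount before being redirected to the gateway) still fails, and the order stays unpaid. Where the gateway offers a server-to-server query of the transaction, calling it here is a stronger form of the same check.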

Stealing one time passwords:

Impact
- You can steal the One Time Password of another user without having access to their mobile, email etc.
How does it work?
- Application sends the OTP to the browser for faster client side validation and better user experience
How to fix?
- Conduct server side validation. Do not send the OTP to the browser.

Have unlimited discounts:

Impact
- You can enjoy unlimited discount
How does it work?
- You can add 10 products to the cart and avail the standard (e.g. 10%) discount
- Remove 9 products from the cart after that, but the application still retains the discount amount
How to fix?
- Recalculate the discount if there is any change in the cart

Get 100% discount with 10% discount Coupons:

Impact
- You can get 100% discount with a 20% discount coupon
How does it work?
- Same coupon can be used multiple times during the same transaction
How to fix?
- Expire the coupon after the first use and not after the session ends
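One cart that applies both fixes from the two discount slides above (recalculate the discount on every change; expire a coupon after its first use), as an added example that is not code from the talk or from iViZ. The catalogue, the 10-item bulk rule, the coupon table and the `REDEEMED` set are constructed for the example. The price is never stored: `total()` recomputes it from the cart's current contents, so removing 9 of 10 items loses the bulk discount, and a coupon can be attached once per order and is consumed at checkout rather than at session end.

```python
from decimal import Decimal

BULK_THRESHOLD = 10                    # constructed rule: 10 or more items earn the bulk discount
BULK_DISCOUNT = Decimal("0.10")        # 10% off the subtotal
COUPONS = {"SAVE20": Decimal("0.20")}  # constructed coupon table: code -> fraction off
REDEEMED = set()                       # coupons consumed by a completed order (server-side state)


def demo_catalogue():
    """Constructed catalogue: sku -> unit price."""
    return {"pen": Decimal("5.00"), "notebook": Decimal("12.50")}


class CartError(ValueError):
    pass


class Cart:
    def __init__(self, catalogue):
        self.catalogue = catalogue   # sku -> unit price (Decimal)
        self.items = {}              # sku -> quantity
        self.coupon = None           # at most one coupon per order

    def add(self, sku, qty=1):
        if sku not in self.catalogue or qty <= 0:
            raise CartError("bad item or quantity")
        self.items[sku] = self.items.get(sku, 0) + qty

    def remove(self, sku, qty=1):
        have = self.items.get(sku, 0)
        if qty <= 0 or qty > have:
            raise CartError("cannot remove more than the cart holds")
        if have == qty:
            del self.items[sku]
        else:
            self.items[sku] = have - qty

    def apply_coupon(self, code):
        if code not in COUPONS or code in REDEEMED:
            raise CartError("coupon is invalid or already used")
        if self.coupon is not None:
            raise CartError("a coupon is already applied to this order")
        self.coupon = code

    def total(self):
        """Recompute the price from the current contents on every call.

        Nothing from an earlier cart state is cached, so removing items after
        earning the bulk discount removes the discount with them.
        """
        subtotal = sum((self.catalogue[s] * q for s, q in self.items.items()), Decimal("0"))
        total = subtotal
        if sum(self.items.values()) >= BULK_THRESHOLD:
            total -= subtotal * BULK_DISCOUNT
        if self.coupon is not None:
            total -= total * COUPONS[self.coupon]
        return total.quantize(Decimal("0.01"))

    def checkout(self):
        """Finalise the order: the coupon is consumed now, not when the session ends."""
        if not self.items:
            raise CartError("empty cart")
        if self.coupon is not None:
            REDEEMED.add(self.coupon)
        return self.total()


if __name__ == "__main__":
    cart = Cart(demo_catalogue())
    cart.add("pen", 10)
    print(cart.total())        # 45.00: bulk discount earned
    cart.remove("pen", 9)
    print(cart.total())        # 5.00: discount gone with the items
```

In a real shop `REDEEMED` would be a row in the coupon table updated inside the same database transaction as the order, so two checkouts racing on the same code cannot both succeed.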

Hijacking others' accounts:

Impact
- You can hijack anybody’s (use your imagination) account.
How does it work?
- Weak password recovery process
- Choose the “Do not have access to registered email” option
- Brute force the answer to the secret question.
How to fix?
- Create a stronger password recovery option
- Recovery links only over email
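Both fixes for the OTP slide (validate on the server, never send the OTP to the browser) and the account-hijack slide (recovery links only over email, no guessable secret question) come down to the same server-side store, so the following added example serves both. It is not code from the talk or from iViZ; the time-to-live values, attempt cap and the `shop.example` reset URL are constructed assumptions. The store keeps only a hash of each secret, expires it, locks it after a few failed guesses so that brute force does not work, and returns the plaintext exactly once to whatever sends the SMS or e-mail.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300     # constructed policy values
LINK_TTL_SECONDS = 900
MAX_ATTEMPTS = 5


class OneTimeSecretStore:
    """Server-side store for OTPs and password-recovery tokens.

    Only a hash of each secret is kept, with its expiry and a failed-attempt
    counter. The plaintext is handed once to the out-of-band sender (SMS or
    e-mail) and is never included in any response to the browser.
    """

    def __init__(self):
        self._entries = {}   # (purpose, user) -> (digest, expires_at, failed_attempts)

    @staticmethod
    def _digest(purpose, user, secret):
        return hashlib.sha256(f"{purpose}\0{user}\0{secret}".encode()).hexdigest()

    def _issue(self, purpose, user, secret, ttl, now):
        self._entries[(purpose, user)] = (self._digest(purpose, user, secret), now + ttl, 0)
        return secret

    def issue_otp(self, user, now):
        """Six-digit code for the SMS/e-mail sender; the browser never sees it."""
        return self._issue("otp", user, f"{secrets.randbelow(10 ** 6):06d}", OTP_TTL_SECONDS, now)

    def issue_recovery_link(self, user, now):
        """Recovery link delivered only to the registered e-mail address.

        A 256-bit random token replaces any 'answer the secret question'
        fallback, which is what the brute-force on the slide relies on.
        """
        token = self._issue("recovery", user, secrets.token_urlsafe(32), LINK_TTL_SECONDS, now)
        return f"https://shop.example/reset?user={user}&token={token}"   # hypothetical host

    def verify(self, purpose, user, presented, now):
        """Check a presented value; returns True at most once per issued secret."""
        key = (purpose, user)
        entry = self._entries.get(key)
        if entry is None:
            return False
        digest, expires_at, failed = entry
        if now > expires_at or failed >= MAX_ATTEMPTS:
            del self._entries[key]          # expired or being guessed: discard it
            return False
        if hmac.compare_digest(digest, self._digest(purpose, user, presented)):
            del self._entries[key]          # single use
            return True
        self._entries[key] = (digest, expires_at, failed + 1)
        return False


if __name__ == "__main__":
    store = OneTimeSecretStore()
    code = store.issue_otp("alice", now=0)          # goes to the SMS sender only
    print(store.verify("otp", "alice", code, now=10))    # True
    print(store.verify("otp", "alice", code, now=11))    # False: already consumed
```

The browser only ever posts the value the user typed to `verify`; the comparison, the expiry and the attempt limit all live on the server, which is the whole of the "conduct server side validation" fix.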

DOS your competition:

Impact
- You can stop others from buying products
How does it work?
- You try to book a product and start the session but do not pay
- Open millions of such threads and do not pay
- Application does not have an “expiry time” or other validation of IP etc.
How to fix?
- Session Time-Out, Anti-Automation and limit the number of threads from a single IP (DDoS still possible)
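A stock-reservation store that applies the fixes on this slide, as an added example that is not code from the talk or from iViZ. The ten-minute hold and the per-address cap of three open holds are constructed values. Each unpaid booking carries an expiry; expired holds return their unit to stock on the next operation, and one source address cannot open more than a few unpaid holds at once. As the slide says, a distributed attacker can still spread the load across many addresses, so the cap limits rather than removes the problem.

```python
HOLD_SECONDS = 600        # constructed: an unpaid checkout holds stock for 10 minutes
MAX_HOLDS_PER_IP = 3      # constructed anti-automation cap per source address


class InventoryHolds:
    """Stock reservations that expire and are capped per client address."""

    def __init__(self, stock):
        self.stock = dict(stock)   # sku -> units not currently held or sold
        self.holds = {}            # hold_id -> (sku, client_ip, expires_at)
        self._next_id = 1

    def _expire(self, now):
        """Return the units of every timed-out hold to free stock."""
        for hold_id, (sku, _ip, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                self.stock[sku] += 1
                del self.holds[hold_id]

    def reserve(self, sku, client_ip, now):
        """Start a booking; returns a hold id, or None if refused."""
        self._expire(now)
        active = sum(1 for _, ip, _ in self.holds.values() if ip == client_ip)
        if active >= MAX_HOLDS_PER_IP:
            return None                      # too many open, unpaid sessions from one address
        if self.stock.get(sku, 0) <= 0:
            return None                      # genuinely sold out right now
        self.stock[sku] -= 1
        hold_id = self._next_id
        self._next_id += 1
        self.holds[hold_id] = (sku, client_ip, now + HOLD_SECONDS)
        return hold_id

    def pay(self, hold_id, now):
        """Complete a booking; fails if its hold has already timed out."""
        self._expire(now)
        return self.holds.pop(hold_id, None) is not None

    def available(self, sku, now):
        """Units a new customer could reserve at this moment."""
        self._expire(now)
        return self.stock.get(sku, 0)


if __name__ == "__main__":
    inv = InventoryHolds({"ticket": 5})
    for _ in range(4):
        print(inv.reserve("ticket", "10.0.0.1", now=0))   # 1, 2, 3, None (cap reached)
    print(inv.available("ticket", now=0))                 # 2
    print(inv.available("ticket", now=HOLD_SECONDS + 1))  # 5: unpaid holds released
```

Expiry is evaluated lazily on each call here; a production system would also run a periodic sweep so that stock reappears even when nobody touches that item, and would key the cap on an authenticated account as well as the address.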

Detection and Prevention

How to detect?:

What helps?
- Threat Modeling and Attack Surface Analysis
- Break down the key processes into work-flows/flow charts to detect possible manipulations
- Penetration Testing with Business Logic Testing by Experts
- Design Review
What does not help?
- Automated Testing with any tools (neither Static nor Dynamic)
- Testing conducted by a team with less expertise
- Standard Code review

How to prevent?:

- Design the application/use case scenarios keeping Business Logic Vulnerability in mind
- Conduct Security Design Reviews
- Independent/Third Party Tests (within or outside the company)
- Comprehensive Pen Test with Business Logic Testing before the Application goes live
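The detection slide recommends breaking key processes into work-flows, and the prevention slide recommends designing with these flaws in mind. One way to carry the work-flow from the design review into the code is to write the allowed transitions down as a table and let nothing else change an order's state, so the chart that was reviewed is the chart that runs. The following is an added example, not code from the talk or from iViZ; the order states, events and which party may raise each event are constructed for the example.

```python
class WorkflowError(Exception):
    pass


# Constructed order work-flow as an explicit table, so the whole flow can be
# reviewed as a chart: (current state, event) -> next state. Anything not
# listed here (deliver before pay, pay twice, refund after delivery) is refused.
ORDER_TRANSITIONS = {
    ("created", "pay"): "paid",
    ("created", "cancel"): "cancelled",
    ("paid", "ship"): "shipped",
    ("paid", "refund"): "refunded",
    ("shipped", "deliver"): "delivered",
}

# Which party may raise each event; the customer can only cancel. A "pay"
# event must originate from the verified gateway integration, never from
# a request the customer's browser crafted.
EVENT_ACTOR = {
    "pay": "payment-gateway",
    "ship": "warehouse",
    "deliver": "courier",
    "refund": "support",
    "cancel": "customer",
}


class Order:
    def __init__(self, order_id, amount):
        self.order_id = order_id
        self.amount = amount
        self.state = "created"
        self.history = []     # audit trail: (from, event, actor, to)

    def apply(self, event, actor):
        """Advance the order only along a transition the table allows."""
        next_state = ORDER_TRANSITIONS.get((self.state, event))
        if next_state is None:
            raise WorkflowError(f"{event!r} is not allowed while {self.order_id} is {self.state!r}")
        if EVENT_ACTOR.get(event) != actor:
            raise WorkflowError(f"{actor!r} may not raise {event!r}")
        self.history.append((self.state, event, actor, next_state))
        self.state = next_state
        return next_state


if __name__ == "__main__":
    order = Order("ORD-7", 100)
    try:
        order.apply("ship", "customer")          # skipping payment is not in the table
    except WorkflowError as e:
        print("refused:", e)
    for event, actor in (("pay", "payment-gateway"), ("ship", "warehouse"), ("deliver", "courier")):
        print(order.apply(event, actor))
```

Keeping the table in one place also gives the design review something concrete to sign off on, and the `history` list gives incident responders the sequence of transitions when an order looks wrong.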

Resources

Top Free Online Resources:

- Checklist for Business Logic Vuln: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
- OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
- Webscarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project

After 7 Sins.. Now be prepared for Karma!

How to be bankrupt in a day?:

Denial of Dollar Attack!
- “Piratebay” founder proposed launching this attack on the law firm which fought against him
- Example working model:
  - Send a 1 cent online transaction to the law firm account.
  - Bank deducts 1 Dollar as transaction fee.
  - Send millions of “1 Cent transactions”

Stay safe !

Thank You:

Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
Linkedin: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1
