Web Security Academy — Business Logic Vulnerabilities Walkthrough
These kind of vulnerabilities are harder to detected by defensive security tools, they don’t involve injecting known payloads. In fact, the involve manipulating the parameters sent in the request and those received in the response from an API/Endpoint.
In this article, I would like to share with you, my fellas readers, how I was able to complete all APPRENTICE labs from Web Security Academy by Portswigger.
What do we understand by vulnerabilities in business logic?
In my own words, this vulnerability arises from insufficient validation of each parameter received from an API/Endpoint based of the required business logic. For instance, if there is a parameter for price, it should only accept a positive numbers, not negative ones. Additionally there is lack of validation in terms of procedures or functions from a software development perspective.
Excessive trust in client-side controls
First at all, Im logged as Wiener, and I noticed I had 100 $ in my pocket, so I need to be creative to buy a jacket worth more than $1000 USD
The first endpoint I reviewed was /cart . As you can see from the body request there are a few, but significant parameters to test.
To get the Jacket “for free”, I sent the same request to the Repeater and changed the price to $2
Now , I was able to but the jacket !
Lab Completed!
High-level logic vulnerability
You have to logged as wiener first, and Identified all available endpoints.
In this case, the endpoint is the same one I identified in previous lab, but the “price” parameter was not present.
I experimented with “quantity” parameter,and as we can see, it was not properly handled. I was able to add negative count, which allowed for the total amount to be decrease.
I used this “feature” to lower the total cost, allowing me buy the jacket for less than 100 bucks.
Lab solved!
Inconsistent security controls
So, in based of lab description, the first thing I tried was visit /admin section and received this message.
So I created an account and logged in, this lab was easy.
The option “update email” was the method to bypass the security control,which allows users with a domain @dontwannacry.com. Therefore, I updated my email to include this domain,
Then, I was able to log and delete the account named “carlos”
Flawed enforcement of business rules
This lab was interesting, so let’s get started.
When I logged in, I noticed a coupon for a new customer, which was the first sign
Additionally, the second sign wash when I registered my email for the newsletter and I received another coupon
I selected the jacket and proceeded to checkout, I applied both coupons,which reduced the total amount.
I updated email and registered again for a newsletter, is a new email, so new coupon ;)
I was able to use the same coupon but with another new email
Additionally,When I selected new product, I received a another coupon. Thena after removing that product and selecting a different one, I received yet another coupon, This process was repeated, and all coupons were applied, further reducing the total amount.
Lab complete!
Thank you for your time, if you find any kind of mistake,please feel free to reach out to me.