[TOC]
# Application Logic
Application logic, also called business logic, is the set of rules that defines how the application operates.
Login Logic

# Logic Flaw Vulnerability
Logic flaws occur when an attacker can circumvent those rules.
We can send invalid or unexpected values to the server, triggering unexpected behavior.
> Logic flaws are difficult for automated scanners to detect, which makes them a good target for bug bounty hunters.
## Arise
Logic flaws typically arise because the developer makes flawed assumptions about how users interact with the application.
Common factors behind logic flaws include:
- Inadequate validation of user input
- Complicated systems or large code bases
Common functions that may have logic flaws:
- Authentication
- Transactions
## Impact
The impact of this vulnerability depends on the functionality it is related to.
# Types of Logic Flaws
Identify and Exploit
Business logic flaws are individually unique, but we can group them based on their initial design mistakes.
## Excessive Trust in Client-Side Controls
Developers suppose that users can only interact with the server through the browser.
-> the assumption behind this business logic flaw
`Browser(JavaScript/HTML/CSS) <--> Application`

In fact, we can use a proxy to intercept the request from the browser, modify the values, and send the manipulated data on to the application.
-> Bypass front-end controls
`Browser <--> Proxy (malicious tamper) <--> Application`

### LAB 1 - Excessive Trust in Client-Side Controls
#### Mapping the target & Recon

#### Analysis Attack Surface
==Evaluate User Input==

Sending the product price from the client to the server is risky behavior.
#### Exploit


We can try to buy it at a price of 0.10.


Solved!
### LAB 2 - 2FA can be triggered for another user and brute-forced
#### Mapping the target and Recon
- Crawl Target (Scanner)
- Manually testing functionality
#### Analysis Attack Surface
- Parameters

- Two-Factor Authentication Flows
User (login) -> Security Code (email) -> /myaccount
#### Identifying
Analyze the authentication behavior.
When we log in, we receive the 2FA mail.
POST /login

It sets a cookie.
There are two parameters: one is `verify`, the other is `session`.
GET /login2

Every time we resend the `/login2` GET request, our mailbox receives a new 2FA security code.

`verify` parameter -> potentially drives generation of the 2FA code

If the `verify` parameter does not name a valid user (or is not the winning value), we do not receive the mail.



So we can tamper with the cookie value to make the server generate a security code for a specific user.
This vulnerability is the flawed assumption that the user will not tamper with the cookie value on the client side!!
#### Exploit
When we trigger Carlos's 2FA security code, it is sent to Carlos's email.
There is no brute-force protection on login!!
We can attempt to brute-force Carlos's security code.





Solved !!
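The two defects above, a `verify` value the client controls and an unlimited number of guesses, are shown beside their fixes in this added example (not the lab's code). The session store, the outbox and the lockout threshold are constructed.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3          # assumed lockout threshold
sessions = {}             # constructed stand-in for the server-side session store
outbox = []               # (recipient, code) pairs that would have been emailed


def password_login(user):
    """Step one: the username is fixed in the server-side session here."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": user, "mfa_ok": False, "code": None, "attempts": 0}
    return sid


def vulnerable_send_code(sid, verify_cookie):
    """Flaw: the recipient is whatever the `verify` cookie says, so any logged-in
    user can make the server mail a fresh code to any other account."""
    code = f"{secrets.randbelow(10000):04d}"
    sessions[sid]["code"] = code
    outbox.append((verify_cookie, code))
    return code


def hardened_send_code(sid):
    """The recipient is the user who completed step one, never client input."""
    state = sessions[sid]
    code = f"{secrets.randbelow(10000):04d}"
    state.update(code=code, attempts=0)
    outbox.append((state["user"], code))
    return code


def hardened_check_code(sid, submitted):
    """Constant-time compare, single use, and a hard cap on wrong guesses."""
    state = sessions[sid]
    if state["code"] is None:
        return False                     # nothing to check: not issued, used, or locked
    state["attempts"] += 1
    if hmac.compare_digest(state["code"], submitted):
        state["mfa_ok"] = True
        state["code"] = None             # a code is accepted once only
        return True
    if state["attempts"] >= MAX_ATTEMPTS:
        state["code"] = None             # too many guesses: a new code must be issued
    return False
```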
## Unconventional Input
When developers only consider expected situations and enforce restrictions in front-end JavaScript, it becomes easy to tamper with values using a proxy.
### LAB - High-Level Logic Vulnerability
#### Mapping the Target & Recon

#### Analysis Attack Surface


If the quantity is negative, it may affect the price and make it negative!!!
We can test the quantity parameter to see whether the restriction logic is implemented only on the front-end client!!
#### Identify

#### Exploit
If we want to buy the jacket, we can:



Solved!!
### LAB - Low-Level Logic Flaw
#### Mapping the Target

#### Analysis Attack Surface
Parameters

We know total price = price * quantity.
Functionality
- Place order
We can test the quantity parameter to find the design flaw.
#### Identify Logic Flaw
The quantity is not supposed to be negative.
But we can attempt to buy a huge number of products to determine whether there is an overflow issue with the price variable.


PHP Integer OverFlow

Now we discover there is an integer overflow issue.
Furthermore, after continued purchases of the jacket, the price becomes positive again.

#### Exploit
We can buy another product to bring the price below the credit we currently have.



Solved !!
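The three labs above share one root cause: the server trusts the client for the unit price, the sign of the quantity, and the size of the total. The following is an added example, not the labs' code, of an order-total routine that reproduces that trusted-client behaviour beside a hardened version; the catalogue prices, the quantity limit and the 32-bit wrap are constructed assumptions.

```python
INT32_MAX = 2**31 - 1     # assumed width of the price variable (the wrap the low-level lab hits)
MAX_QTY = 99              # assumed per-line quantity limit
CATALOGUE = {"jacket": 133700, "gift_card": 1000}   # constructed prices, in cents


class OrderError(ValueError):
    pass


def vulnerable_total(items):
    """Trusts every value the client sends: unit price, quantity and its sign.
    The running total is wrapped to 32 bits to mimic the overflow observed."""
    total = 0
    for item in items:
        total += item["price"] * item["quantity"]
        total = (total + 2**31) % 2**32 - 2**31      # emulate int32 wrap-around
    return total


def hardened_total(items):
    """Prices come from the catalogue, quantities are bounded, and a total that
    would leave the 32-bit range is rejected instead of silently wrapping."""
    total = 0
    for item in items:
        if item.get("product_id") not in CATALOGUE:
            raise OrderError("unknown product")
        qty = item.get("quantity")
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise OrderError("quantity out of range")
        total += CATALOGUE[item["product_id"]] * qty   # client-supplied price ignored
        if total > INT32_MAX:
            raise OrderError("order total exceeds supported range")
    return total
```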
### LAB 3 - Inconsistent handling of exceptional input (registration does not check the length, but the permission check runs on a length-limited value!)
#### Mapping the target & Recon

Content discovery
/admin

#### Analysis Attack Surface

- [x] Evaluate User Input
Functionality
- Registration processing



#### Identify
Testing the register functionality
- Same-account testing
(space)meowhecker


Evaluate User Input
- Username

- Email




There is inconsistent handling of the email input.
Register allows us to use a very long email address.
But my-account automatically truncates over-long email strings.
#### Exploit
Normal User

If the my-account endpoint automatically truncates over-long email strings, and the truncated value is then processed by some validation, this could be exploited.
```
email = intercept(email)        // my-account truncates the stored value
// before truncation: email = 'aaaa......(internal-domain)@our-email-server'
// after truncation:  email = 'aaaa......@internal-domain'
if (domain(email) == internal-domain) {
    do something privileged ~~~
}
```
Measure the email truncation offset XD
pattern
```
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4
```



It allows 255 characters.

```
baaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%40dontwannacry.com.exploit-0a5e00dd04fcc30180d6b10801da00f0.exploit-server.net
```



Solved!!
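The mismatch above (registration mails the full address, my-account stores and checks a truncated copy) and its fix, as an added example that is not the lab's code. The 255-character limit is the one measured in the lab; the internal domain is a constructed placeholder.

```python
MAX_EMAIL = 255
INTERNAL_DOMAIN = "corp.example"      # constructed stand-in for the privileged domain


def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def vulnerable_register(email):
    """Flaw: the confirmation goes to the full address, but the stored copy is
    silently cut to MAX_EMAIL and the privilege check runs on that copy."""
    stored = email[:MAX_EMAIL]
    return {"mail_sent_to": email, "stored": stored,
            "is_admin": domain_of(stored) == INTERNAL_DOMAIN}


def hardened_register(email):
    """Every component sees the same value: over-length input is rejected up
    front and privileges derive from the address that was actually confirmed."""
    if len(email) > MAX_EMAIL or email.count("@") != 1:
        raise ValueError("invalid email address")
    return {"mail_sent_to": email, "stored": email,
            "is_admin": domain_of(email) == INTERNAL_DOMAIN}
```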
## Making Flawed Assumptions about User Behavior
One common class of flawed assumption concerns how users behave.
### Excessive Trust in the Registered User
In some applications, once a user passes the strict initial controls, they are treated as trusted, resulting in lax enforcement of later controls.
Business rules and security measures are probably not implemented consistently across the application.
This can lead to potentially dangerous loopholes.
### LAB - Registered User can Modify Email to an Internal Email
#### Mapping the target & Recon

Content discovery

#### Analysis Attack Surface
login
change email
register
Parameters

`/my-account/change-email` -> probably allows a user who has already been email-authenticated to change to an arbitrary email, including a sensitive or internal one
#### Identify


#### Exploit

Solved !!
### Remove Parameters or Values
The browser may prevent the user from submitting a form without a required value.
When probing for this flawed assumption, we should remove each parameter in turn and observe the response.
- Remove only one parameter at a time to ensure all related code paths are reached
- Delete the value, and the parameter name together with its value, separately.

URL, POST data, cookies
### LAB - Server side does not check whether the current-password parameter exists
#### Mapping Target & Recon
Crawl & manual testing & content discovery

#### Analysis Attack Surface
Parameters

Application Functionality
- Change Email
issue: does not require the password,
but it does have a CSRF token!
- Change Password
- Admin interface
`/admin`

#### Identify

We could use the proxy to bypass the front-end control.
- CSRF

- username


- password


There is a flawed assumption that allows us to change the password without the current password.
#### Exploit
Username -> controllable
Current-password requirement -> bypassed
Change the administrator password to escalate privilege.


Solved !!
### LAB - Removing the Token Parameter to Reset a Password
#### Mapping the Target & Recon
#### Analysis Attack surface
parameters

Functionality
- Reset password
- Email Change
#### Identify
Evaluate the reset password functionality
Reset password URL
`/forgot-password?temp-forgot-password-token=3jg5m8ar4pdyqqfh3cpbhgqv9mn2861h`
parameter

- Token

- User


Here we get an interesting response: 302 Found.
#### Exploit
We can attempt to log in as carlos:meowhecker.

Solved !
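Both labs above have the same shape: a check that only runs when its parameter is present. This added example (not the labs' code) shows that shape beside the fix, where the account comes from the session or from the token and the parameter is mandatory; the user store and the reset token are constructed.

```python
import hmac

users = {"wiener": "peter", "carlos": "hunter2", "administrator": "s3cret!"}  # constructed
reset_tokens = {"CONSTRUCTED-TOKEN-1": "carlos"}   # constructed one-time token -> user


def vulnerable_change_password(form):
    """Flaw: current-password is verified only if the client sent it, and the
    target account is taken from the form rather than the session."""
    user = form["username"]
    if "current-password" in form and form["current-password"] != users[user]:
        return False
    users[user] = form["new-password"]
    return True


def hardened_change_password(form, session_user):
    """The account is the logged-in user and the current password is required."""
    current = form.get("current-password")
    if current is None or not hmac.compare_digest(current, users[session_user]):
        return False
    users[session_user] = form["new-password"]
    return True


def vulnerable_reset(form):
    """Flaw: an absent or empty token skips the lookup entirely."""
    token = form.get("temp-forgot-password-token")
    if token and token not in reset_tokens:
        return False
    users[form["username"]] = form["new-password"]
    return True


def hardened_reset(form):
    """The token is mandatory, single-use, and decides which account is reset."""
    token = form.get("temp-forgot-password-token")
    user = reset_tokens.pop(token, None) if token else None
    if user is None:
        return False
    users[user] = form["new-password"]
    return True
```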
### Intended Sequence
Many applications rely on a predefined workflow to complete certain functionality:
- multi-factor authentication
- transactions ..
If the attacker does not follow the intended sequence, the flawed assumption can be exploited to bypass necessary steps and compromise the whole application!!!
### LAB - Management page does not check the 2FA session

#### Mapping

#### Identify & Exploit


Solved
### LAB - Insufficient Workflow Validation
#### Mapping the Target & Recon

#### Analysis Attack Surface
Parameter

Functionality
- change-email
- place order
#### Identify & Exploit
Testing place order
-> normal workflow

Testing by skipping certain steps
`/cart/checkout` probably checks that the current credit is greater than the price of the product.
We add the jacket to our cart
and skip `checkout`.

We buy the jacket (1337.00)
**Your order is on its way!**
### LAB - Drop the role-select request to escalate privilege
#### Mapping the Target & Recon

#### Analysis Attack Surface
Parameters
Functionality
- Select role
- user
- content author

#### Identify & Exploit
Select role

Attempting to skip the select-role step.
Because the select-role request follows the login POST request, we can
use Intercept to drop the request.

```
LOGIN:session
yKwfwfSO9hYMnuMbTlIT5Sl35krlWG56
```
DROP

back to home page

solved !!
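The three labs above are one failure: a later step accepts a session that never completed the earlier steps, or a dropped step leaves a privileged default. This added example (not the labs' code) records progress in the server-side session and re-checks each rule at the step that commits it; the workflows, the role table and the prices are constructed.

```python
WORKFLOWS = {
    "login": ["password", "mfa"],                # /admin needs both
    "order": ["cart", "checkout", "confirm"],    # /cart/checkout cannot be skipped
}
ALLOWED_ROLES = {"wiener": {"user", "content-author"},   # constructed entitlements
                 "administrator": {"administrator"}}


class StepOutOfOrder(Exception):
    pass


def complete_step(session, workflow, step):
    """Accept `step` only when every earlier step of `workflow` is recorded."""
    steps = WORKFLOWS[workflow]
    done = session.setdefault(workflow, [])
    expected = steps[len(done)] if len(done) < len(steps) else None
    if step != expected:
        raise StepOutOfOrder(f"{workflow}: expected {expected!r}, got {step!r}")
    done.append(step)
    return True


def finished(session, workflow):
    return session.get(workflow, []) == WORKFLOWS[workflow]


def select_role(session, role):
    """Roles are chosen only after a complete login and only from the set the
    account is entitled to; the server never infers one from a missing request."""
    if not finished(session, "login") or role not in ALLOWED_ROLES[session["user"]]:
        return False
    session["role"] = role
    return True


def admin_page(session):
    # a dropped select-role request leaves the least-privileged default, not admin
    return finished(session, "login") and session.get("role", "user") == "administrator"


def confirm_order(session, credit, total):
    """The credit rule is enforced here, at the step that commits the order, so
    skipping or tampering with the earlier /cart/checkout step gains nothing."""
    if session.get("order") != ["cart", "checkout"]:
        raise StepOutOfOrder("confirm reached without cart and checkout")
    if credit < total:
        return False
    return complete_step(session, "order", "confirm")
```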
## Domain-Specific Flaws
In real-world testing, we encounter sites from many business domains.
If we want to find business logic flaws in those sites, reading the domain-specific documentation or asking an expert to acquire the domain knowledge is necessary. It helps us identify logic flaws more easily in the application's context.
### LAB - Flawed Enforcement of Business Logic
#### Mapping the Target & Recon
#### Analysis Attack Surface
Functionality
- Place order -> `/cart/checkout`
- Sign up for the newsletter -> we receive a new coupon (haha) -401 price
Workflow
Place order + coupon


Not enough store credit for this purchase
#### Identify
Try to skip the checkout steps


Fail !
Testing the newsletter sign-up

```
SIGNUP30
```

I guess it only checks the coupon that is currently applied, so we can alternate the two coupons to bypass the existing coupon limit.

#### Exploit


Solved !!
### LAB - Infinite Money Logic Flaw
#### Mapping the Target & Recon

#### Analysis Attack Surface
Parameters

Functionality
- Gift code
- Update email
- Coupon
- Place Order
#### Identify & Exploit
Testing the gift code

gift code
```
b5QqZ0nyJa
```


If we buy the gift card again


Using a macro to automatically increase the money







Set the scope

Once the macro setup is finished, we can use Repeater or Intruder to increase our money!!!
Send to Intruder
```
GET /product?productId=1&x=§1§
```

Send 500 -> `3*500 = 1500`

Threads = 1 ==important!!== This is a workflow, so we can't use multi-threading.




Solved
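The two labs above, as an added example that is not the labs' code: the coupon check that compares only against the last code applied, and the gift card that is loaded with its face value rather than the amount paid, each beside its fix. SIGNUP30 is the code from the notes; WELCOME10, the prices and the discount rates are constructed.

```python
COUPONS = {"SIGNUP30": 30, "WELCOME10": 10}   # code -> percent off (WELCOME10 is constructed)
MAX_COUPONS = 1                                # assumed business rule: one coupon per order


def vulnerable_apply(order, code):
    """Flaw: only the *last* applied code is remembered, so alternating two
    codes stacks each of them again and again."""
    if code not in COUPONS or order.get("last_coupon") == code:
        return False
    order["discount"] = order.get("discount", 0) + COUPONS[code]
    order["last_coupon"] = code
    return True


def hardened_apply(order, code):
    """Every code used on the order is recorded and the count is capped."""
    used = order.setdefault("coupons", set())
    if code not in COUPONS or code in used or len(used) >= MAX_COUPONS:
        return False
    used.add(code)
    order["discount"] = sum(COUPONS[c] for c in used)
    return True


def vulnerable_buy_gift_card(account, face_value, discount):
    """Flaw: a discounted purchase yields a card redeemable for its full face
    value, so buy discounted, redeem, repeat is a money printer."""
    paid = face_value * (100 - discount) // 100
    if account["credit"] < paid:
        raise ValueError("not enough store credit")
    account["credit"] -= paid
    return face_value


def hardened_buy_gift_card(account, face_value, discount):
    """Stored-value products are never discounted: the card is worth what was paid."""
    if account["credit"] < face_value:
        raise ValueError("not enough store credit")
    account["credit"] -= face_value
    return face_value


def redeem(account, card_value):
    account["credit"] += card_value
    return account["credit"]
```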
## Providing an Encryption oracle
(skip !!!)
## Email Address Parser Discrepancies
Email format -> local-part@domain

Some websites extract the domain from the email address to determine which organization the mail belongs to.
But we can attempt to manipulate the email address to access sensitive functionality, e.g.:
### Survey
#### Quoted characters
RFC document
https://datatracker.ietf.org/doc/html/rfc2822#section-3.2.2
When the local-part contains characters with special meaning, it is wrapped in double quotes.
```
"user.name"@example.com is parsed as user.name@example.com; the dot (.) is kept without causing a syntax error.
"user\"name"@example.com is parsed as user"name@example.com; the quote (") is part of the local-part, and the backslash lets it appear legally.
---------------------------------
"\""@example.com
Local-Part -> "
Domain -> example.com
"@"@example.com
Local-Part -> @
Domain -> example.com
```
#### FWS / Comments
https://datatracker.ietf.org/doc/html/rfc2822#section-3.2.3
Folding white space is a mechanism in the email format designed to improve readability and compatibility; it allows long lines to be folded at appropriate places.
A CRLF (carriage return line feed) is inserted where the line is too long, at whitespace characters.
```
(foo)user@(bar)example.com
foo and bar -> ignored by the parser
local-part = user
domain = example.com
```
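As an added example (not from the notes or the RFC), the quoted-string and comment rules above applied by a small address splitter, shown beside the naive `split('@')` many applications use, so the discrepancy on these inputs is visible. Folding white space is not handled; the addresses are the ones quoted above.

```python
def naive_domain(addr):
    """What a typical split('@') check believes the domain is."""
    return addr.split("@", 1)[1]


def parse_address(addr):
    """Return (local_part, domain) with "quoted" local-parts, backslash escapes
    and (comments) resolved. Raises ValueError on malformed input."""
    local, buf = None, []
    in_quote = False
    depth = 0                                   # comment nesting level
    i = 0
    while i < len(addr):
        c = addr[i]
        if depth:                               # inside a (comment): drop it
            depth += (c == "(") - (c == ")")
        elif in_quote:
            if c == "\\" and i + 1 < len(addr): # quoted-pair keeps the next char
                i += 1
                buf.append(addr[i])
            elif c == '"':
                in_quote = False
            else:
                buf.append(c)
        elif c == '"' and local is None:
            in_quote = True
        elif c == "(":
            depth = 1
        elif c == "@" and local is None:        # first unquoted @ ends the local-part
            local, buf = "".join(buf), []
        elif c == "@":
            raise ValueError(f"second '@' in domain: {addr!r}")
        else:
            buf.append(c)
        i += 1
    if local is None or in_quote or depth or not buf:
        raise ValueError(f"malformed address: {addr!r}")
    return local, "".join(buf)
```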
#### UUCP (Unix to Unix Copy Protocol)
UUCP is an ancient protocol.
Usage situation -> no internet / low bandwidth
```
meowhecker.com!meowhecker
Local part -> meowhecker
Domain -> meowhecker.com
```
Sendmail (mail server) 8.15.2:
```
oastify.com!collab\@example.com
\@ -> escaped @
```
Postfix (mail server) 3.6.4:
```
collab%psres.net(@example.com
1. -> example.com 2. -> collab%psres.net
```
### Parser Discrepancies
#### Unicode overflow
Attempting to bypass the multiple-'@' limitation!
PHP char function