Business Logic Bugs!! What is that?!!
Hi again. This topic is about something special: Business Logic errors, also called logical bugs. What are they? We will find out.
What is Business Logic?
It is how the data the website receives is created, stored and modified, in the way the developers designed it for you. Let's take the checkout process as an example:
- The first form takes your address and personal information
- The second form takes your payment details
- The payment is processed
- On a successful transaction, the page shows a congratulations message
So now, what bugs or errors can there be in this?! Let's give an example (this is not all of the possible bugs/errors):
- Now I'm in an e-commerce store, shopping. I choose a product, add it to my cart and open the cart to check out and get the product. But when I check out, I submit a lower price, and if the process continues, I get the product at the low price. Another thing: if I can set the quantity in the cart, I can try entering a half, like 0.5; if there is a bug, you can get the product with a 50% discount :*.
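As an added illustration (my own example code, not from this post or from any of the linked reports), here is a small Python checkout calculation in its vulnerable form beside a hardened one. The catalog, the SKU and the prices are constructed for the example; the vulnerable function trusts the client-supplied price and quantity exactly as the scenario above describes, while the hardened one recomputes the price on the server and accepts only whole, positive quantities.

```python
from decimal import Decimal

# Constructed server-side catalog for the example (SKU -> unit price).
CATALOG = {"sku-100": Decimal("40.00")}


class CheckoutError(ValueError):
    """Raised when a submitted cart item fails server-side validation."""


def total_vulnerable(cart_item: dict) -> Decimal:
    """Logic bug: trusts price and quantity exactly as the client sent them."""
    return Decimal(str(cart_item["price"])) * Decimal(str(cart_item["quantity"]))


def total_hardened(cart_item: dict) -> Decimal:
    """Fixed version: price comes from the catalog, quantity must be a whole number >= 1."""
    sku = cart_item.get("sku")
    if sku not in CATALOG:
        raise CheckoutError(f"unknown sku {sku!r}")
    qty = cart_item.get("quantity")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
        raise CheckoutError(f"quantity must be a positive whole number, got {qty!r}")
    # Any client-supplied "price" field is ignored entirely.
    return CATALOG[sku] * qty


def is_rejected(cart_item: dict) -> bool:
    """True if the hardened check refuses this cart item."""
    try:
        total_hardened(cart_item)
    except CheckoutError:
        return True
    return False


# Constructed sample requests, modelled on the scenario in the post.
HONEST = {"sku": "sku-100", "price": "40.00", "quantity": 1}
TAMPERED_PRICE = {"sku": "sku-100", "price": "1.00", "quantity": 1}
HALF_QUANTITY = {"sku": "sku-100", "price": "40.00", "quantity": 0.5}
NEGATIVE_QUANTITY = {"sku": "sku-100", "price": "40.00", "quantity": -1}

if __name__ == "__main__":
    for name, item in [("honest", HONEST), ("tampered price", TAMPERED_PRICE),
                       ("half quantity", HALF_QUANTITY), ("negative quantity", NEGATIVE_QUANTITY)]:
        hardened = "rejected" if is_rejected(item) else str(total_hardened(item))
        print(f"{name:18} vulnerable={total_vulnerable(item)} hardened={hardened}")
```

The vulnerable version happily charges 1.00 for the tampered request and 20.000 for the half-quantity one; the hardened version charges 40.00 for both honest and tampered requests and rejects the fractional and negative quantities.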
There are a lot of examples of this bug on the internet; here are a few of them:
- https://hackerone.com/reports/549364
- https://hackerone.com/reports/422279
- https://hackerone.com/reports/397792
- https://hackerone.com/reports/331691
What is the impact of Logical bugs?!
- User Privilege Escalation
- Access to Unauthorized Information
- Identity Extraction
- Manipulating Shopping Cart & Payment Systems
- Getting More Discounts
- Extending Subscription
- Downloading Data of other Users
- Bypass Security Restrictions
- Denial of Service
Why is this bug difficult to find?!
This bug can't be found using any scanner, so it needs your work, your hands and your brain to find it, because security scanners only find known vulnerability patterns and usually can't understand the logical processes. Another thing: firewalls can't detect Business Logic errors/bugs, because these systems are designed to detect malicious attacks like SQL injection, XSS, CSRF and LFI. The last thing is that you should know your application very well before you start looking for logic bugs.
In the end, you should be creative and think outside the box in your hunting or pen-testing. I hope this topic helped someone. Happy Hacking :P.
See you soon, goodbye.