Anatomy of Business Logic Vulnerabilities


            Bikash Barai, Co-Founder & CEO



Jan 2013               © iViZ Security Inc   0
About iViZ
 • iViZ – Cloud based Application Penetration Testing
       – Zero False Positive Guarantee
       – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
 • Funded by IDG Ventures
 • 30+ Zero Day Vulnerabilities discovered
 • 10+ Recognitions from Analysts and Industry
 • 300+ Customers
 • Gartner Hype Cycle – DAST and Application Security as a Service

Understanding Business Logic Vulnerabilities




Understanding Business Logic Vulnerabilities
 • Business Logic Vulnerabilities are security flaws in the design of an application's workflow, not in its coding: the code does exactly what it was written to do, but the workflow lets a user do something the business never intended
 • Typical count per application: 2 to 3 in critical applications
 • Only 5 to 10% of all vulnerabilities found
 • Difficult to detect, because every request involved is a "valid" one, but usually the highest impact




7 Deadly Sins!




Increasing your Bank Balance
 • Impact
       – Increase your own balance by transferring a negative amount to somebody else: the debit on your account becomes a credit
 • How does it work?
       – No server side validation of the amount field
       – Sometimes client side validation exists, but it can be bypassed by editing the request in transit with an intercepting proxy (WebScarab, Burp Suite, Paros etc.)
 • How to fix?
       – Validate on the server side in the work flow: the amount must be a well-formed positive number within limits, and the sender must have sufficient funds; client side checks are a usability aid, not a control
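As an added example (not from the original deck), the flawed transfer beside a server-side validated one in Python. The Account type, the MAX_PER_TRANSFER limit and the sample balances are constructed for this illustration; the point is that every rule lives on the server, where a proxy-edited request still has to pass it.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""


@dataclass
class Account:
    owner: str
    balance: Decimal


def new_account(owner: str, balance: str) -> Account:
    """Helper for building sample accounts (constructed for this example)."""
    return Account(owner, Decimal(balance))


def transfer_vulnerable(src: Account, dst: Account, raw_amount: str) -> None:
    """The flawed workflow: trusts whatever the client put in the amount field.
    A negative amount turns the debit into a credit for the sender."""
    amount = Decimal(raw_amount)
    src.balance -= amount
    dst.balance += amount


# Hypothetical business limit; a real system takes this from configuration.
MAX_PER_TRANSFER = Decimal("100000.00")


def parse_amount(raw: str) -> Decimal:
    """Parse the submitted amount defensively, on the server.

    Rejects anything that is not a finite, positive decimal with at most two
    fractional digits, so '-50', 'NaN', 'Infinity', '0' and '10.001' are all
    refused before they reach the balance arithmetic.
    """
    try:
        amount = Decimal(raw)
    except (InvalidOperation, TypeError, ValueError):
        raise TransferError("amount is not a number")
    if not amount.is_finite():          # NaN / Infinity would break comparisons
        raise TransferError("amount is not finite")
    if amount <= 0:
        raise TransferError("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount has more than two decimal places")
    if amount > MAX_PER_TRANSFER:
        raise TransferError("amount exceeds the per-transfer limit")
    return amount


def transfer_hardened(src: Account, dst: Account, raw_amount: str) -> Decimal:
    """Server-side validated transfer; returns the amount actually moved.

    Every rule is enforced here regardless of what JavaScript did in the
    browser, because the request can be rewritten in transit.
    """
    amount = parse_amount(raw_amount)
    if src is dst:
        raise TransferError("source and destination are the same account")
    if src.balance < amount:
        raise TransferError("insufficient funds")
    # In production both updates and the funds check run inside one database
    # transaction (row lock or conditional UPDATE) so two concurrent requests
    # cannot both pass the check against the same balance.
    src.balance -= amount
    dst.balance += amount
    return amount
```

Decimal rather than float is deliberate: a float amount field accepts "1e-7" and rounds silently, which is its own class of logic bug.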

Buying online for free!
 • Impact
       – Buy air tickets (or anything else you like) at whatever price you want!
 • How does it work?
       – The application does not validate the amount actually paid at the payment gateway. The attacker pays a smaller amount (or nothing) and then simply requests the "call back URL" that signals payment success, so the application marks the order paid and delivers the product.
 • How to fix?
       – Create a validation process between the application and the payment gateway: authenticate the callback and confirm the exact amount and currency transferred for that order with the gateway before fulfilling it
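As an added example (not part of the deck, and not any real gateway's API), a Python sketch of a callback handler. The HMAC-signed callback format, the shared secret and the order amounts are assumptions for this illustration; the two checks that matter are the same with any gateway: the callback must be authentic, and what was paid must match what the server recorded for the order.

```python
import hashlib
import hmac
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Set

# Shared secret agreed with the gateway out of band (constructed for this
# example; a real one lives in a secrets store, never in source).
GATEWAY_SECRET = b"example-gateway-shared-secret"


@dataclass
class Order:
    order_id: str
    amount: Decimal       # what the customer owes, computed server-side
    currency: str
    status: str = "pending"
    paid_txn: Optional[str] = None


def new_order(order_id: str, amount: str, currency: str) -> Order:
    return Order(order_id, Decimal(amount), currency)


def _canonical(fields: Dict[str, str]) -> bytes:
    # Sign a canonical, sorted rendering so parameter order cannot matter.
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig").encode()


def gateway_sign(fields: Dict[str, str], secret: bytes = GATEWAY_SECRET) -> str:
    """HMAC the (hypothetical) gateway attaches to every callback."""
    return hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()


def make_callback(order_id: str, amount: str, currency: str, txn_id: str,
                  status: str) -> Dict[str, str]:
    """Simulates the gateway building a signed callback for a real payment."""
    cb = {"order_id": order_id, "amount": amount, "currency": currency,
          "txn_id": txn_id, "status": status}
    cb["sig"] = gateway_sign(cb)
    return cb


def fulfil_vulnerable(orders: Dict[str, Order], cb: Dict[str, str]) -> bool:
    """Flawed: any request to the callback URL saying status=success wins."""
    order = orders[cb["order_id"]]
    if cb.get("status") == "success":
        order.status = "paid"
        return True
    return False


def fulfil_hardened(orders: Dict[str, Order], cb: Dict[str, str],
                    seen_txns: Set[str], secret: bytes = GATEWAY_SECRET) -> bool:
    """Only fulfil when the gateway really confirmed the expected payment."""
    # 1. Authenticate: the callback must carry a valid MAC over its fields.
    if not hmac.compare_digest(gateway_sign(cb, secret), cb.get("sig", "")):
        return False
    order = orders.get(cb.get("order_id", ""))
    if order is None or order.status != "pending":
        return False
    # 2. Compare what was paid with what *we* recorded for this order. This
    #    also catches a customer who legitimately paid 1.00 instead of 450.00
    #    by tampering with the amount posted to the gateway.
    if cb.get("status") != "success":
        return False
    if Decimal(cb["amount"]) != order.amount or cb["currency"] != order.currency:
        return False
    # 3. Replay protection: one gateway transaction fulfils one order, once.
    if cb["txn_id"] in seen_txns:
        return False
    seen_txns.add(cb["txn_id"])
    order.status = "paid"
    order.paid_txn = cb["txn_id"]
    return True
```

Where the gateway offers a server-to-server status query, call it with the transaction ID as well rather than relying only on a callback that arrives through the customer's browser.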

Stealing one time passwords
 • Impact
       – Steal the One Time Password of another user without having access to their mobile, email etc.
 • How does it work?
       – The application sends the OTP to the browser (in the page or the response) so that it can be validated on the client side for speed and a better user experience; anyone who can read the response can read the OTP
 • How to fix?
       – Generate and validate the OTP on the server side only. Never send the expected OTP to the browser.
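As an added example (not from the deck), the vulnerable page rendering beside a server-side OTP store in Python. The HTML fragments, the five-minute lifetime and the five-attempt limit are assumptions; the store keeps only a digest, expires codes, makes them single use and caps guesses, which is what a six-digit space needs.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

OTP_TTL_SECONDS = 300     # assumed policy: code valid for five minutes
OTP_MAX_ATTEMPTS = 5      # assumed policy: lock after five wrong guesses


def render_vulnerable(expected_otp: str) -> str:
    """Flawed page: the expected code is embedded so JavaScript can compare
    it locally. Anyone who reads the response has the OTP."""
    return (
        '<form><input name="otp">'
        f'<input type="hidden" name="expected" value="{expected_otp}">'
        "</form>"
    )


def render_hardened() -> str:
    """The browser gets only the input field; the expected value stays
    on the server."""
    return '<form method="post" action="/otp/verify"><input name="otp"></form>'


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class OtpStore:
    """Server-side OTP issue/verify with expiry, attempt limit and single use."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, List] = {}   # user -> [digest, expires_at, attempts_left]

    def issue(self, user: str) -> str:
        """Create a six-digit code. The return value goes to the SMS/email
        sender only, never into an HTTP response to the browser."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Only a digest is kept; the attempt limit, not the hash, is what
        # protects a six-digit space from guessing.
        self._pending[user] = [_digest(code), self._clock() + OTP_TTL_SECONDS,
                               OTP_MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)      # expired or locked: force re-issue
            return False
        ok = hmac.compare_digest(_digest(submitted), digest)
        if ok:
            self._pending.pop(user, None)      # single use
        else:
            entry[2] -= 1
        return ok
```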



Have unlimited discounts
 • Impact
       – Enjoy a volume discount without buying the volume
 • How does it work?
       – Add 10 products to the cart and qualify for the standard volume discount (e.g. 10%)
       – Remove 9 products afterwards: the application keeps the discount it calculated earlier
 • How to fix?
       – Recalculate the discount from the current cart contents whenever the cart changes, and once more at checkout


Get 100% discount with 10% discount coupons
 • Impact
       – Get a 100% discount with a single 10% discount coupon
 • How does it work?
       – The same coupon code can be applied multiple times within the same transaction, and the discounts add up (ten applications of 10% = 100%)
 • How to fix?
       – Expire the coupon on first use, not when the session ends: allow one application per order and mark single-use codes as redeemed when the order is placed
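Both cart flaws above, the retained volume discount and the repeatable coupon, come from the same design mistake: a price that is remembered instead of recomputed. As an added example (not from the deck), a Python cart that stores its discount state beside one that derives the price from the current contents on every call. The 10-item / 10% rule and the TENOFF coupon table are constructed for this illustration.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional, Set

CENT = Decimal("0.01")
VOLUME_MIN_ITEMS = 10                   # assumed rule: 10+ items ...
VOLUME_RATE = Decimal("0.10")           # ... earn 10% off
COUPONS = {"TENOFF": Decimal("0.10")}   # constructed coupon table: code -> rate


def _money(value: Decimal) -> Decimal:
    return value.quantize(CENT, rounding=ROUND_HALF_UP)


class CartVulnerable:
    """Flawed: the volume discount is stored when earned and never revoked,
    and coupons go into a list, so one code can be applied repeatedly."""

    def __init__(self) -> None:
        self.items: Dict[str, List] = {}    # sku -> [unit_price, qty]
        self.discount_rate = Decimal("0")
        self.coupons: List[Decimal] = []

    def add(self, sku: str, unit_price: str, qty: int = 1) -> None:
        self.items.setdefault(sku, [Decimal(unit_price), 0])[1] += qty
        if self.count() >= VOLUME_MIN_ITEMS:
            self.discount_rate = VOLUME_RATE    # earned here ...

    def remove(self, sku: str, qty: int = 1) -> None:
        self.items[sku][1] -= qty               # ... but not recomputed here
        if self.items[sku][1] <= 0:
            del self.items[sku]

    def apply_coupon(self, code: str) -> None:
        self.coupons.append(COUPONS[code])      # no uniqueness check

    def count(self) -> int:
        return sum(q for _, q in self.items.values())

    def total(self) -> Decimal:
        subtotal = sum((p * q for p, q in self.items.values()), Decimal("0"))
        rate = self.discount_rate + sum(self.coupons, Decimal("0"))
        return _money(subtotal * (1 - rate))


class CartHardened:
    """Price is a pure function of the current contents; one coupon slot per
    order, consumed when the order is placed."""

    def __init__(self) -> None:
        self.items: Dict[str, List] = {}
        self.coupon: Optional[str] = None

    def add(self, sku: str, unit_price: str, qty: int = 1) -> None:
        self.items.setdefault(sku, [Decimal(unit_price), 0])[1] += qty

    def remove(self, sku: str, qty: int = 1) -> None:
        self.items[sku][1] -= qty
        if self.items[sku][1] <= 0:
            del self.items[sku]

    def apply_coupon(self, code: str, redeemed: Set[str]) -> None:
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        if code in redeemed:
            raise ValueError("coupon already redeemed")
        if self.coupon is not None:
            raise ValueError("only one coupon per order")
        self.coupon = code

    def count(self) -> int:
        return sum(q for _, q in self.items.values())

    def total(self) -> Decimal:
        # Recomputed from scratch on every call: add, remove and checkout all
        # see the same number, and nothing is "remembered" from an earlier state.
        subtotal = sum((p * q for p, q in self.items.values()), Decimal("0"))
        rate = VOLUME_RATE if self.count() >= VOLUME_MIN_ITEMS else Decimal("0")
        if self.coupon is not None:
            rate += COUPONS[self.coupon]
        rate = min(rate, Decimal("1"))         # a total can never go negative
        return _money(subtotal * (1 - rate))

    def place_order(self, redeemed: Set[str]) -> Decimal:
        total = self.total()
        if self.coupon is not None:
            if self.coupon in redeemed:        # re-check at commit time
                raise ValueError("coupon already redeemed")
            redeemed.add(self.coupon)          # expire on first use
        return total
```

The redeemed set stands in for a database table with a uniqueness constraint on the coupon code; the re-check inside place_order is what stops two checkouts racing on the same code.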




Hijacking others' accounts
 • Impact
       – Hijack anybody's (use your imagination) account.
 • How does it work?
       – Weak password recovery process
       – Choose the "I do not have access to the registered email" option
       – Brute force the answer to the secret question: the answer space is small and there is no limit on attempts
 • How to fix?
       – Create a stronger password recovery process, at least as hard to pass as the login itself
       – Send recovery links only over email, as single-use tokens that expire; if a secret question must remain as a fallback, rate limit and lock out repeated guesses
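As an added example (not from the deck), the secret-question fallback with a brute-force loop against it, beside an email-only recovery flow in Python. The user table, the colour list, the 15-minute token lifetime and the reset URL are constructed for this illustration; the outbox list stands in for the mail transport.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: link valid for 15 minutes

# Constructed user table; the secret answer is stored as the site would.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"email": "alice@example.com", "secret_answer": "blue"},
}
# A "favourite colour" question has an answer space about this small.
COMMON_COLOURS = ["red", "green", "blue", "yellow", "black", "white", "purple", "orange"]


def recover_vulnerable(user: str, answer: str) -> bool:
    """Flawed fallback: unlimited guesses at a low-entropy secret answer."""
    rec = USERS.get(user)
    return rec is not None and rec["secret_answer"] == answer.strip().lower()


def brute_force_answer(user: str, guesses: List[str]) -> Optional[str]:
    """What the attacker does against recover_vulnerable: just iterate."""
    for guess in guesses:
        if recover_vulnerable(user, guess):
            return guess
    return None


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class RecoveryService:
    """Email-only recovery: a random, single-use, expiring token."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._tokens: Dict[str, Tuple[str, float]] = {}   # digest -> (user, expires_at)
        self.outbox: List[Tuple[str, str]] = []            # simulated mail transport

    def request_reset(self, user: str) -> None:
        """Behaves the same for unknown users, so it cannot enumerate accounts."""
        rec = USERS.get(user)
        if rec is None:
            return
        token = secrets.token_urlsafe(32)                  # 256 bits: not guessable
        self._tokens[_digest(token)] = (user, self._clock() + TOKEN_TTL_SECONDS)
        # Only the registered address receives the link; the raw token is not stored.
        self.outbox.append((rec["email"], f"https://app.example/reset?token={token}"))

    def reset_with_token(self, token: str, new_password: str) -> bool:
        entry = self._tokens.pop(_digest(token), None)    # single use
        if entry is None:
            return False
        user, expires_at = entry
        if self._clock() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        USERS[user]["password_hash"] = salt.hex() + ":" + hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 200_000).hex()
        return True
```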

DoS your competition
 • Impact
       – Stop other customers from buying a product (sell it out without paying)
 • How does it work?
       – Start booking a product, which reserves it, but never pay
       – Open millions of such reservations in parallel and never pay
       – The application has no "expiry time" on reservations and no other validation (per account, per IP etc.)
 • How to fix?
       – Session time-out / reservation expiry, anti-automation (CAPTCHA, rate limits) and a limit on concurrent reservations from a single account or IP (a distributed attack, DDoS, is still possible)
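As an added example (not from the deck), a Python inventory that holds stock forever beside one that expires holds and caps them per client. The 10-minute hold and the three-holds-per-client limit are assumed policies; "client" is whatever key the application can attach to a request (account, or source IP for anonymous users), which is why a distributed attacker with many keys is not stopped by this alone.

```python
import time
from typing import Callable, Dict, Optional, Tuple

HOLD_SECONDS = 10 * 60          # assumed policy: a hold expires after 10 minutes
MAX_OPEN_HOLDS_PER_CLIENT = 3   # assumed policy: per account or per source IP


class InventoryVulnerable:
    """Flawed: a hold is forever and nobody counts them per client."""

    def __init__(self, stock: int):
        self.stock = stock
        self._holds: Dict[int, str] = {}
        self._next_id = 1

    def reserve(self, client: str) -> Optional[int]:
        if self.stock <= 0:
            return None
        self.stock -= 1
        hold_id, self._next_id = self._next_id, self._next_id + 1
        self._holds[hold_id] = client
        return hold_id

    def available(self) -> int:
        return self.stock


class Inventory:
    """Holds expire, and one client may hold only a few items at a time."""

    def __init__(self, stock: int, clock: Callable[[], float] = time.time):
        self.stock = stock
        self._clock = clock
        self._holds: Dict[int, Tuple[str, float]] = {}   # id -> (client, expires_at)
        self._next_id = 1

    def _expire_holds(self) -> None:
        """Return stock from holds whose timer ran out without payment."""
        now = self._clock()
        for hold_id, (_, expires_at) in list(self._holds.items()):
            if expires_at <= now:
                del self._holds[hold_id]
                self.stock += 1

    def reserve(self, client: str) -> Optional[int]:
        self._expire_holds()
        open_for_client = sum(1 for c, _ in self._holds.values() if c == client)
        if open_for_client >= MAX_OPEN_HOLDS_PER_CLIENT:
            return None                                  # anti-hoarding cap
        if self.stock <= 0:
            return None
        self.stock -= 1
        hold_id, self._next_id = self._next_id, self._next_id + 1
        self._holds[hold_id] = (client, self._clock() + HOLD_SECONDS)
        return hold_id

    def pay(self, hold_id: int, client: str) -> bool:
        """Convert a live hold into a sale; an expired hold cannot be paid."""
        self._expire_holds()
        entry = self._holds.get(hold_id)
        if entry is None or entry[0] != client:
            return False
        del self._holds[hold_id]     # stock was decremented at reserve time
        return True

    def available(self) -> int:
        self._expire_holds()
        return self.stock
```

In a real deployment the expiry sweep runs as a scheduled job against the reservations table rather than lazily on each call, and the per-client counter is the natural place to hook a CAPTCHA once it is exceeded.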
Detection and Prevention




How to detect?
 • What helps?
       – Threat Modeling and attack surface analysis
       – Break down the key processes into work-flows / flow charts to find the steps a user could skip, repeat or tamper with
       – Penetration Testing with Business Logic Testing by experts
       – Design Review
 • What does not help?
       – Automated testing with any tool, static or dynamic: scanners look for coding flaws and cannot know what the business intended
       – Testing conducted by a team with less expertise
       – Standard code review that checks functions in isolation rather than the work flow




How to prevent?
 • Design the application and its use case scenarios keeping Business Logic Vulnerabilities in mind
 • Conduct Security Design Reviews
 • Independent / third party tests (within or outside the company)
 • Comprehensive pen test with Business Logic Testing before the application goes live


Resources




Top Free Online Resources
 • Checklist for Business Logic Vulnerabilities:
       http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
 • OWASP:
       https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
 • WebScarab:
       https://www.owasp.org/index.php/OWASP_WebScarab_Project


After 7 Sins... Now be prepared for Karma!




How to go bankrupt in a day?
 • Denial of Dollar Attack!
 • A founder of "The Pirate Bay" proposed launching this attack on the law firm which fought against him
 • Example working model:
       – Send a 1 cent online transaction to the law firm's account. The bank deducts a 1 dollar transaction fee on the receiving side.
       – Send millions of such "1 cent transactions"

Stay safe !




Thank You
                     bikash@ivizsecurity.com
                          Blog: http://blog.ivizsecurity.com/
           Linkedin:http://www.linkedin.com/pub/bikash-barai/0/7a4/669
                      Twitter: https://twitter.com/bikashbarai1




Jan 2013                           © iViZ Security Inc                   20

Mais conteúdo relacionado

Mais procurados

Vulnérabilité des sites web
Vulnérabilité des sites webVulnérabilité des sites web
Vulnérabilité des sites webSaid Sadik
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Abhinav Mishra
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Dos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle AttackDos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle Attackmarada0033
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacksRamiro Cid
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & TestingDeepu S Nath
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBGA Cyber Security
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 

Mais procurados (20)

Vulnérabilité des sites web
Vulnérabilité des sites webVulnérabilité des sites web
Vulnérabilité des sites web
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Dos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle AttackDos & Ddos Attack. Man in The Middle Attack
Dos & Ddos Attack. Man in The Middle Attack
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware SaldırılarıBir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
Bir Ransomware Saldırısının Anatomisi. A'dan Z'ye Ransomware Saldırıları
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attacks
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 

Semelhante a Anatomy of business logic vulnerabilities

Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security managementDaveEdwards12
 
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)Priyanka Aash
 
Insecurity in security products 2013
Insecurity in security products 2013Insecurity in security products 2013
Insecurity in security products 2013DaveEdwards12
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions failDaveEdwards12
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsTechWell
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation   hacking custom webapps 4 3Andrew Useckas Csa presentation   hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Trish McGinity, CCSK
 
CrossIdeas Roadshow IBM IAM Governance Andrea Rossi
CrossIdeas Roadshow IBM IAM Governance Andrea RossiCrossIdeas Roadshow IBM IAM Governance Andrea Rossi
CrossIdeas Roadshow IBM IAM Governance Andrea RossiIBM Sverige
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsDaveEdwards12
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScaleAntónio Alegria
 
Hybrid website security from Indusface
Hybrid website security from IndusfaceHybrid website security from Indusface
Hybrid website security from IndusfaceInfosys
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
Cultivating security in the small nonprofit
Cultivating security in the small nonprofitCultivating security in the small nonprofit
Cultivating security in the small nonprofitRoger Hagedorn
 

Semelhante a Anatomy of business logic vulnerabilities (20)

Using 80 20 rule in application security management
Using 80 20 rule in application security managementUsing 80 20 rule in application security management
Using 80 20 rule in application security management
 
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)
Ciso-platform-annual-summit-2013_logical vulnerabilities_(nilanjan_iviz)
 
Insecurity in security products 2013
Insecurity in security products 2013Insecurity in security products 2013
Insecurity in security products 2013
 
Why current security solutions fail
Why current security solutions failWhy current security solutions fail
Why current security solutions fail
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Oh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web AppsOh, WASP! Security Essentials for Web Apps
Oh, WASP! Security Essentials for Web Apps
 
Securing a Moving Target
Securing a Moving TargetSecuring a Moving Target
Securing a Moving Target
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation   hacking custom webapps 4 3Andrew Useckas Csa presentation   hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
CrossIdeas Roadshow IBM IAM Governance Andrea Rossi
CrossIdeas Roadshow IBM IAM Governance Andrea RossiCrossIdeas Roadshow IBM IAM Governance Andrea Rossi
CrossIdeas Roadshow IBM IAM Governance Andrea Rossi
 
Toronto mule meetup #5
Toronto mule meetup #5Toronto mule meetup #5
Toronto mule meetup #5
 
Man in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactionsMan in the Browser attacks on online banking transactions
Man in the Browser attacks on online banking transactions
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at Scale
 
Hybrid website security from Indusface
Hybrid website security from IndusfaceHybrid website security from Indusface
Hybrid website security from Indusface
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Cultivating security in the small nonprofit
Cultivating security in the small nonprofitCultivating security in the small nonprofit
Cultivating security in the small nonprofit
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 

Mais de DaveEdwards12

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)DaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsDaveEdwards12
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsDaveEdwards12
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security ProductsDaveEdwards12
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5DaveEdwards12
 

Mais de DaveEdwards12 (7)

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)A Journey to Protect Points of Sale (POS)
A Journey to Protect Points of Sale (POS)
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systems
 
New realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systemsNew realities in aviation security remotely gaining control of aircraft systems
New realities in aviation security remotely gaining control of aircraft systems
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Vulnerability in Security Products
Vulnerability in Security ProductsVulnerability in Security Products
Vulnerability in Security Products
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5
 

Último

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 

Último (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Anatomy of business logic vulnerabilities (slide text)

1. Anatomy of Business Logic Vulnerabilities
   Bikash Barai, Co-Founder & CEO
   Jan 2013 © iViZ Security Inc

2. About iViZ
   • iViZ – Cloud based Application Penetration Testing
     – Zero False Positive Guarantee
     – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
   • Funded by IDG Ventures
   • 30+ Zero Day Vulnerabilities discovered
   • 10+ Recognitions from Analysts and Industry
   • 300+ Customers
   • Gartner Hype Cycle - DAST and Application Security as a Service

3. Understanding Business Logic Vulnerabilities

4. Understanding Business Logic Vulnerability
   • Business Logic Vulnerabilities are security flaws due to wrong logic design and not due to wrong coding
   • # Business Logic Vuln/App: 2 to 3 for critical Apps
   • Only 5 to 10% of total vulnerabilities
   • Difficult to detect but have the highest impact

5. 7 Deadly Sins!

6. Increasing your Bank Balance
   • Impact
     – You can increase your bank balance just by transferring a negative amount to somebody else
   • How does it work?
     – No server side validation of the amount field
     – Sometimes client side validations are there, which can be bypassed by manipulating “Data in Transit” (use WebScarab, Burp Suite, Paros etc.)
   • How to fix?
     – Add server side validations in the workflow

7. Buying online for free!
   • Impact
     – Buy air tickets (or anything that you like) at whatever price you want!
   • How does it work?
     – Application does not validate the amount paid to the payment gateway. Attacker can simply use the “Call back URL” to get the payment success and product delivery.
   • How to fix?
     – Create a validation process between the application and payment gateway to know the exact amount transferred
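Slides 6 and 7 share one root cause: the server acts on a number supplied by the client or by a third party's callback without re-checking it. The Python below is an added example written for this page, not iViZ's code and not any real bank's or payment gateway's interface. `transfer` applies the server-side amount validation slide 6 calls for, and `handle_payment_callback` reconciles a gateway callback against the order total the server already holds, as slide 7 recommends. The callback field names (`order_id`, `amount`, `currency`, `status`, `sig`), the HMAC signing scheme, the shared secret and the sample ledger and order book are all assumptions constructed for the example.

```python
"""Server-side validation for the transfer (slide 6) and payment-callback
(slide 7) scenarios. Added example; field names, signing scheme and sample
data are assumptions, not a real bank's or gateway's interface."""
from decimal import Decimal, InvalidOperation
import hashlib
import hmac

# Constructed sample state: a ledger and an order book held on the server.
BALANCES = {"alice": Decimal("100.00"), "bob": Decimal("20.00")}
ORDERS = {"ORD-1001": {"amount": Decimal("349.00"), "currency": "INR", "paid": False}}

# Assumption: a secret shared with the gateway, used to sign its callbacks.
GATEWAY_SECRET = b"constructed-shared-secret-for-the-example"
SIGNED_FIELDS = ("order_id", "amount", "currency", "status")


def parse_amount(raw):
    """Return a Decimal for a well-formed, strictly positive amount with at
    most two decimal places; return None for anything else (negative, zero,
    NaN, text, too many decimals). Whatever client-side check ran in the
    browser is irrelevant: the value in the request body is re-validated."""
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount <= 0:
        return None
    if amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


def transfer(src, dst, raw_amount):
    """Move money only after the amount and both accounts pass server-side
    validation; a negative amount is refused instead of crediting src."""
    amount = parse_amount(raw_amount)
    if amount is None:
        return False, "invalid amount"
    if src == dst or src not in BALANCES or dst not in BALANCES:
        return False, "invalid account"
    if BALANCES[src] < amount:
        return False, "insufficient funds"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return True, "transferred"


def sign_callback(fields):
    """HMAC over the canonical callback fields (assumed scheme). Any change
    to the amount after the gateway signed it invalidates the signature."""
    msg = "|".join(f"{k}={fields.get(k, '')}" for k in SIGNED_FIELDS).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def handle_payment_callback(cb):
    """Fulfil an order only when the callback is authentic, reports success,
    and its amount and currency equal what the server expected; a replayed
    callback for an already-paid order is refused as well."""
    order = ORDERS.get(cb.get("order_id"))
    if order is None:
        return False, "unknown order"
    if not hmac.compare_digest(sign_callback(cb), cb.get("sig", "")):
        return False, "bad signature"
    if cb.get("status") != "SUCCESS":
        return False, "payment not successful"
    paid = parse_amount(cb.get("amount"))
    if paid is None or paid != order["amount"] or cb.get("currency") != order["currency"]:
        return False, "amount/currency mismatch"
    if order["paid"]:
        return False, "duplicate callback"
    order["paid"] = True
    return True, "order fulfilled"
```

The point of `handle_payment_callback` is that "success" from the gateway is never enough on its own: the server compares the reported amount and currency with the order it created, checks the callback's integrity, and marks the order paid exactly once.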
8. Stealing one time passwords
   • Impact
     – You can steal the One Time Password of another user without having access to their mobile, email etc.
   • How does it work?
     – Application sends the OTP to the browser for faster client side validation and better user experience
   • How to fix?
     – Conduct server side validation. Do not send the OTP to the browser.
9. Have unlimited discounts
   • Impact
     – You can enjoy unlimited discount
   • How does it work?
     – You can add 10 products to the cart and avail the standard (e.g. 10%) discount
     – Remove 9 products from the cart after that, but the application still retains the discount amount
   • How to fix?
     – Recalculate the discount if there is any change in the cart

10. Get 100% discount with 10% discount Coupons
   • Impact
     – You can get 100% discount with a 20% discount coupon
   • How does it work?
     – Same coupon can be used multiple times during the same transaction
   • How to fix?
     – Expire the coupon after the first use and not after the session ends
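Slides 9 and 10 are both pricing state that outlives the facts it was derived from: a discount amount stored when the tenth item went in, and a coupon whose redemption is tied to the session instead of the order. The cart below is an added example for this page, not iViZ's code; the catalogue, the coupon table and the bulk tier are constructed sample data (the 10-item / 10% rule and the 20% coupon come from the slides). `total()` recomputes every discount from the cart's current contents on each call, and `apply_coupon` binds at most one coupon to the order and refuses a second application.

```python
"""Cart pricing for the discount (slide 9) and coupon (slide 10) scenarios.
Added example; the catalogue, bulk tier and coupon table are constructed."""
from decimal import Decimal

PRICES = {"sku-1": Decimal("100.00"), "sku-2": Decimal("40.00")}  # constructed catalogue
COUPONS = {"SAVE20": Decimal("0.20")}  # constructed: 20% off, one use per order
BULK_THRESHOLD = 10          # the deck's 10-item rule
BULK_RATE = Decimal("0.10")  # the deck's 10% bulk discount
CENT = Decimal("0.01")


class Cart:
    """The flaw on slide 9 is a discount amount computed once and stored.
    Here nothing about pricing is cached: total() derives every discount
    from the cart's current contents each time it is called."""

    def __init__(self):
        self.items = {}      # sku -> quantity
        self.coupon = None   # the single coupon bound to this order, if any

    def add(self, sku, qty=1):
        if sku not in PRICES or qty <= 0:
            return False
        self.items[sku] = self.items.get(sku, 0) + qty
        return True

    def remove(self, sku, qty=1):
        if sku not in self.items or qty <= 0:
            return False
        self.items[sku] -= qty
        if self.items[sku] <= 0:
            del self.items[sku]
        return True

    def apply_coupon(self, code):
        """Slide 10: a coupon is redeemed against the order, not the session.
        A second application, of the same code or another, is refused rather
        than stacked; the order's record of the coupon is what expires it."""
        if code not in COUPONS or self.coupon is not None:
            return False
        self.coupon = code
        return True

    def item_count(self):
        return sum(self.items.values())

    def total(self):
        """Subtotal, bulk discount and coupon are recomputed from scratch."""
        subtotal = sum((PRICES[s] * q for s, q in self.items.items()), Decimal("0"))
        bulk_off = subtotal * BULK_RATE if self.item_count() >= BULK_THRESHOLD else Decimal("0")
        after_bulk = subtotal - bulk_off
        coupon_off = after_bulk * COUPONS[self.coupon] if self.coupon else Decimal("0")
        return max(after_bulk - coupon_off, Decimal("0")).quantize(CENT)
```

With ten units of `sku-1` the total is 900.00; removing nine of them drops it to 100.00 because the bulk discount simply stops applying, and `SAVE20` takes that to 80.00 exactly once.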
11. Hijacking others' accounts
   • Impact
     – You can hijack anybody's (use your imagination) account.
   • How does it work?
     – Weak password recovery process
     – Choose the “Do not have access to registered email” option
     – Brute force the answer to the secret question.
   • How to fix?
     – Create a stronger password recovery option
     – Recovery links only over email
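Slide 8 (an OTP handed to the browser) and slide 11 (a guessable secret-question answer) are both failures of server-side verification of a short secret. The class below is an added example for this page, not iViZ's code: it keeps only a salted hash of each outstanding OTP or recovery token, enforces an expiry and an attempt counter, compares in constant time, and consumes the challenge on success. The five-minute TTL, the five-attempt lockout, the PBKDF2 parameters and the injectable clock are assumptions chosen for the example.

```python
"""Server-side verification of a short secret: an OTP (slide 8) or a
password-recovery answer/token (slide 11). Added example; TTL, attempt
limit and hashing parameters are assumptions."""
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 300      # assumption: a challenge is valid for five minutes
MAX_ATTEMPTS = 5       # assumption: lock after five wrong answers
PBKDF2_ROUNDS = 50_000


class SecretVerifier:
    """Stores only a salted hash of each outstanding secret. The plaintext
    returned by issue()/issue_token() goes to the out-of-band channel
    (SMS, e-mail) and is never placed in the HTTP response to the browser,
    which is the mistake slide 8 describes."""

    def __init__(self, ttl=TTL_SECONDS, max_attempts=MAX_ATTEMPTS, now=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.now = now            # injectable clock so expiry can be tested
        self.challenges = {}      # user -> [salt, digest, issued_at, attempts]

    @staticmethod
    def _digest(salt, value):
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)

    def _store(self, user, plaintext):
        salt = secrets.token_bytes(16)
        self.challenges[user] = [salt, self._digest(salt, plaintext), self.now(), 0]
        return plaintext

    def issue(self, user, digits=6):
        """Numeric OTP destined for the SMS/e-mail channel only."""
        return self._store(user, f"{secrets.randbelow(10 ** digits):0{digits}d}")

    def issue_token(self, user):
        """Unguessable recovery token for an e-mailed link, the 'recovery
        links only over email' fix on slide 11."""
        return self._store(user, secrets.token_urlsafe(32))

    def verify(self, user, attempt):
        """Check an answer with expiry, an attempt counter (which is what
        stops guessing a six-digit code or a secret-question answer) and a
        constant-time compare; a correct answer consumes the challenge."""
        ch = self.challenges.get(user)
        if ch is None:
            return False, "no challenge"
        salt, digest, issued, tries = ch
        if self.now() - issued > self.ttl:
            del self.challenges[user]
            return False, "expired"
        if tries >= self.max_attempts:
            del self.challenges[user]
            return False, "locked"
        ch[3] += 1
        if hmac.compare_digest(digest, self._digest(salt, str(attempt))):
            del self.challenges[user]
            return True, "ok"
        return False, "mismatch"
```

The attempt counter lives with the challenge, not with the session, so a fresh session does not reset it; the only way to get a new budget of guesses is to have a new secret issued, which also invalidates the old one.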
12. DOS your competition
   • Impact
     – You can stop others from buying products
   • How does it work?
     – You try to book a product and start the session but do not pay
     – Open millions of such threads and do not pay
     – Application does not have an “expiry time” or other validation (IP etc.)
   • How to fix?
     – Session Time-Out, Anti-Automation and limit the number of threads from a single IP (DDOS still possible)
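Slide 12 describes stock pinned by checkouts that never pay. The inventory model below is an added example for this page, not iViZ's code: a unit moves from stock into a hold when a checkout starts, the hold returns the unit automatically when its timer runs out unpaid, and a client key (session id or source IP in practice) may have only a bounded number of open holds. The stock numbers, the ten-minute hold and the cap of three are constructed assumptions; as the slide itself notes, a cap per client key does not stop a distributed attacker who spreads holds over many keys.

```python
"""Stock holds with a timeout and a per-client cap (slide 12). Added
example; stock numbers, hold duration and cap are constructed/assumed."""
import time

HOLD_SECONDS = 600          # assumption: an unpaid hold lives ten minutes
MAX_HOLDS_PER_CLIENT = 3    # assumption: open holds allowed per client key


class Inventory:
    """Units move from stock to a hold when a checkout starts and come back
    automatically when the hold expires unpaid, so abandoned sessions
    cannot pin stock indefinitely."""

    def __init__(self, stock, now=time.time):
        self.stock = dict(stock)   # sku -> units not currently held
        self.holds = {}            # hold_id -> (client, sku, expires_at)
        self.now = now             # injectable clock for testing
        self._seq = 0

    def _expire(self):
        """Return units from holds whose timer ran out; every public method
        calls this first so decisions are made on current state."""
        t = self.now()
        for hid, (client, sku, expires_at) in list(self.holds.items()):
            if expires_at <= t:
                self.stock[sku] += 1
                del self.holds[hid]

    def open_holds(self, client):
        self._expire()
        return sum(1 for c, _, _ in self.holds.values() if c == client)

    def reserve(self, client, sku):
        """Start a checkout: take one unit out of stock under a timed hold,
        refusing when stock is gone or the client already has too many."""
        self._expire()
        if self.stock.get(sku, 0) <= 0:
            return None, "out of stock"
        if self.open_holds(client) >= MAX_HOLDS_PER_CLIENT:
            return None, "too many open holds"
        self.stock[sku] -= 1
        self._seq += 1
        hid = f"hold-{self._seq}"
        self.holds[hid] = (client, sku, self.now() + HOLD_SECONDS)
        return hid, "held"

    def pay(self, hid):
        """Complete a sale only for a hold that is still alive."""
        self._expire()
        if hid not in self.holds:
            return False, "hold expired or unknown"
        del self.holds[hid]
        return True, "sold"

    def available(self, sku):
        self._expire()
        return self.stock.get(sku, 0)
```

Keeping the expiry inside the inventory rather than in the web session is the design choice that matters: a client that abandons its session, or never had a real browser session at all, still loses the hold when the timer fires.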
13. Detection and Prevention

14. How to detect?
   • What helps?
     – Threat Modeling and Attack Surface Analysis
     – Break down the key processes into workflows/flow charts to detect possible manipulations
     – Penetration Testing with Business Logic Testing by Experts
     – Design Review
   • What does not help?
     – Automated Testing with any tools (neither Static nor Dynamic)
     – Testing conducted by a team with less expertise
     – Standard Code review

15. How to prevent?
   • Design the application/use case scenarios keeping Business Logic Vulnerability in mind
   • Conduct Security Design Reviews
   • Independent/Third Party Tests (within or outside the company)
   • Comprehensive Pen Test with Business Logic Testing before the Application goes live

16. Resources

17. Top Free Online Resources
   • Checklist for Business Logic Vuln: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
   • OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
   • WebScarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project

18. After 7 Sins.. Now be prepared for Karma!

19. How to be bankrupt in a day?
   • Denial of Dollar Attack!
   • “Piratebay” founder proposed launching this attack on the law firm which fought against him
   • Example working model:
     – Send a 1 cent online transaction to the law firm's account. The bank deducts 1 Dollar as transaction fee.
     – Send millions of “1 Cent transactions”

20. Stay safe!

21. Thank You
   bikash@ivizsecurity.com
   Blog: http://blog.ivizsecurity.com/
   LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
   Twitter: https://twitter.com/bikashbarai1