Anatomy of business logic vulnerabilities
1. Anatomy of Business Logic Vulnerabilities
Bikash Barai, Co-Founder & CEO
Jan 2013 © iViZ Security Inc
2. About iViZ
• iViZ – Cloud based Application Penetration Testing
  – Zero False Positive Guarantee
  – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers
• Gartner Hype Cycle – DAST and Application Security as a Service
3. Understanding Business Logic Vulnerabilities
4. Understanding Business Logic Vulnerability
• Business Logic Vulnerabilities are security flaws due to wrong logic design, not due to wrong coding
• Number of business logic vulnerabilities per application: 2 to 3 for critical apps
• Only 5 to 10% of total vulnerabilities
• Difficult to detect, but has the highest impact
5. 7 Deadly Sins!
6. Increasing your Bank Balance
• Impact
  – You can increase your bank balance just by transferring a negative amount to somebody else
• How does it work?
  – No server side validation of the amount field
  – Sometimes client side validations are there, which can be bypassed by manipulating “Data on Transit” (use WebScarab, Burp Suite, Paros etc.)
• How to fix?
  – Add server side validations in the work flow
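The fix on this slide, worked through as an added Python example (not code from the deck or from iViZ): the amount field is re-parsed and re-validated on the server, so client-side checks that were stripped in transit do not matter. The ledger, the account names and the per-transaction ceiling are constructed for the demo; the example also rejects edge cases the slide does not list (NaN, infinities, sub-cent values, exponent notation) that a naive `float(amount) > 0` check mishandles.

```python
from decimal import Decimal, InvalidOperation

# Constructed in-memory ledger for the demo: account id -> balance.
ACCOUNTS = {"alice": Decimal("100.00"), "bob": Decimal("20.00")}

MAX_TRANSFER = Decimal("10000.00")   # assumed per-transaction ceiling
CENT = Decimal("0.01")


class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""


def parse_amount(raw) -> Decimal:
    """Validate the client-supplied amount field on the server.

    Accepts only a finite, strictly positive value with at most two decimal
    places and below the transaction ceiling. Everything a client-side script
    might have checked is checked again here, because the request body can be
    rewritten in transit (intercepting proxy, curl, a modified page).
    """
    try:
        amount = Decimal(str(raw).strip())
    except (InvalidOperation, ValueError):
        raise TransferError("amount is not a number")
    if not amount.is_finite():                 # NaN, Infinity, -Infinity
        raise TransferError("amount must be finite")
    if amount <= 0:                            # negatives, zero and "-0"
        raise TransferError("amount must be positive")
    if amount > MAX_TRANSFER:                  # checked before quantize(): a huge
        raise TransferError("amount exceeds limit")  # exponent would overflow it
    if amount != amount.quantize(CENT):        # sub-cent values such as 0.001
        raise TransferError("amount has too many decimal places")
    return amount.quantize(CENT)


def transfer(accounts: dict, src: str, dst: str, raw_amount) -> Decimal:
    """Move money from src to dst after validation; returns src's new balance."""
    amount = parse_amount(raw_amount)
    if src == dst:
        raise TransferError("source and destination are the same account")
    if src not in accounts or dst not in accounts:
        raise TransferError("unknown account")
    if accounts[src] < amount:
        raise TransferError("insufficient funds")
    # In a real system both updates run inside one database transaction with
    # the source row locked, so concurrent requests cannot overdraw it.
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts[src]


if __name__ == "__main__":
    ledger = dict(ACCOUNTS)
    print("alice ->", transfer(ledger, "alice", "bob", "25.50"))
    for bad in ("-10", "0", "NaN", "0.001", "1e30", "ten"):
        try:
            transfer(ledger, "alice", "bob", bad)
        except TransferError as e:
            print(f"rejected {bad!r}: {e}")
```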
7. Buying online for free!
• Impact
  – Buy air tickets (or anything that you like) at whatever price you want!
• How does it work?
  – Application does not validate the amount paid to the payment gateway. Attacker can simply use the “Call back URL” to get the payment success and product delivery.
• How to fix?
  – Create a validation process between the application and the payment gateway to know the exact amount transferred
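The validation process this slide asks for, as an added Python example (not the deck's or iViZ's code): the callback handler accepts a payment only when the message is authentic, has not been processed before, and reports exactly the amount and currency the shop recorded for the order. The HMAC signing scheme, the shared secret and the order store are assumptions for the demo; real gateways each define their own verification method.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Assumed shared secret agreed with the gateway (constructed demo value).
GATEWAY_SECRET = b"constructed-demo-secret"

# Constructed server-side order store: order id -> what the shop expects to be paid.
ORDERS = {
    "ORD-1001": {"amount": Decimal("499.00"), "currency": "USD", "state": "pending"},
}


def fresh_orders() -> dict:
    """Independent copy of ORDERS so each demo run starts from 'pending'."""
    return {oid: dict(o) for oid, o in ORDERS.items()}


def sign_params(params: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """Assumed gateway scheme: HMAC-SHA256 over the sorted key=value pairs."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def gateway_callback(order_id: str, amount: str, status: str = "success",
                     currency: str = "USD") -> dict:
    """Simulates the gateway's side: what it would POST to the callback URL."""
    p = {"order_id": order_id, "amount": amount, "currency": currency, "status": status}
    p["sig"] = sign_params(p)
    return p


def handle_callback(orders: dict, params: dict) -> str:
    """Process a gateway callback and return the resulting order state.

    The order becomes 'paid' only if the callback is authentic, has not been
    seen before, reports success, AND the paid amount/currency equal what the
    shop itself recorded. Step 4 is the business-logic check from the slide:
    a genuinely signed callback for the wrong amount is still rejected.
    """
    order = orders.get(params.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    # 1. Authenticity: constant-time comparison against the gateway signature.
    if not hmac.compare_digest(sign_params(params).encode(),
                               str(params.get("sig", "")).encode()):
        return "rejected: bad signature"
    # 2. Idempotency: a replayed success callback must not deliver twice.
    if order["state"] != "pending":
        return f"ignored: order already {order['state']}"
    # 3. Outcome reported by the gateway.
    if params.get("status") != "success":
        order["state"] = "failed"
        return "failed"
    # 4. Amount and currency actually paid vs. the server-side price.
    try:
        paid = Decimal(str(params.get("amount", "")))
    except InvalidOperation:
        return "rejected: bad amount"
    if paid != order["amount"] or params.get("currency") != order["currency"]:
        order["state"] = "amount_mismatch"
        return "rejected: amount mismatch"
    order["state"] = "paid"
    return "paid"
```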
8. Stealing one time passwords
• Impact
  – You can steal the One Time Password of another user without having access to their mobile, email etc.
• How does it work?
  – Application sends the OTP to the browser for faster client side validation and better user experience
• How to fix?
  – Conduct server side validation. Do not send the OTP to the browser.
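Server-side OTP handling as an added Python example (not code from the deck): the code goes only to the out-of-band sender, the server keeps a salted hash of it, and verification is expiring, attempt-limited, single-use and constant-time. The TTL and attempt limit are assumed values, and the challenge store is an in-memory dict standing in for a database or cache.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300     # assumed validity window
MAX_ATTEMPTS = 5          # assumed guess limit before the code is invalidated

# Server-side store of pending challenges: user -> record. The record holds a
# salted hash of the code, never the code itself, and none of it reaches the
# browser.
_challenges: dict = {}


def _otp_hash(user: str, otp: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + user.encode() + otp.encode()).digest()


def issue_otp(user: str, now=None) -> str:
    """Create a challenge and return the code for the out-of-band sender
    (SMS or e-mail gateway). The HTTP response to the browser is built by
    browser_response() and carries no code."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _challenges[user] = {"hash": _otp_hash(user, otp, salt), "salt": salt,
                         "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


def browser_response(user: str) -> dict:
    """What the client is told after issue_otp(): only that a code is pending."""
    return {"user": user, "otp_required": True, "ttl": OTP_TTL_SECONDS}


def verify_otp(user: str, submitted: str, now=None) -> bool:
    """Server-side check: expiring, attempt-limited, single use, constant-time."""
    now = time.time() if now is None else now
    ch = _challenges.get(user)
    if ch is None:
        return False
    if now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
        _challenges.pop(user, None)      # expired or locked out: needs a new code
        return False
    ch["attempts"] += 1
    ok = hmac.compare_digest(ch["hash"], _otp_hash(user, str(submitted), ch["salt"]))
    if ok:
        _challenges.pop(user, None)      # consumed: the same code cannot be replayed
    return ok
```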
9. Have unlimited discounts
• Impact
  – You can enjoy unlimited discount
• How does it work?
  – You can add 10 products to the cart and avail the standard (e.g. 10%) discount
  – Remove 9 products from the cart after that, but the application still retains the discount amount
• How to fix?
  – Recalculate the discount if there is any change in the cart
10. Get 100% discount with 10% discount Coupons
• Impact
  – You can get 100% discount with a 20% discount coupon
• How does it work?
  – Same coupon can be used multiple times during the same transaction
• How to fix?
  – Expire the coupon after the first use, not after the session ends
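Slides 9 and 10 share one fix, so this added Python example (not code from the deck) covers both: a stale-discount cart that reproduces the flaw from slide 9 next to a hardened cart that derives every price from its current contents, accepts a coupon code once per transaction, and marks it redeemed for the user at checkout rather than at session end. The catalogue, the 10-item bulk rule and the coupon table are constructed for the demo.

```python
from decimal import Decimal

# Constructed catalogue and assumed pricing rules for the demo.
CATALOGUE = {"book": Decimal("10.00"), "pen": Decimal("2.00")}
BULK_THRESHOLD = 10                      # 10+ items in the cart ...
BULK_PERCENT = Decimal("10")             # ... earn a 10% discount
COUPONS = {"SAVE20": Decimal("20")}      # coupon code -> percent off
CENT = Decimal("0.01")
# Coupons consumed at checkout, keyed by (user, code); survives the session.
REDEEMED: set = set()


class StaleCart:
    """Flawed design from the slide: the discount is computed when items are
    added and stored, so removing items afterwards leaves it in place."""
    def __init__(self):
        self.items, self.discount_amount = {}, Decimal("0.00")
    def add(self, sku, qty):
        self.items[sku] = self.items.get(sku, 0) + qty
        if sum(self.items.values()) >= BULK_THRESHOLD:
            sub = sum(CATALOGUE[s] * q for s, q in self.items.items())
            self.discount_amount = (sub * BULK_PERCENT / 100).quantize(CENT)
    def remove(self, sku, qty):
        self.items[sku] -= qty          # discount_amount is never recomputed


class Cart:
    """Hardened version: every price is derived from the current cart state
    on each call, and a coupon is accepted once per cart and once per user."""
    def __init__(self, user):
        self.user = user
        self.items = {}
        self.coupons = set()

    def add(self, sku, qty=1):
        if sku not in CATALOGUE or qty <= 0:
            raise ValueError("bad item")
        self.items[sku] = self.items.get(sku, 0) + qty

    def remove(self, sku, qty=1):
        self.items[sku] = max(self.items.get(sku, 0) - qty, 0)

    def apply_coupon(self, code) -> bool:
        if code not in COUPONS or code in self.coupons or (self.user, code) in REDEEMED:
            return False                # unknown, already in this cart, or already used
        self.coupons.add(code)
        return True

    def subtotal(self) -> Decimal:
        return sum((CATALOGUE[s] * q for s, q in self.items.items()), Decimal("0.00"))

    def discount(self) -> Decimal:      # recomputed from scratch on every call
        pct = BULK_PERCENT if sum(self.items.values()) >= BULK_THRESHOLD else Decimal(0)
        pct += sum((COUPONS[c] for c in self.coupons), Decimal(0))
        pct = min(pct, Decimal(100))    # never more than 100% off
        return (self.subtotal() * pct / 100).quantize(CENT)

    def total(self) -> Decimal:
        return self.subtotal() - self.discount()

    def checkout(self) -> Decimal:
        """Charge the recomputed total and burn the coupons for this user."""
        for code in self.coupons:
            REDEEMED.add((self.user, code))
        return self.total()
```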
11. Hijacking others' accounts
• Impact
  – You can hijack anybody’s (use your imagination) account.
• How does it work?
  – Weak password recovery process
  – Choose the “Do not have access to registered email” option
  – Brute force the answer to the secret question.
• How to fix?
  – Create a stronger password recovery option
  – Recovery links only over email
12. DOS your competition
• Impact
  – You can stop others from buying products
• How does it work?
  – You try to book a product and start the session but do not pay
  – Open millions of such threads and do not pay
  – Application does not have an “expiry time” or other validation of IP etc.
• How to fix?
  – Session Time-Out, Anti-Automation and limit the number of threads from a single IP (DDOS still possible)
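The session time-out and per-IP limit from this slide, as an added Python example (not code from the deck): unpaid reservations hold stock only until a TTL lapses, and one source address may keep only a few unpaid holds open at once. The TTL, the per-IP cap and the stock figures are assumed demo values; as the slide notes, a distributed attacker with many addresses can still exhaust the cap, which is why the TTL does most of the work.

```python
import time
from collections import Counter

HOLD_TTL_SECONDS = 600      # assumed: an unpaid reservation lapses after 10 min
MAX_OPEN_HOLDS_PER_IP = 3   # assumed per-source cap on concurrent unpaid holds


class Inventory:
    """Stock with time-limited reservations. A hold takes units out of the
    available pool only until it expires or is paid, and no single source
    address may keep more than a few unpaid holds open at the same time."""

    def __init__(self, stock: int):
        self.stock = stock          # units not yet sold
        self.holds = {}             # hold id -> {"ip", "qty", "expires"}
        self._next_id = 1

    def _reap(self, now: float) -> None:
        """Drop expired holds so their units return to the pool."""
        for hid in [h for h, v in self.holds.items() if v["expires"] <= now]:
            del self.holds[hid]

    def available(self, now=None) -> int:
        now = time.time() if now is None else now
        self._reap(now)
        return self.stock - sum(v["qty"] for v in self.holds.values())

    def reserve(self, ip: str, qty: int, now=None):
        """Open a hold; returns its id, or None if refused."""
        now = time.time() if now is None else now
        self._reap(now)
        if qty <= 0 or qty > self.available(now):
            return None
        open_from_ip = Counter(v["ip"] for v in self.holds.values())[ip]
        if open_from_ip >= MAX_OPEN_HOLDS_PER_IP:
            return None             # anti-automation: this source has enough open
        hid = self._next_id
        self._next_id += 1
        self.holds[hid] = {"ip": ip, "qty": qty, "expires": now + HOLD_TTL_SECONDS}
        return hid

    def pay(self, hold_id: int, now=None) -> bool:
        """Convert a still-valid hold into a sale."""
        now = time.time() if now is None else now
        self._reap(now)
        hold = self.holds.pop(hold_id, None)
        if hold is None:
            return False            # unknown or already expired: must reserve again
        self.stock -= hold["qty"]
        return True
```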
13. Detection and Prevention
14. How to detect?
• What helps?
  – Threat Modeling and Attack Surface Analysis
  – Break down the key processes into work-flows/flow charts to detect possible manipulations
  – Penetration Testing with Business Logic Testing by Experts
  – Design Review
• What does not help?
  – Automated Testing with any tools (neither Static nor Dynamic)
  – Testing conducted by a team with less expertise
  – Standard Code review
15. How to prevent?
• Design the application/use case scenarios keeping Business Logic Vulnerability in mind
• Conduct Security Design Reviews
• Independent/Third Party Tests (within or outside the company)
• Comprehensive Pen Test with Business Logic Testing before the Application goes live
16. Resources
17. Top Free Online Resources
• Checklist for Business Logic Vuln: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
• OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
• WebScarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project
18. After 7 Sins.. Now be prepared for Karma!
19. How to be bankrupt in a day?
• Denial of Dollar Attack!
• “Piratebay” founder proposed launching this attack on the law firm which fought against him
• Example working model:
  – Send a 1 cent online transaction to the law firm account. The bank deducts 1 Dollar as transaction fee.
  – Send millions of “1 Cent transactions”
20. Stay safe!
21. Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1