Anatomy of business logic vulnerabilities
Uploaded by DaveEdwards12 (Technology)
1. Anatomy of Business Logic Vulnerabilities
Bikash Barai, Co-Founder & CEO
Jan 2013 © iViZ Security Inc
2. About iViZ

• iViZ – Cloud-based Application Penetration Testing
  – Zero False Positive Guarantee
  – Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers
• Gartner Hype Cycle – DAST and Application Security as a Service
3. Understanding Business Logic Vulnerabilities
4. Understanding Business Logic Vulnerability

• Business Logic Vulnerabilities are security flaws caused by wrong logic design, not by wrong coding
• Number of Business Logic Vulnerabilities per App: 2 to 3 for critical Apps
• Only 5 to 10% of total vulnerabilities
• Difficult to detect, but with the highest impact
5. 7 Deadly Sins!
6. Increasing your Bank Balance

• Impact
  – You can increase your bank balance just by transferring a negative amount to somebody else
• How does it work?
  – No server-side validation of the amount field
  – Sometimes client-side validations are present, but they can be bypassed by manipulating "data in transit" (use WebScarab, Burp Suite, Paros, etc.)
• How to fix?
  – Add server-side validations in the workflow
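The fix on this slide is "validate on the server". The following is an added illustration, not code from the deck or from iViZ, of what that validation looks like for a transfer endpoint: the amount string from the client is re-parsed as a Decimal and rejected when it is non-numeric, non-finite, zero or negative, or carries more precision than the currency allows, before any balance is touched. The account names and balances are constructed sample data.

```python
from decimal import Decimal, InvalidOperation

class TransferError(ValueError):
    """Raised when a transfer request fails server-side validation."""

def make_accounts():
    """Constructed in-memory ledger (sample data, not from the deck): account -> balance."""
    return {"alice": Decimal("100.00"), "bob": Decimal("50.00")}

def parse_amount(raw):
    """Re-parse and range-check the client-supplied amount on the server.
    Client-side checks are a usability feature; they are not a control."""
    try:
        amount = Decimal(str(raw))
    except (InvalidOperation, ValueError):
        raise TransferError("amount is not a number")
    if not amount.is_finite():
        raise TransferError("amount is not finite")
    if amount <= 0:
        # Rejecting zero and negative values closes the "transfer a negative amount" flaw.
        raise TransferError("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("amount has more than two decimal places")
    return amount

def transfer(accounts, src, dst, raw_amount):
    """Move money between accounts only after every check has passed server-side.
    Returns the amount actually moved."""
    if src == dst:
        raise TransferError("source and destination are the same account")
    if src not in accounts or dst not in accounts:
        raise TransferError("unknown account")
    amount = parse_amount(raw_amount)
    if accounts[src] < amount:
        raise TransferError("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount
    return amount

if __name__ == "__main__":
    ledger = make_accounts()
    transfer(ledger, "alice", "bob", "25.50")
    print(ledger)
    for bad in ("-10", "0", "abc", "1.234", "NaN"):
        try:
            transfer(ledger, "alice", "bob", bad)
        except TransferError as e:
            print(f"rejected {bad!r}: {e}")
```

In a real service the two balance updates run inside one database transaction; the point here is that the sign and range of the amount are decided by the server, not by the form.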
7. Buying online for free!

• Impact
  – Buy air tickets (or anything you like) at whatever price you want!
• How does it work?
  – The application does not validate the amount paid to the payment gateway. An attacker can simply use the "callback URL" to get payment success and product delivery.
• How to fix?
  – Create a validation process between the application and the payment gateway to know the exact amount transferred
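What "validation between the application and the payment gateway" means in code, as an added example that is not from the deck: the shop records the expected amount when it creates the order, and a gateway callback is accepted only if it is authentically signed, refers to a still-pending order, reports success, and carries exactly the amount and currency the shop asked for. The HMAC-over-sorted-fields scheme, the shared secret and the order data are constructed for this example; a real gateway's signature format will differ.

```python
import hashlib
import hmac

# Constructed placeholder for the secret the gateway and the shop share (not a real key).
GATEWAY_SECRET = b"example-shared-secret"

def fresh_orders():
    """Constructed order store (sample data): order id -> what we expect to be paid."""
    return {"ord-1001": {"amount_cents": 45000, "currency": "USD", "status": "pending"}}

def sign_callback(params, secret=GATEWAY_SECRET):
    """Signature over every callback field except 'sig', in sorted order.
    This is the value the gateway would compute and the shop recomputes."""
    msg = "|".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig").encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def handle_payment_callback(orders, params, secret=GATEWAY_SECRET):
    """Mark an order paid only when the callback is authentic and matches the order.
    Returns True if the order was marked paid; False leaves the order untouched."""
    expected = sign_callback(params, secret)
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False  # forged or tampered callback
    order = orders.get(params.get("order_id"))
    if order is None or order["status"] != "pending":
        return False  # unknown order, or a replay against an already-paid order
    if params.get("status") != "success":
        return False
    try:
        paid = int(params.get("amount_cents", -1))
    except ValueError:
        return False
    if paid != order["amount_cents"] or params.get("currency") != order["currency"]:
        return False  # the gateway must confirm exactly what we charged
    order["status"] = "paid"
    return True

if __name__ == "__main__":
    orders = fresh_orders()
    cb = {"order_id": "ord-1001", "amount_cents": "45000", "currency": "USD", "status": "success"}
    cb["sig"] = sign_callback(cb)
    print("genuine callback accepted:", handle_payment_callback(orders, cb))
    cheap = {"order_id": "ord-1001", "amount_cents": "1", "currency": "USD", "status": "success"}
    cheap["sig"] = sign_callback(cheap)
    print("underpaid callback accepted:", handle_payment_callback(fresh_orders(), cheap))
```

Where the gateway offers a server-to-server status query, calling it with the order id and comparing the returned amount is an equivalent check that does not depend on the browser-delivered callback at all.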
8. Stealing one-time passwords

• Impact
  – You can steal the One Time Password of another user without having access to their mobile, email, etc.
• How does it work?
  – The application sends the OTP to the browser for faster client-side validation and a better user experience
• How to fix?
  – Conduct server-side validation. Do not send the OTP to the browser.
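The slide's fix is that the browser never sees the OTP. As an added example (not from the deck), the store below keeps only a keyed hash of each code on the server, hands the plaintext to the out-of-band sender and returns nothing but an opaque challenge id to the web client; verification is server-side, constant-time, single-use, time-limited and attempt-limited. The pepper, TTL and attempt limit are constructed values.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # constructed policy value
MAX_ATTEMPTS = 5        # constructed policy value

class OtpStore:
    """Server-side OTP state. The web client only ever receives challenge_id;
    the code goes to the SMS/email sender and is compared on the server."""

    def __init__(self, pepper: bytes, clock=time.time):
        self._pepper = pepper      # server-side key so a leaked table alone does not reveal codes
        self._clock = clock        # injectable for testing
        self._challenges = {}      # challenge_id -> state

    def _digest(self, challenge_id, code):
        return hmac.new(self._pepper, f"{challenge_id}:{code}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user):
        """Create a challenge. Returns (challenge_id for the browser, code for the OOB channel)."""
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {
            "user": user,
            "digest": self._digest(challenge_id, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code

    def verify(self, challenge_id, submitted):
        """Check a submitted code. A correct code consumes the challenge; too many
        wrong guesses or expiry invalidate it."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return False
        if self._clock() > ch["expires"]:
            del self._challenges[challenge_id]
            return False
        ch["attempts"] += 1
        if ch["attempts"] > MAX_ATTEMPTS:
            del self._challenges[challenge_id]
            return False
        ok = hmac.compare_digest(ch["digest"], self._digest(challenge_id, str(submitted)))
        if ok:
            del self._challenges[challenge_id]   # one-time: never accept the same code twice
        return ok

if __name__ == "__main__":
    store = OtpStore(pepper=secrets.token_bytes(32))
    cid, code = store.issue("alice")
    print("send to phone:", code, "| send to browser:", cid)
    print("verify wrong:", store.verify(cid, "000000" if code != "000000" else "111111"))
    print("verify right:", store.verify(cid, code))
    print("verify again:", store.verify(cid, code))
```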
9. Have unlimited discounts

• Impact
  – You can enjoy unlimited discount
• How does it work?
  – You add 10 products to the cart and avail the standard (e.g. 10%) discount
  – You then remove 9 products from the cart, but the application still retains the discount amount
• How to fix?
  – Recalculate the discount whenever the cart changes
10. Get 100% discount with 10% discount Coupons

• Impact
  – You can get 100% discount with a 20% discount coupon
• How does it work?
  – The same coupon can be used multiple times during the same transaction
• How to fix?
  – Expire the coupon after the first use, not when the session ends
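Slides 9 and 10 are two faces of the same design rule: price is a function of the cart's current state, never a stored result. The added example below (not code from the deck) recomputes the bulk discount from the present contents on every call, allows a coupon to be attached at most once per transaction, and records it in a shared redeemed set at checkout so no later transaction can reuse it. The catalogue, coupon table, threshold and rates are constructed sample data.

```python
from decimal import Decimal

# Constructed sample data (not from the deck).
CATALOGUE = {"book": Decimal("20.00"), "pen": Decimal("2.00")}
COUPONS = {"SAVE20": Decimal("0.20")}      # code -> fraction off the subtotal
BULK_THRESHOLD = 10                        # items needed for the standard discount
BULK_RATE = Decimal("0.10")                # the "e.g. 10%" from slide 9

class Cart:
    def __init__(self, redeemed_coupons):
        self.items = {}                    # product -> quantity
        self.coupon = None                 # at most one coupon per transaction
        self._redeemed = redeemed_coupons  # shared store of coupons already consumed

    def add(self, product, qty=1):
        if product not in CATALOGUE or qty <= 0:
            raise ValueError("bad product or quantity")
        self.items[product] = self.items.get(product, 0) + qty

    def remove(self, product, qty=1):
        have = self.items.get(product, 0)
        if qty >= have:
            self.items.pop(product, None)
        else:
            self.items[product] = have - qty

    def apply_coupon(self, code):
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        if code in self._redeemed:
            raise ValueError("coupon already used")
        if self.coupon is not None:
            raise ValueError("only one coupon per transaction")
        self.coupon = code

    def total(self):
        """Derived from the current contents every time it is asked for; nothing is cached,
        so removing items removes the discount they earned."""
        subtotal = sum((CATALOGUE[p] * q for p, q in self.items.items()), Decimal("0"))
        total = subtotal
        if sum(self.items.values()) >= BULK_THRESHOLD:
            total -= subtotal * BULK_RATE
        if self.coupon is not None:
            total -= subtotal * COUPONS[self.coupon]
        return total.quantize(Decimal("0.01"))

    def checkout(self):
        """Finalise: the coupon is consumed at first use, not at session end."""
        total = self.total()
        if self.coupon is not None:
            self._redeemed.add(self.coupon)
        return total

if __name__ == "__main__":
    redeemed = set()
    cart = Cart(redeemed)
    cart.add("pen", 10)
    print("10 pens:", cart.total())
    cart.remove("pen", 9)
    print("1 pen:", cart.total())
```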
11. Hijacking others' accounts

• Impact
  – You can hijack anybody's (use your imagination) account.
• How does it work?
  – Weak password recovery process
  – Choose the "Do not have access to registered email" option
  – Brute force the answer to the secret question.
• How to fix?
  – Create a stronger password recovery option
  – Recovery links only over email
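"Recovery links only over email" implemented as an added example, not code from the deck: there is no secret-question fallback, so there is nothing to guess; the reset token is long and random, stored only as a hash, valid once and for a limited time, and the response to a recovery request does not reveal whether the account exists. The outbox list stands in for the mail sender, and the TTL is a constructed value.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 900   # constructed policy value

class PasswordRecovery:
    """Recovery by a single-use, time-limited link sent to the registered address only."""

    def __init__(self, registered_emails, outbox, clock=time.time):
        self._emails = registered_emails   # user -> registered email (constructed data)
        self._outbox = outbox              # stand-in for the mailer: list of (email, token)
        self._clock = clock
        self._tokens = {}                  # sha256(token) -> (user, expiry)

    def request(self, identifier):
        """Start recovery. Same response whether or not the account exists."""
        email = self._emails.get(identifier)
        if email is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self._tokens[key] = (identifier, self._clock() + RESET_TTL_SECONDS)
            self._outbox.append((email, token))
        return "If the account exists, a recovery link has been sent."

    def redeem(self, token):
        """Exchange the link's token for the user allowed to set a new password, or None."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)    # pop: a link works exactly once
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() > expiry:
            return None
        return user

if __name__ == "__main__":
    outbox = []
    rec = PasswordRecovery({"alice": "alice@example.com"}, outbox)
    print(rec.request("alice"))
    print(rec.request("nobody"))          # identical message, nothing sent
    _, token = outbox[0]
    print("redeem once:", rec.redeem(token))
    print("redeem twice:", rec.redeem(token))
```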
12. DoS your competition

• Impact
  – You can stop others from buying products
• How does it work?
  – You try to book a product and start the session, but do not pay
  – Open millions of such threads and do not pay
  – The application has no "expiry time" or other validation (of IP, etc.)
• How to fix?
  – Session time-out, anti-automation, and limit the number of threads from a single IP (DDoS still possible)
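The fix on this slide, as an added example that is not from the deck: inventory holds carry an expiry and are released back to stock when they lapse, and each client may have only a bounded number of active holds. The stock level, hold duration and per-client limit are constructed values; in production the per-client key would be whatever identity the service can reasonably bind to (account, session, or source address, with the slide's caveat that a distributed attacker still gets around an IP limit).

```python
import time

HOLD_SECONDS = 600                  # constructed policy value
MAX_ACTIVE_HOLDS_PER_CLIENT = 3     # constructed policy value

class Inventory:
    """Stock with time-limited reservation holds and a per-client cap on open holds."""

    def __init__(self, stock, clock=time.time):
        self._free = stock
        self._clock = clock
        self._holds = {}        # hold_id -> (client, expires_at)
        self._next_id = 0

    def _expire(self):
        """Return lapsed holds to the free pool. Called before every decision."""
        now = self._clock()
        for hold_id, (_, expires_at) in list(self._holds.items()):
            if now >= expires_at:
                del self._holds[hold_id]
                self._free += 1

    def hold(self, client):
        """Reserve one unit for `client`. Returns a hold id, or None if refused."""
        self._expire()
        active = sum(1 for c, _ in self._holds.values() if c == client)
        if active >= MAX_ACTIVE_HOLDS_PER_CLIENT:
            return None                      # anti-automation: bounded open holds per client
        if self._free == 0:
            return None
        self._free -= 1
        self._next_id += 1
        self._holds[self._next_id] = (client, self._clock() + HOLD_SECONDS)
        return self._next_id

    def pay(self, hold_id, client):
        """Convert a live hold into a sale. Expired or foreign holds cannot be paid."""
        self._expire()
        entry = self._holds.get(hold_id)
        if entry is None or entry[0] != client:
            return False
        del self._holds[hold_id]             # unit is sold; stock stays decremented
        return True

    def available(self):
        self._expire()
        return self._free

if __name__ == "__main__":
    inv = Inventory(stock=5)
    print([inv.hold("abuser") for _ in range(4)])   # fourth hold refused
    print("available:", inv.available())
```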
13. Detection and Prevention
14. How to detect?

• What helps?
  – Threat Modeling and Attack Surface Analysis
  – Break down the key processes into workflows/flow charts to detect possible manipulations
  – Penetration Testing with Business Logic Testing by experts
  – Design Review
• What does not help?
  – Automated testing with any tools (neither static nor dynamic)
  – Testing conducted by a team with less expertise
  – Standard code review
15. How to prevent?

• Design the application/use case scenarios keeping Business Logic Vulnerabilities in mind
• Conduct Security Design Reviews
• Independent/third-party tests (within or outside the company)
• Comprehensive Pen Test with Business Logic Testing before the application goes live
16. Resources
17. Top Free Online Resources

• Checklist for Business Logic Vulnerabilities: http://www.ivizsecurity.com/50-common-logical-vulnerabilities.html
• OWASP: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
• WebScarab: https://www.owasp.org/index.php/OWASP_WebScarab_Project
18. After 7 Sins.. Now be prepared for Karma!
19. How to be bankrupt in a day?

• Denial of Dollar Attack!
• A "Piratebay" founder proposed launching this attack on the law firm that fought against him
• Example working model:
  – Send a 1 cent online transaction to the law firm's account. The bank deducts 1 Dollar as a transaction fee.
  – Send millions of such "1 Cent transactions"
20. Stay safe!
21. Thank You

bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1