Business Logic Errors - A Logic Destruction

Summary :

Business logic errors will allow you to manipulate the business logic of an application. Sometimes business logic errors can have devastating effects on the applications. Business logic errors are difficult to find because they involve legitimate use of the application’s functionality. This kind of vulnerabilities are a way of using the legitimate processing flow of an application in a way that it results in a negative consequence to the organization.

Description :

I found this vulnerability in an invite feature on my private project. It was having only limited number of invitations (4 invitations) for non-premium users, means you can only invite 4 people. I sent one invite and then I was left with 3 invitations but after sending an invitation I noticed that there is an option to cancel (withdraw) your invite and when I used that cancel option, again I was having 4 invitations to send. While sending an invitation I captured the request using burpsuite and manipulated the email parameter value to an array and I checked the response and found both the emails were reflected in response. I checked both the emails and found that I got invitations on both the emails but when I checked on the web application it was counted as one invite which means I was still left with 3 invitations even after sending invitation to 2 users.

What is an array ?

In simple language, an array is a datatype that is used to store multiple values of same type together so that you do not need to specify different datatypes and variables for different values.

Similar to other programming languages, an array in JSON is a list of items surrounded in square brackets []. Each item in an array is separated by a comma and the array index begins with 0. JSON array can store multiple value types like string, number, boolean, object or other array inside JSON array.

For eg. {“email”:[“email1@gmail.com”,”email2@gmail.com”]} is considered as a whole array and changes will be applied to both at the same time.

How I found this vulnerability ?

  1. I used the invite team member functionality
Invite Team Member Functionality
Sending Invitation

2. After sending an invite, I captured the request using burp to check how this invitation functionality works and it was working normal

Captured Request
Normal Behavior

3. In the next step, I withdrew the invitation (laneko6393@astarmax.com) which I sent before, so now I have 4 invitations again

Invitation Withdrew (laneko6393@astarmax.com)

4. Then I sent an invitation again (laneko6393@astarmax.com) and captured the request and manipulated it with an array appending new email (winaxi9052@bombaya.com) and I received invitations on both the emails

Manipulated Request - Array
Manipulated Response - Array
Invitation Received
Invitation Received

5. In the next step, I withdrew the invitation again and this time I sent the invitation to 3 users at a time using an array and it went successful

Manipulated Request - Array (3 Invitations)
Manipulated Response - Array (3 Invitations)
Invitation Received
Invitation Received
Invitation Received

6. As a last step, I reloaded the page and checked that how many invitations were deducted from 4 invitations and I found that I was still left with 3 more invitations as all the three invitations that I sent were counted as 1 because of an array

3 Invitations Left

Why this happened ?

In my opinion,

It happened due to improper assignment of a datatype (array) to the email parameter, which led to abuse of invite user functionality.

Impact :

An attacker can abuse this functionality and send as many invitations as he/she wants without using the premium feature. This can lead to business loss to the company.

Mitigation :

A proper datatype should be assigned to the parameters and input validation should be done to avoid this kind of vulnerabilities.

--

--

--

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CBDC vs Cryptocurrency: the War of Privacy

OSINT Recon Great? — Unique Usernames Are Better Than Unique Passwords

{UPDATE} Bubble Shooter Lost Panda Hack Free Resources Generator

Protection from Container Malware with Anthos

Connext. From A to Z. (Part 4).

Ama crypto monsters with hodl token January 8 15pm utc

How To Fix Your Aggregator Website Using Residential Proxies

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jerry Shah (Jerry)

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

More from Medium

No Rate Limiting Vulnerability & Bypasses - Cyber Sapiens Internship Task-17

Parameter Pollution - Zero Day

A Study Notes of Exploit Spring Boot Actuator

Response Manipulation leads to Account Takeover