Business Logic Errors - A New Look

Jerry Shah (Jerry)
3 min readApr 14, 2020


Summary:

Business logic errors commonly allow attackers to manipulate the intended workflow of an application. Errors in business logic can be devastating to an entire application. They are difficult to find automatically, since exploiting them typically involves legitimate use of the application's own functionality. Many business logic errors nevertheless exhibit patterns similar to well-understood implementation and design weaknesses.

I found this wonderful vulnerability on one of the private programs. I was able to delete anyone's comment just by using the report feature.

This vulnerability is not limited to the comment section: you can also report someone's post, profile photo, blog, message, video, etc. You won't always find a report feature; some companies use a flag feature instead, and the same test applies there.

[Screenshot: Flag feature]

How to find this vulnerability?

1. Go to your target website that has a comment feature

[Screenshot: Comments]

2. Here you'll find that many people have commented; in my case the victim was "fedoraismine" (another test account of mine).

3. Use the report comment feature: click on Report and select any option

[Screenshot: Options]

4. Now click on Continue, intercept the request using Burp Suite and send it to Intruder

[Screenshot: Burp Suite - Intruder]

5. Now click on Clear, go to the Payloads section in Burp Suite and select Null payloads

[Screenshot: Payload section]

6. Now select the option Continue indefinitely

[Screenshot: Continue indefinitely]

7. Now go to Options and set the number of threads to 100

[Screenshot: Threads]

8. Now click on Start attack

[Screenshot: Attacking]

9. Wait for 900 payloads to be executed

[Screenshot: 900 payloads]

10. Reload the comment page

[Screenshot: Comment deleted]

NOTE: If the comment is not deleted, wait for some more payloads to execute and then reload the page again.
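The pattern behind the write-up is a report handler that counts every submitted report, so a single account replaying one request can reach the platform's automatic action threshold on its own. The following is an added example, not code from the original post or from the affected program: it models that naive counter next to a hardened handler that accepts one report per (reporter, comment), counts only distinct reporters toward the threshold, budgets how many reports one account may file per window, and only queues the comment for human review instead of deleting it. It also includes a small check over constructed log lines that flags one reporter filing many reports against one comment. The 900-report threshold, the per-reporter budget, the user and comment identifiers and the log format are all assumptions for illustration.

```python
"""Report-abuse handling: the naive counter the write-up exploits, a hardened
handler, and a log check for report floods.

Added illustration, not code from the original post or the affected program.
The threshold, field names and sample log lines are constructed for this example.
"""
from collections import Counter, defaultdict

AUTO_ACTION_THRESHOLD = 900   # assumed: reports before the platform acts on a comment
REPORT_BUDGET = 20            # assumed: reports one account may file per window


class NaiveReportService:
    """Counts every report request, regardless of who sent it."""

    def __init__(self):
        self.report_count = defaultdict(int)
        self.deleted = set()

    def report(self, reporter, comment_id, reason):
        self.report_count[comment_id] += 1
        if self.report_count[comment_id] >= AUTO_ACTION_THRESHOLD:
            self.deleted.add(comment_id)          # one account can reach this alone
        return "accepted"

    def is_deleted(self, comment_id):
        return comment_id in self.deleted


class HardenedReportService:
    """One report per (reporter, comment), threshold on distinct reporters,
    per-reporter budget, and automatic action limited to queuing for review."""

    def __init__(self, budget=REPORT_BUDGET):
        self.budget = budget
        self.reporters = defaultdict(set)   # comment_id -> reporters who filed
        self.used = defaultdict(int)        # reporter -> reports filed this window
        self.review_queue = set()

    def report(self, reporter, comment_id, reason):
        # Every request, duplicate or not, consumes the reporter's budget,
        # so a replay loop is throttled rather than merely ignored.
        if self.used[reporter] >= self.budget:
            return "rate_limited"
        self.used[reporter] += 1
        if reporter in self.reporters[comment_id]:
            return "duplicate"                # idempotent per reporter
        self.reporters[comment_id].add(reporter)
        if len(self.reporters[comment_id]) >= AUTO_ACTION_THRESHOLD:
            self.review_queue.add(comment_id) # a human decides, not the counter
        return "accepted"

    def distinct_reporters(self, comment_id):
        return len(self.reporters[comment_id])


def replay_reports(service, reporter, comment_id, times):
    """Send the same report request `times` times; return a tally of outcomes."""
    return Counter(service.report(reporter, comment_id, "spam") for _ in range(times))


def report_floods(log_lines, max_per_reporter=5):
    """Flag reporters who filed more than max_per_reporter reports on one comment.
    Log format is constructed: '<ts> report reporter=<id> comment=<id> reason=<r>'."""
    seen = Counter()
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[2:])
        seen[(fields["reporter"], fields["comment"])] += 1
    return sorted(key for key, n in seen.items() if n > max_per_reporter)


SAMPLE_LOG = (  # constructed sample events: one account floods c42, two others report once
    ["2020-04-14T10:00:%02dZ report reporter=u777 comment=c42 reason=spam" % s for s in range(8)]
    + ["2020-04-14T10:01:00Z report reporter=u12 comment=c42 reason=abuse",
       "2020-04-14T10:01:05Z report reporter=u13 comment=c99 reason=spam"]
)

if __name__ == "__main__":
    naive, hardened = NaiveReportService(), HardenedReportService()
    print(replay_reports(naive, "u777", "c42", AUTO_ACTION_THRESHOLD), naive.is_deleted("c42"))
    print(replay_reports(hardened, "u777", "c42", AUTO_ACTION_THRESHOLD), hardened.distinct_reporters("c42"))
    print(report_floods(SAMPLE_LOG))
```

Run as a script, the naive service deletes the comment after 900 replays from one account, while the hardened service records a single distinct reporter, throttles the remaining requests and never queues the comment. The window reset for the per-reporter budget is left out for brevity; in a real service it would be a sliding window keyed on the authenticated account, not on anything the client supplies in the request.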

Thank You :)

Instagram : jerry._.3

Happy Hacking ;)

Written by Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
