Business Logic Errors - Must Vote
Business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence.
I found this vulnerability on a private program of Bugcrowd where there was a comment section. I noticed that whenever any person makes a comment he/she gets an option to vote but only one time, either negative or positive. After reviewing the request using burp I found a vote parameter which was having a voting value and the same value was reflected in response. I changed the value of vote parameter from 1 to 1000 and it also got changed in the response. For double verification I reloaded the page and the value was still 1000. I reported the vulnerability but unfortunately it was a duplicate.
How I found this vulnerability ?
- I made a normal comment and found that it had a voting option
2. Then I normally voted up and it was working perfectly
3. Then I voted down to check whether it is working or not and it was working perfectly
4. In the next step, I voted up and intercepted the request using burp and changed the value of vote parameter from 1 to 1000 and also used the option Do intercept > Response to this request to check the server response
5. For double check I reloaded the page and still the votes were 1000
6. In the next step, I voted down and intercepted the request using burp and changed the value of vote parameter to -1000 and also used the option Do intercept > Response to this request to check the server response
7. For double check I reloaded the page again and still the votes were -1000
Why it happened ?
In my opinion,
The the validation check for voting was only done on the client side and not at the server side, so it was easy to manipulate the request by sending 1000 votes by a single user instead of only 1 vote.
All the users can vote multiple times, abusing the voting system which will affect the voting results.
Every user input should be validated on client side as well as server side to mitigate this type of issues.