Hello everyone, I would like to share one of my findings: a business logic error that let me abuse the password functionality. I found this vulnerability on a private project I was working on.
Business logic errors commonly allow attackers to manipulate the business logic of an application, and they can be devastating to an entire application. They are difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors exhibit patterns that are similar to well-understood implementation and design weaknesses.
Business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.
In this case I was able to bypass the minimum length requirement for the password, which was 6 characters. On the signup page I was asked to enter a username, email and password. I entered the single letter Q as my password, but it gave me an error saying 'The Password field must be 6 characters in length.' So I entered Qwerty@123 as my password and I was logged in.
Then I went to the settings page, where there was an option to change the password. I again entered the single letter Q as my password, and this time the password was changed successfully without the minimum length of 6 characters being enforced.
To double-check, I logged out of the account and logged in again with my email and the password Q, and it was successful.
How I found this vulnerability?
1. I went to the signup page and entered my details with the single-letter password Q, but it gave me an error.
2. Then I entered Qwerty@123 as the password and the account was created successfully.
3. Then I logged into the account, went to the settings page and updated my password to the single letter Q, and it was successful.
4. Then, to double-check, I logged out of the application and logged in again with the single-letter password Q, and it was successful.
Why this happened?
It happened because the signup flow had a password length validation check, but the password update flow in the account settings had no validation check for password length at all. The policy was enforced at one entry point and silently skipped at another.
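To make the root cause concrete, here is an added example (not the original application's code) of a minimal account service that reproduces the flaw: signup validates the password, the original change-password path does not, and the fixed path reuses the same validator so every entry point enforces the policy. The service, the helper names and the in-memory store are all hypothetical.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 6  # the policy the signup page enforced
class PasswordPolicyError(ValueError):
    """Raised when a password does not satisfy the policy."""
def validate_password(password):
    # Single source of truth for the policy (hypothetical helper).
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError(
            f"The Password field must be {MIN_PASSWORD_LENGTH} characters in length.")
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    # In-memory stand-in for the application's user store (hypothetical).
    def __init__(self):
        self._users = {}  # email -> (salt, pbkdf2 hash)

    def _store(self, email, password):
        salt = os.urandom(16)
        self._users[email] = (salt, _hash(password, salt))

    def signup(self, email, password):
        validate_password(password)  # the check that was present on signup
        self._store(email, password)

    def change_password_vulnerable(self, email, new_password):
        # The flaw: the settings page stores the new password with no length check.
        self._store(email, new_password)

    def change_password_fixed(self, email, new_password):
        # The fix: every path that sets a password runs the same validator.
        validate_password(new_password)
        self._store(email, new_password)

    def login(self, email, password):
        if email not in self._users:
            return False
        salt, digest = self._users[email]
        return hmac.compare_digest(digest, _hash(password, salt))

def password_accepted(action, *args):
    # True if the action stores the password, False if the policy rejects it.
    try:
        action(*args)
    except PasswordPolicyError:
        return False
    return True
```

Any other place that sets a credential (password reset, admin-initiated change, API endpoints) should go through the same validator, because each separate copy of the check is another place for it to be forgotten.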
The impact of business logic vulnerabilities ranges from trivial to significant; it depends entirely on what kind of vulnerability it is.
Avoid making implicit assumptions about user behavior or the behavior of other parts of the application. It is also important to make sure that both developers and testers are able to fully understand these assumptions and how the application is supposed to react in different scenarios. This can help the team to spot logic flaws as early as possible.