Welcome back to the biweekly Methodology Walkthrough. Today, we’ll be exploring a business logic vulnerability and using it to abuse legitimate application functionality.
Objective
Buy a Leather Jacket from the shop.
What is a Business Logic Vulnerability?
A business logic vulnerability is a flaw in the design or implementation of an application that lets an attacker manipulate the intended flow of a process. Rather than breaking a technical control such as input validation, the attacker abuses the application’s own logic (the order of steps, the assumptions one step makes about another) to perform unauthorized actions or gain access the developers never intended.
Methodology
The Recon
As soon as we open the app, we can see that there is a functional shopping app in front of us for once.
We have the ability to add items to a cart, view the cart, and place an order.
We also have a set of default credentials that let us log in to an account. Inside, we can see that we have a balance of $100 in store credit and the ability to change the account’s email address.
Our target item is the Lightweight “l33t” Leather Jacket, which appears to be outside of our price range with a price of $1337.00.
So, it looks like our goal here will be to trick the application into thinking we’re buying something else, but we’re actually buying the jacket.
Let’s take a look through the Site map for anything suspicious:
It’s already lighting up like a Christmas tree!
But we already know this is a business logic vuln - meaning we won’t necessarily need our technical abilities here, but rather our minds, to decipher how the application flow is functioning.
Still, as we always do anyway, let’s kick off an active scan on the interesting endpoints, such as the cart and items, just in case it finds something we missed while we move on to manual testing.
Testing
In order to fully understand the application, we should first purchase an item in our price range so we can see the workflow from end to end.
After adding it to the cart, let’s click Place Order to see if anything interesting happens.
Nothing that stands out right away in the UI.
But we shouldn’t have been expecting anything out of the ordinary anyway.
Let’s go to the important part - the Proxy HTTP History and check each step in the workflow.
A request stands out to me immediately:
The order confirmation.
It looks like this request carries a confirmation flag; when that flag is set to true, the server treats the order for whatever is currently in the cart as confirmed. Notably, it is a separate request from the one that checked our balance…
I have an idea!
Exploitation
After purchasing our last item, we now only have $72.11 in store credit - far below the $1337 needed to purchase the Leather Jacket.
But, I think we can trick the store logic.
Let’s add the Leather Jacket back to the cart.
We can place the order again and see that we’re denied - Not enough store credits.
Well, what if we utilize the order confirmation request from before?
We can send it over to the Repeater and replay it.
If all goes right, this should confirm the items currently in our cart, skipping the balance check entirely…
It worked. The application doesn’t sufficiently verify the Place Order workflow: the confirmation step trusts that the balance check already succeeded instead of re-validating the order server-side. Bingo, lab solved!
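To make the root cause concrete, here is a toy model of the two-step checkout, written for this write-up as an added example (it is not the lab’s code or the original author’s). The route names `/cart/checkout` and `/cart/order-confirmation`, the `order-confirmed=true` parameter, and the $27.89 cheap item are assumptions standing in for the requests seen in Proxy HTTP History; the $100 balance, the $72.11 remainder and the $1337 jacket are the values from the walkthrough. The vulnerable confirmation handler trusts the client-supplied flag, so replaying it after a denied checkout completes the order; the hardened version ties confirmation to a server-side snapshot of the cart that passed the balance check, issued as a single-use token, and re-checks credit before finalising.

```python
"""Toy two-step checkout: vulnerable replayable confirmation vs. a hardened one.

Added example for this write-up, not the lab's or the author's code.
Assumed: route names, the order-confirmed=true flag, and the $27.89 item.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

CHEAP_ITEM = ("cheap item", 27.89)   # constructed: 100.00 - 27.89 = 72.11
JACKET = ("Lightweight l33t Leather Jacket", 1337.00)


@dataclass
class Account:
    credit: float = 100.00
    cart: dict = field(default_factory=dict)      # item name -> price
    purchased: list = field(default_factory=list)
    pending: Optional[dict] = None                # hardened flow only


class InsufficientCredit(Exception):
    pass


# --- vulnerable flow: confirmation is gated only by a client-supplied flag ---

def vuln_checkout(acct: Account) -> str:
    """POST /cart/checkout (assumed): checks balance, redirects to confirmation."""
    if sum(acct.cart.values()) > acct.credit:
        raise InsufficientCredit("Not enough store credit")
    return "/cart/order-confirmation?order-confirmed=true"


def vuln_confirm(acct: Account, order_confirmed: bool) -> None:
    """GET /cart/order-confirmation (assumed): finalises whatever is in the cart.

    BUG: nothing proves the balance check ran for *this* cart, so a replay
    of the confirmation request after a denied checkout still completes it.
    """
    if not order_confirmed:
        return
    acct.credit -= sum(acct.cart.values())
    acct.purchased.extend(acct.cart)
    acct.cart.clear()


# --- hardened flow: confirmation bound to a server-side, single-use order ----

def safe_checkout(acct: Account) -> str:
    """Validates, snapshots the cart server-side and issues a one-time token."""
    total = sum(acct.cart.values())
    if total > acct.credit:
        raise InsufficientCredit("Not enough store credit")
    token = secrets.token_urlsafe(16)
    acct.pending = {"token": token, "items": dict(acct.cart), "total": total}
    return f"/cart/order-confirmation?token={token}"


def safe_confirm(acct: Account, token: str) -> None:
    """Completes only the exact order that passed the balance check."""
    p = acct.pending
    if p is None or not secrets.compare_digest(p["token"], token):
        raise PermissionError("No pending order for this token")
    acct.pending = None                           # consume the token first
    if p["items"] != acct.cart or p["total"] > acct.credit:
        raise InsufficientCredit("Cart changed or credit insufficient")
    acct.credit -= p["total"]
    acct.purchased.extend(p["items"])
    acct.cart.clear()


def replay_attack(checkout, confirm, arg_from_url):
    """Buy the cheap item legitimately, then replay confirmation for the jacket."""
    acct = Account()
    acct.cart[CHEAP_ITEM[0]] = CHEAP_ITEM[1]
    arg = arg_from_url(checkout(acct))            # captured confirmation request
    confirm(acct, arg)                            # legitimate purchase: $72.11 left
    acct.cart[JACKET[0]] = JACKET[1]
    try:
        checkout(acct)                            # denied: not enough credit
    except InsufficientCredit:
        pass
    try:
        confirm(acct, arg)                        # the Repeater replay
        outcome = "jacket obtained"
    except (PermissionError, InsufficientCredit) as exc:
        outcome = f"blocked: {exc}"
    return outcome, sorted(acct.purchased), round(acct.credit, 2)


def run_vulnerable():
    return replay_attack(vuln_checkout, vuln_confirm,
                         lambda url: url.endswith("order-confirmed=true"))


def run_hardened():
    return replay_attack(safe_checkout, safe_confirm,
                         lambda url: url.split("token=")[1])


if __name__ == "__main__":
    print(run_vulnerable())   # jacket bought, credit driven to -1264.89
    print(run_hardened())     # replay rejected, credit still 72.11
```

The fix is not the token by itself: it is that the confirmation step re-derives everything it needs (which items, what total, whether the credit still covers it) from server-side state created by the step that did the checking, and that state is consumed on first use so the captured request cannot be replayed.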
What We’ve Learned
Business logic vulns are not only fun, but also more accessible to hunt for, because finding them doesn’t require you to be extremely technical. Instead, you have to be creative and gain a deeper understanding of the application in front of you. When hunting, remember to work with what you have, explore different angles, and try to understand how the system is working.
Want to give the lab a try yourself? You can check it out on PortSwigger’s website here.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
. . .
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!