🚩
Cyber Explained
  • WHOAMI
  • Technologies
    • Docker
      • Setup Docker
      • Terminology
      • Docker Hub
      • Docker Images
      • Docker Containers
      • Working with Containers
      • Virtualization vs Containerization
      • Nutshell
      • Troubleshoot
    • Android Application
      • Application File Structure
      • Layout and Resources for UI
      • Activities
      • Intents
      • Activity lifecycle and state
      • Implicit intents
    • Active Directory
      • Attacking Active Directory: 0 to 0.9
      • Resources
    • Kerberos
  • RED TEAMING
    • Attacking Kerberos
      • User Enum and Brute Force
      • AS-REP Roasting
      • Kerberoasting
    • MITRE ATT&CK
    • Resources
  • PenTesting
    • Android Pentesting
      • Re-Build App
      • Using Frida on Android without root
    • Web Pentesting
      • XSS
      • SQLi
      • Authentication Vulnerabilities
      • Session Security
      • CSRF
      • Path Traversal
      • File Inclusion
      • Business Logic Vulnerabilities
      • HTTP Host header attacks
      • SSRF
      • HTTP Request Smuggling
      • OS command injection
      • Access control vulnerabilities
    • OWASP Testing Guide
      • 1.0 Information Gathering
      • 2.0 Configuration and Deployment Management Testing
      • 3.0 Identity Management Testing
      • 4.0 Authentication Testing
      • 5.0 Authorization Testing
      • 6.0 Session Management Testing
      • 7.0 Input Validation Testing
      • 8.0 Testing for Error Handling
      • 9.0 Testing for Weak Cryptography
      • 10.0 Business Logic Testing
      • 11.0 Client-side Testing
      • 12.0 API Testing
  • Programming
    • Python
      • Hello World !
        • Variables and Data Types
        • Lists, Tuple, Sets and Dictionaries
        • If Statement
        • While Loops
        • For Loops
        • Functions
        • Classes and Objects
        • Creating Modules
        • Creating Packages
        • Exception Handling
      • System Pogramming
        • File Handling
        • OS Interaction with OS Library
        • Multithreading
        • Signals
        • Subprocess
        • Code Examples
      • Network Programming
        • Socket Programming
        • Packet Injection with Raw Sockets
        • SocketServer Framework
        • Packet Sniffing with Scapy
        • Creating a Web Server
        • Packet Injection with Scapy
        • Packet Sniffing with Raw Sockets
        • Programming with Scapy
  • Operating Systems
    • Windows*
    • Linux
      • System Structure
      • VI Text Editor
      • Working with the Linux Shell
      • Managing Users and Groups
      • Managing Files and Directories
  • Networks
    • Page 1
Powered by GitBook
On this page
  1. PenTesting
  2. Web Pentesting

Business Logic Vulnerabilities

  • Excessive trust in client-side controls

    in this case developer assume that user will interact with app via web interface only hence he validates inputs in client side only .

    Contexts example :

    • baskets in online markets

    • 2FA "two factor authentication"

  • Failing to handle unconventional input

    Contexts example :

    • negative input on shop card

    • null attack to break items limit

    • truncate input to fit variable "over load input"

  • Making flawed assumptions about user behavior

    Contexts example :

    • update normal email to corporate domain with out validation

  • Users won't always supply mandatory input

    Contexts example :

    • delete current password field when reset password

  • Users won't always follow the intended sequence

    • /cart/order-confirmation?order-confirmation=true if we add items after this transaction and resend it may be accepted

    • drop user-role request and developer set it admin by default

  • Domain-specific flaws

    • use coupons more than one time by alter between two coupons

    • buy an infinite gift cards repeat process using burp macros

PreviousFile InclusionNextHTTP Host header attacks

Last updated 3 years ago