Business Logic Vulnerabilities

Harshit
Oct 15, 2021


How do Attackers Exploit Business Logic Problems?

Unlike most exploits, we can't point to specific lines of code that cause this vulnerability. Instead, it comes down to users taking actions that were not anticipated and that the program doesn't know how to handle. As an example, let's say a banking application allows users to transfer money to other accounts. But instead of sending money, a malicious user tries to send a negative amount to another account. How will the banking application react? Will it crash? Will it deny the transfer? Or might it actually send money back to the user who initiated the transfer to balance that negative number?

E-commerce sites are particularly, though not uniquely, susceptible to business logic flaws because they are designed to be used by many users and have many components. Users cancelling orders unexpectedly, trying to apply a single coupon multiple times or even overloading their shopping carts can present applications with conditions that have not been anticipated. There is really no way to know how a program will react when confronted with an unknown situation. The best-case scenario might be an error message, but there is no guarantee that an app won't take a worse action, such as providing merchandise for free.
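The negative-transfer case from the banking example above, as an added example (not code from the original post): `transfer_naive` checks only for sufficient funds, while `transfer_checked` states the business rules explicitly. The function names, account names and balances are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

class TransferError(Exception):
    """Raised when a transfer request violates a business rule."""

def transfer_naive(balances, src, dst, amount):
    # Only checks that the sender can cover the amount. A negative amount
    # passes this check and reverses the direction of the money flow.
    amount = Decimal(amount)
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount

def transfer_checked(balances, src, dst, amount):
    # Parse strictly: reject anything that is not a finite decimal number.
    try:
        amount = Decimal(str(amount))
    except InvalidOperation:
        raise TransferError("amount is not a number") from None
    if not amount.is_finite():
        raise TransferError("amount must be finite")
    # Business rules the naive version left implicit.
    if amount <= 0:
        raise TransferError("amount must be positive")
    if amount.as_tuple().exponent < -2:
        raise TransferError("amount has more than two decimal places")
    if src == dst:
        raise TransferError("source and destination must differ")
    if src not in balances or dst not in balances:
        raise TransferError("unknown account")
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount

def demo():
    # Constructed sample accounts, one copy per implementation.
    naive = {"alice": Decimal("100.00"), "bob": Decimal("100.00")}
    transfer_naive(naive, "alice", "bob", "-50.00")
    checked = {"alice": Decimal("100.00"), "bob": Decimal("100.00")}
    try:
        transfer_checked(checked, "alice", "bob", "-50.00")
        outcome = "accepted"
    except TransferError as exc:
        outcome = str(exc)
    return naive, checked, outcome
```

With the naive version the sender's balance grows by the amount taken from the recipient; the checked version rejects the request before any balance changes.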

Why are Business Logic Problems Dangerous?

Business logic problems can be extremely dangerous because they can be exploited by anyone, even someone with no programming or hacker training. It really only requires experimentation and time, clicking around and attempting to find flaws in the way an application is designed to respond. And once a malicious user discovers a flaw in the business logic of a site, you can bet they will exploit it as much as possible.

The biggest danger is normally financial, such as a user purchasing 20 big screen televisions without paying for them. But business logic flaws can also cause other issues. For example, if the password function protecting a site does not know what to do when a user constantly hits cancel, it might let them bypass the login process altogether.

There is really no way to anticipate how much damage a business logic problem could cause. Often the first indication of a problem comes long after users have exploited it.
