#learn365 Day-30: Common Business Logic Issues (Wrap)
(Cont'd...) 9. Parameter Tampering
- Tamper Payment or Critical Fields to manipulate their values
- Add multiple fields or unexpected fields by abusing HTTP Parameter Pollution & Mass Assignment #bugbountytips#appsec
(1/n)
(2/n)
- Response Manipulation to bypass certain restrictions such as 2FA Bypass
10. App Implementation Logic Abuse
- If an app accepts JSON data, try changing content type to XML and see if the XML data is being processed, it can be left vulnerable to XXE or XML-based attacks.
(3/n)
- If an application is using the DELETE method to delete a resource but there is no CSRF protection, try converting the method to GET/POST and add an additional parameter like ?method=delete
(4/n)
- In the above case if any user ID is going in the request, try bypassing method-based restrictions by adding parameters like X-Method-Override.
- If you see a UUID, try to replace with similar mapping such as 1,2,3.. often UUID mapping is accepted by the applications.
(5/n)
- Try the HEAD method to bypass the authentication restrictions.
11. Denial of Service Situations
- Resource Exhaustion
- Weak Account Lockout Mechanisms
- Kicking out a user/banning a user somehow from accessing the application.
(6/n)
- Application Level DoS by abusing the various functionalities present within the application.
In a nutshell, business logic absuse is a special class of vulnerabilities that I personally feel has no end.
(n/n)
Every application might have some different or special logics which are unique to them and it's always fun to abuse them and circumvent their original workflow.
If I will remember more techniques or interesting test cases, I will add them down to this thread itself.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
(2/n)
- Pay for a premium feature and cancel your subscription. If you get a refund but the feature is still usable, it's a monetary impact issue.
- Some applications use true-false request/response values to validate if a user is having access to premium features or not.
(3/n)
- Try using Burp's Match & Replace to see if you can replace these values whenever you browse the app & access the premium features.
- Always check cookies or local storage to see if any variable is checking if the user should have access to premium features or not.
I'll try to cover some of the interesting business logic flaws that I usually test and have encountered so far today & in the next couple of days. Feel free to add more if you know any. #bugbountytips#appsec#websecurity
(1/n)
(2/n)
1. Review Functionality
- Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product.
(3/n)
- Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve.
- Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions.
1. Weak Cryptography in Password Reset Tokens
- Always check randomness in password reset tokens. It is also a good idea to check password reset tokens against known schemes.
Ref: medium.com/bugbountywrite… #bugbountytips
(1/n)
(2/n) 2. Reusable Password Reset Tokens
- Use the token once and try to re-use it again.
- Request a new token and try if the old one is still active.
- Check how long a token stays alive. If it's >1 day and is reusable, you may report it.
(3/n) 3. IDOR (ATO)
- In the password reset link, assume there is something like this: harshbothra.tech/reset?token=so…
- try changing the value of the user parameter to the victim and see If the attack token can be used for resetting the victim's password. harshbothra.tech/reset?token=so…
Pentesting GraphQL may look hard if you are not familiar but there is still a lot to explore and exploit once you understand how it works. Today, It's all about continue reading and some good resources.
#learn365 Day-21: GraphQL Vulnerabilities (Part-2) 1. Information Disclosure via Error Messages
- Similar to the normal information disclosure via error triggering.
- Provide malformed or unexpected input within GraphQL queries.
(2/n)
- Sometimes you may observe verbose error messages revealing sensitive information.
2. GraphQL Denial of Service
- Due to an improper limit on the maximum query depth, it might be possible to perform a denial of service in graphql implementation.
(3/n)
- Nest a query to unlimited depth and send this query on a GraphQL endpoint to observe anything suspicious.
- A good example: owasp-skf.gitbook.io/asvs-write-ups…
#learn365 Day-20: GraphQL Series Part - 1
- GraphQL is a query language for the underlying API.
- A single endpoint can be used as a query API to perform all the actions including Create, Read, Update & Delete.
(2/n)
- GraphQL has its own type of system that’s used to define the schema of an API. The syntax for writing schemas is called Schema Definition Language (SDL).
# A GraphQL operation can be of type: 1. query (a read-only fetch) 2. mutation (a write followed by fetch)
(3/n) 3. subscription (a long‐lived request that fetches data in response to source events.)
- A GraphQL document can contain one or more of these operations (i.e multiple queries/mutations/subscriptions).
- Mutations queries modify data in the data store and returns a value.