Insufficient Process Validation

Page history last edited by Robert Auger 10 years, 6 months ago

Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-40

Insufficient Process Validation occurs when a web application fails to prevent an attacker from circumventing the intended flow or business logic of the application. When seen in the real world, insufficient process validation has resulted in ineffective access controls and monetary loss.

There are two main types of processes that require validation: flow control and business logic.

 

"Flow control" refers to multi-step processes in which the user must perform each step in a specific order. When an attacker performs a step incorrectly, skips it, or performs steps out of order, access controls may be bypassed and the application's state may be left in an inconsistent condition (for example, a benefit granted before the step that pays for it has completed). Examples of multi-step processes include wire transfers, password recovery, purchase checkout, and account sign-up.
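The following is an added example, not code from the WASC page or from any of the sites named below. It models a hypothetical sign-up promotion in the shape of the Yahoo case: register, verify e-mail, deposit at least 30, then claim a 50 bonus. The step names, amounts, session layout and the `deposit_confirmed` hidden field are assumptions for illustration. The vulnerable handler trusts a client-supplied field to decide whether the deposit happened; the hardened handler keeps progress only in server-side state, allows each step once, and re-checks the deposit itself before paying.

```python
"""Added example (not from the WASC page): server-side step ordering for a
multi-step sign-up flow. Steps, amounts and field names are hypothetical."""

MIN_DEPOSIT = 30
BONUS = 50

# Server-side transition table: each step names the step that must be the most
# recently completed one. The client never tells the server where it is.
REQUIRED_PREVIOUS = {
    "register": None,
    "verify_email": "register",
    "deposit": "verify_email",
    "claim_bonus": "deposit",
}


class FlowError(Exception):
    """Raised when a request arrives for a step the session has not earned."""


def vulnerable_handle(session, step, data):
    """Vulnerable: decides whether the deposit happened from a hidden form
    field ('deposit_confirmed') that the deposit page is supposed to set.
    An attacker simply sends the field without ever visiting that page."""
    if step == "deposit":
        session["balance"] = session.get("balance", 0) + data.get("amount", 0)
    elif step == "claim_bonus":
        if data.get("deposit_confirmed") != "yes":
            raise FlowError("deposit first")
        session["balance"] = session.get("balance", 0) + BONUS
    return f"{step} ok"


def hardened_handle(session, step, data):
    """Hardened: ordering comes from the server-side 'done' list, each step
    runs at most once, and the bonus is re-validated against server state."""
    if step not in REQUIRED_PREVIOUS:
        raise FlowError(f"unknown step {step!r}")
    done = session.setdefault("done", [])
    if step in done:
        raise FlowError(f"step {step!r} already completed")   # no replay
    prev = REQUIRED_PREVIOUS[step]
    if prev is not None and (not done or done[-1] != prev):
        raise FlowError(f"step {step!r} requires {prev!r} to be the last completed step")

    if step == "deposit":
        amount = data.get("amount", 0)
        if amount < MIN_DEPOSIT:
            raise FlowError(f"deposit of {amount} is below the minimum of {MIN_DEPOSIT}")
        session["balance"] = session.get("balance", 0) + amount
        session["deposited"] = amount
    elif step == "claim_bonus":
        # The ordering check alone is not enough; confirm the deposit amount
        # from server state, never from the request.
        if session.get("deposited", 0) < MIN_DEPOSIT:
            raise FlowError("bonus requires a qualifying deposit")
        session["balance"] = session.get("balance", 0) + BONUS

    done.append(step)
    return f"{step} ok"


def run_attack(handler):
    """Skip the deposit step and claim the bonus with a forged hidden field.
    Returns the resulting balance, or the rejection message."""
    session = {}
    try:
        handler(session, "register", {})
        handler(session, "verify_email", {})
        handler(session, "claim_bonus", {"deposit_confirmed": "yes"})
        return session.get("balance", 0)
    except FlowError as exc:
        return str(exc)


def run_honest(handler):
    """Walk the intended order once; returns the final balance."""
    session = {}
    for step, data in [("register", {}), ("verify_email", {}),
                       ("deposit", {"amount": 30}), ("claim_bonus", {})]:
        handler(session, step, data)
    return session["balance"]


def run_replay(handler):
    """Honest walk, then try to claim the bonus a second time.
    Returns the balance after the replay, or the rejection message."""
    session = {}
    for step, data in [("register", {}), ("verify_email", {}),
                       ("deposit", {"amount": 30}), ("claim_bonus", {})]:
        handler(session, step, data)
    try:
        handler(session, "claim_bonus", {})
        return session["balance"]
    except FlowError as exc:
        return str(exc)


if __name__ == "__main__":
    print("vulnerable, deposit skipped:", run_attack(vulnerable_handle))
    print("hardened, deposit skipped:  ", run_attack(hardened_handle))
    print("hardened, honest:           ", run_honest(hardened_handle))
    print("hardened, bonus replayed:   ", run_replay(hardened_handle))
```

The table `REQUIRED_PREVIOUS` is the control: it lives on the server, and a request is judged against what the session has actually done, not against anything the browser asserts. Note that ordering alone is not the whole check; the hardened handler also re-reads the deposited amount from the session, so a future change that lets a zero-value deposit "complete" the step still would not pay the bonus.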

 

"Business logic" refers to the context in which a process executes as governed by the business requirements. Exploiting a business logic weakness requires knowledge of the business; if no such knowledge is needed to exploit it, then most likely it isn't a business logic flaw.[1] Because the rule being violated exists only in the business requirements, automated scanners, and code review that is not informed by those requirements, will not find this class of weakness. One approach to testing is offered by OWASP in their Testing Guide.[2]
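The following is an added example, not code from the WASC page, OWASP, or any brokerage. It encodes a business rule of the kind no scanner could infer, in the shape of the E-Trade/Schwab micro-deposit case listed below: an external bank account may be linked to at most one customer, a customer may link only a small number of accounts, and each link triggers verification micro-deposits. The `LinkRegistry` class, the limits, the account numbers and the normalization rules are assumptions for illustration.

```python
"""Added example (not from the WASC page): enforcing a cross-customer
business invariant on bank account linking. Class, limits and sample
account numbers are hypothetical."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAX_LINKS_PER_CUSTOMER = 2          # assumed business limit
MAX_UNVERIFIED_PER_CUSTOMER = 3     # assumed limit on outstanding micro-deposit checks


class BusinessRuleViolation(Exception):
    """A request that is syntactically valid but violates a business rule."""


def canonical_account(routing: str, account: str) -> tuple[str, str]:
    """Normalize so that '021-000-021'/'000123' and '021000021'/'123' compare
    equal. Without this, cosmetic variants of one account defeat uniqueness."""
    r = re.sub(r"\D", "", routing)
    a = re.sub(r"\D", "", account).lstrip("0") or "0"
    if len(r) != 9:
        raise BusinessRuleViolation("routing number must be 9 digits")
    if not a:
        raise BusinessRuleViolation("account number is empty")
    return r, a


@dataclass
class LinkRegistry:
    owner_of: dict = field(default_factory=dict)    # (routing, account) -> customer
    links: dict = field(default_factory=dict)       # customer -> set of (routing, account)
    unverified: dict = field(default_factory=dict)  # customer -> outstanding verifications

    def link(self, customer: str, routing: str, account: str) -> tuple[str, str]:
        """Link an external bank account to a customer, or raise."""
        key = canonical_account(routing, account)
        owner = self.owner_of.get(key)
        if owner is not None and owner != customer:
            # The rule the attacker exploited: one bank account, many customers.
            raise BusinessRuleViolation("bank account is already linked to another customer")
        mine = self.links.setdefault(customer, set())
        if key in mine:
            return key                                   # idempotent re-link
        if len(mine) >= MAX_LINKS_PER_CUSTOMER:
            raise BusinessRuleViolation("customer has too many linked accounts")
        if self.unverified.get(customer, 0) >= MAX_UNVERIFIED_PER_CUSTOMER:
            raise BusinessRuleViolation("too many unverified links outstanding")
        self.owner_of[key] = customer
        mine.add(key)
        # Micro-deposits would be sent here; count them so they cannot be farmed.
        self.unverified[customer] = self.unverified.get(customer, 0) + 1
        return key

    def mark_verified(self, customer: str) -> None:
        """Called when the customer confirms the micro-deposit amounts."""
        if self.unverified.get(customer, 0) > 0:
            self.unverified[customer] -= 1


def simulate_abuse(n_customers: int) -> int:
    """Count how many distinct customers manage to link the same bank
    account, each trying a different cosmetic spelling of it."""
    reg = LinkRegistry()
    spellings = ["021000021/123", "021-000-021/0123", "021 000 021/000123"]
    linked = 0
    for i in range(n_customers):
        routing, acct = spellings[i % len(spellings)].split("/")
        try:
            reg.link(f"cust{i}", routing, acct)
            linked += 1
        except BusinessRuleViolation:
            pass
    return linked


if __name__ == "__main__":
    print("customers sharing one bank account:", simulate_abuse(10_000))   # 1
```

The check that matters is the `owner_of` lookup across all customers, which is exactly what a per-request input validator cannot express: every individual request in the abuse loop is well-formed. The normalization step is the part most often forgotten; a uniqueness constraint on the raw string would still have been bypassed by punctuation and leading zeros.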

 

Flow Control Examples

  • Yahoo had a promotional offer where, if you deposited USD $30 into an advertising account, Yahoo would add an additional USD $50 to that account. The sign-up process could be circumvented so that the USD $50 was credited even when the requisite USD $30 was never deposited.[3]
  • Tower Records' form validation assumed that the user would fill out a form in the order presented, but in reality, some users filled out the bottom portion first, triggering a bug that wasn't caught during development and resulted in the loss of sales.[4]
  • YouTube restricts some videos to users who are 18 or older on its own site. However, when the same video is embedded in another site, the process that filters the videos is bypassed, allowing anyone of any age to view it.[5]
  • MySpace restricts access to private user photos, but when they launched a new service that allowed sharing of data with Yahoo, the process contained a flaw that allowed access to private user photos via Yahoo.[6]
  • AT&T offered free wi-fi service to iPhone users. To distinguish iPhone users from everyone else, AT&T relied on the browser's user-agent string and an iPhone phone number. By changing the user-agent and supplying the phone number of any iPhone account, users of other devices were able to obtain the free wi-fi service.[7]

 

Business Logic Examples

  • E-trade and Schwab, in their sign-up process, failed to enforce a limit on how many brokerage accounts could be linked to a single bank account. An attacker opened tens of thousands of accounts tied to the same bank account and collected the verification micro-deposits sent to each one, for a loss of roughly USD $50,000.00.[8]
  • QVC lost more than USD $412,000.00 when a woman discovered she could purchase items via the QVC website, immediately cancel her order, and still receive the items.[9]
  • An attacker posing as a legitimate eBay buyer was able to purchase a computer, remove expensive components from it, then return it as "destroyed" to the seller, successfully bypassing business policy controls for eBay, Paypal and UPS.[10]

 

Additional Examples

  • Please see the Web Hacking Incidents Database for additional, real-world examples.[11]

 

References

OWASP: Business logic vulnerability

[1] http://www.owasp.org/index.php/Business_logic_vulnerability

 

OWASP: Testing for business logic (OWASP-BL-001)

[2] http://www.owasp.org/index.php/Testing_for_business_logic

 

Yahoo SEM Logic Flaw

[3] http://ha.ckers.org/blog/20080616/yahoo-sem-logic-flaw/

 

Tower Records Tunes Its Site

[4] http://www.storefrontbacktalk.com/story/021005tower.php

 

Youtube’s 18+ Filters Don’t Work

[5] http://www.darkseoprogramming.com/2008/06/01/youtubes-18-filters-dont-work/

 

Paris and Lindsay Hacked Again (There’s a Lesson Here, Really)

[6] http://blogs.wsj.com/biztech/2008/06/03/paris-and-lindsay-hacked-again-theres-a-lesson-here-really/

 

Apple and AT&T providing free Wi-Fi access to iPhone users and oops… to everyone else as well!

[7] http://blogs.zdnet.com/security/?p=1067

 

Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'

[8] http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html

 

Woman admits to exploiting glitch on QVC site

[9] http://www.msnbc.msn.com/id/21534526/

 

New eBay Fraud

[10] http://www.schneier.com/blog/archives/2009/03/new_ebay_fraud.html

 

Web Hacking Incidents Database (WHID): Insufficient Process Validation

[11] http://whid.webappsec.org/whid-list/Insufficient+Process+Validation
