Road To Bounty: #3 August 2024 - Business logic

Introduction
I was at 21% completion of the PortSwigger course. Last month I worked on some vulnerabilities I had not practiced before, and that's what I liked, so this month I will continue on this path.
Week 1
I decided to start the "Business logic vulnerabilities" module. I think that's something I might be familiar with since I'm a full-stack developer, but I've never really worked on it from an attacker's perspective. Usually when I'm thinking about business logic it's because I'm working on a project that I know well, so I instinctively think about what could go wrong. I think the main challenge will be to think about what could go wrong on a project I don't know.
As usual, I started by reading the documentation and did the labs along the way.
I spent around 6 hours on it, and I will continue next week.
Week 2
I continued the “Business logic vulnerabilities” module.
I spent around 1h30 on it, and I will continue next week.
Week 3
I took some time off this week, so I didn’t work on the course.
Week 4
I got back on the "Business logic vulnerabilities" module. I started by doing the "Insufficient workflow validation" lab, which was pretty obvious. I then started the "Authentication bypass via flawed state machine" lab. This one was a bit more challenging.
I spent around 1 hour on the course this week.
Week 5
I started with the "Flawed enforcement of business rules" lab; it took me around 1 hour to complete it. At first I did not see the second coupon, but after a couple of tries I found the solution.
After that I did the "Infinite money logic flaw" lab, which was easy. My method was not that fast, so it took me more time to complete it than to find the flaw. I used the "Burp Intruder" tool to automate the part of the process where I needed to redeem a lot of gift cards.
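The "second coupon" note above is the interesting part of a business-rule flaw: the rule as intended ("a coupon can only be used once per order") and the rule as implemented can differ. As an added example that is not part of this post or of the PortSwigger labs, the Python below models an assumed coupon flow and places a weak enforcement (which only compares against the most recently applied coupon) beside a hardened one (which compares against every coupon already on the order). The coupon codes, percentages and the Order class are constructed for the example.

```python
"""Constructed example: one business rule, two enforcements.

Rule as intended: each coupon code may be applied at most once per order.
The store design, coupon codes and amounts here are assumptions made for
this example; they are not the lab's code.
"""
from dataclasses import dataclass, field

# Constructed sample coupons: code -> percent off the subtotal.
COUPONS = {"SAVE10": 10, "NEWCUST5": 5}


@dataclass
class Order:
    subtotal: int                                  # amount in cents
    applied: list = field(default_factory=list)    # coupon codes applied so far, in order

    def total(self) -> int:
        """Total after all applied discounts, floored at zero so a stack of
        discounts can never turn into a negative (credit-generating) total."""
        pct = sum(COUPONS[code] for code in self.applied)
        return max(0, self.subtotal - self.subtotal * pct // 100)


def apply_coupon_weak(order: Order, code: str) -> bool:
    """Weak enforcement: only rejects a code that matches the coupon applied
    most recently. Alternating two different valid codes passes this check
    every time, so the 'once per order' rule is not actually enforced."""
    if code not in COUPONS:
        return False
    if order.applied and order.applied[-1] == code:
        return False
    order.applied.append(code)
    return True


def apply_coupon_hardened(order: Order, code: str) -> bool:
    """Hardened enforcement: rejects any code already present on the order,
    regardless of what was applied in between. This is the rule as intended."""
    if code not in COUPONS:
        return False
    if code in order.applied:
        return False
    order.applied.append(code)
    return True


def run_sequence(subtotal: int, codes: list, rule) -> tuple:
    """Apply a sequence of coupon codes under a given rule.
    Returns (number of codes accepted, final total in cents)."""
    order = Order(subtotal)
    accepted = sum(1 for code in codes if rule(order, code))
    return accepted, order.total()


if __name__ == "__main__":
    alternating = ["SAVE10", "NEWCUST5", "SAVE10", "NEWCUST5"]
    for name, rule in (("weak", apply_coupon_weak), ("hardened", apply_coupon_hardened)):
        accepted, total = run_sequence(10_000, alternating, rule)
        print(f"{name:8s} accepted={accepted} total={total / 100:.2f}")
```

The test a reviewer would want is the one the weak check fails: replaying the same valid inputs in an order the developer did not picture. Writing the rule as a property of the whole order ("this code is not in `applied`") rather than of the last step is what makes the hardened version hold under any sequence.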
Conclusion
I really liked this month, because business logic vulnerabilities require you to assume what the application is doing and think about what could happen if you do something that was not intended. Then you can imagine a scenario to exploit it. This is close to what I do at work when I create a new feature, except that since I'm the one who created the feature, I don't have to assume how it works.