Logical vulnerabilities


1 Logical vulnerabilities
Web Village Beched

2 Logic vulns?
Wide range of vulnerability types
Vague definition
How do they differ from other bugs?

3 Most vulnerabilities are injections
Injections change the way some executable text is parsed
Thus, they break the intended syntax tree of the program

4 Abstract Syntax Tree

5 Logical vulnerabilities
Logical vulns make the application do something unexpected
It can be breaking authorization, transaction integrity or process sequence
Thus, they usually do not create new execution paths
Instead, they exploit the existence of unintended paths in the CFG

6 Control Flow Guard

7 Input validation

8 Input validation
Input validation is useful not only against injections
Type juggling is painful
There are lots of ways you can exploit a coding mistake without injecting new code
Reason: the application expects input of type A with certain constraints but doesn't validate that

9 Examples

10 Input validation

11 Input validation

12 Input validation
String to integer conversion may lead to unexpected assertions
For example, in MySQL 0 = "asd" is true
Real example from one rich hotel
Also remember about SQL column truncation

13 Input validation

14 Input validation

15 Input validation
PHP Warning: strcmp() expects parameter 2 to be string, array given
strcmp('asd', []) returns NULL
NULL == 0 is true
Real example from CSAW CTF scoreboard, lol

16 Input validation

17 Input validation

18 Input validation
round(0.005, 2) = 0.01
Classic! Such bugs still can be found in internet banking systems
Real example from a big bank

19 Input validation

20 Input validation

21 Input validation
Stupid and obvious negative sum transaction
Still can be found in online gaming and other products with custom financial logic
Real example from some Chinese game

22 Input validation

23 Input validation
Merchant's callback may ignore the LMI_PAYMENT_AMOUNT value
We can buy anything for 0.01 WMR
Real old bug from many shops

24 Input validation

25 Input validation

26 Input validation
How to check for such a bug:
Real bug from some payment API

27 Authorization

28 Authorization
Authorization controls often consider only the intended ways of interaction
Often controls are applied only on the client side
Also there may be no controls at all, and objects may have predictable identifiers
Logical vulnerabilities can abuse different aspects of authorization and ACLs
Very typical for mobile interfaces

29 Examples

30 Authorization
Remember the payment gateway?
You can search for the callback location and test it directly
Does it allow requests from any IP address?
Does it properly check the signature?
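As an added example (not code from the talk), a merchant callback handler in the vulnerable shape from slide 23 beside a hardened one that answers the questions on this slide: source IP, signature, amount and replay. LMI_PAYMENT_AMOUNT is the parameter named on the slides; the signature scheme (HMAC-SHA256 over three fields carried in LMI_HASH), the secret, the IP range and the order store are constructed for illustration and are not a real gateway's API.

```python
# Added example (not from the talk): verifying a payment gateway callback.
# LMI_PAYMENT_AMOUNT is the parameter named on the slides; the signature scheme
# (HMAC-SHA256 over three fields, carried in LMI_HASH), the secret, the IP range
# and the order store are constructed for illustration, not a real gateway's API.
import hashlib
import hmac
import ipaddress
from decimal import Decimal, InvalidOperation

SECRET = b"merchant-secret-constructed-for-demo"
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed allowlist
SIGNED_FIELDS = ("LMI_PAYMENT_NO", "LMI_PAYMENT_AMOUNT", "LMI_PAYEE_PURSE")

def new_orders():
    """Constructed order store: order 1001 costs 250.00 and is unpaid."""
    return {"1001": {"amount": Decimal("250.00"), "paid": False}}

def sign(fields):
    """Hypothetical gateway signature over the signed fields joined by ';'."""
    msg = ";".join(fields.get(k, "") for k in SIGNED_FIELDS).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def callback_vulnerable(fields, src_ip, orders):
    """Bug from the slides: trusts the order number alone. Neither the amount,
    nor the signature, nor the source IP is looked at, so 0.01 pays for anything."""
    order = orders.get(fields.get("LMI_PAYMENT_NO"))
    if order is None:
        return False
    order["paid"] = True
    return True

def callback_hardened(fields, src_ip, orders):
    """Accept only from the gateway's IPs, with a valid signature, for a known
    unpaid order, and only if the paid amount equals the stored order amount."""
    if not any(ipaddress.ip_address(src_ip) in net for net in GATEWAY_NETS):
        return False
    # bitwise comparison with no early exit (the strcmp timing issue of slide 43)
    if not hmac.compare_digest(sign(fields).encode(), fields.get("LMI_HASH", "").encode()):
        return False
    order = orders.get(fields.get("LMI_PAYMENT_NO"))
    if order is None or order["paid"]:
        return False                      # unknown order or a replayed callback
    try:
        paid = Decimal(fields["LMI_PAYMENT_AMOUNT"])
    except (KeyError, InvalidOperation):
        return False
    if paid != order["amount"]:
        return False                      # the LMI_PAYMENT_AMOUNT check the shops skipped
    order["paid"] = True
    return True
```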

31 Authorization

32 Authorization
This is Insecure Direct Object Reference, a ubiquitous vulnerability
Parameter fileId is predictable (incrementing integer)
We can view documents of other users
Real bug from a tender platform

33 Authorization

34 Authorization
Administrative interface accessible to everybody
PHP's header() function does not terminate execution
It only redirects the browser
Real bug from a lot of shitty sites

35 Authorization

36 Authorization
Mobile interface lacks 2FA
But the sessions are shared with the main website
Thus we can bypass 2FA if we send an appropriate header mimicking the mobile app
Real bug from an internet banking system

37 Time Magic

38 Time Magic
A lot of logical vulnerabilities exist due to incorrect management of time
Those include:
Timing information leakage
Request reissue, token reuse
Race conditions
. . .

39 Examples

40 Time Magic

41 Time Magic
What if SQL servers get too busy during user_exists() execution?
Real bug from a CMS
Hint: you can find some kind of 0-days with this example

42 Time Magic

43 Time Magic
The standard implementation of the strcmp function in libc is vulnerable to timing attacks
You should use a cryptographically secure bitwise comparison
Such attacks are not very easy to carry out remotely

44 Time Magic
Sequence breaking: omit or shuffle the steps of some process to get unexpected results
For instance, skip user activation after registration and access the site immediately
Or skip the token check for password restore and jump directly to password change
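The password-restore case from this slide as an added example (not code from the talk): a change-password step that trusts a client-supplied step counter, beside one that only proceeds on server-side state set by a successful token check. The class, store layout and method names are assumptions for illustration.

```python
# Added example (not from the talk): enforcing step order in a password-reset flow.
# The session store, token handling and method names are assumptions for illustration.
import hmac
import secrets

class ResetFlow:
    """Server-side state for: request reset -> verify token -> change password."""
    def __init__(self):
        self.tokens = {}               # user -> token issued by request_reset
        self.verified = set()          # users whose token passed verify_token
        self.passwords = {"alice": "old-pw"}   # constructed user store

    def request_reset(self, user):
        token = secrets.token_urlsafe(16)
        self.tokens[user] = token
        return token                   # in reality delivered out of band, e.g. by e-mail

    def verify_token(self, user, token):
        issued = self.tokens.get(user)
        if issued is None or not hmac.compare_digest(issued, token):
            return False
        self.verified.add(user)        # the server records that the step was completed
        return True

    def change_password_vulnerable(self, user, new_pw, step="3"):
        """Bug from the slides: the step counter comes from the client, so a
        request that simply claims to be at step 3 never passes verify_token."""
        if step != "3":
            return False
        self.passwords[user] = new_pw
        return True

    def change_password_hardened(self, user, new_pw):
        """The only way into this branch is a successful verify_token call."""
        if user not in self.verified:
            return False
        self.passwords[user] = new_pw
        self.verified.discard(user)    # one change per verified token
        self.tokens.pop(user, None)    # the token cannot be reused afterwards
        return True
```

The same pattern covers the activation case on the slide: "activated" is a server-side flag set only by the activation step, never a parameter the client sends.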

45 Time Magic

46 Time Magic
Typical race condition vulnerability
Send several requests at once and drain the balance below 0
One should use SQL transactions to fix this
Real bug from different payment systems
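The check-then-act race from this slide and the fix, as an added example (not code from the talk). It uses an in-memory sqlite3 table constructed for the demo; instead of relying on real concurrency, a `between` hook forces the second request to run between the first request's check and its write, so the outcome is deterministic.

```python
# Added example (not from the talk): a balance race and its atomic fix.
# The table, amounts and the `between` hook are constructed for illustration.
import sqlite3

def new_db(balance):
    """Constructed account table with one account holding `balance`."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    db.commit()
    return db

def balance(db):
    return db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]

def withdraw_racy(db, amount, between=None):
    """Bug from the slides: check the balance in one statement, debit in another.
    A second request that runs in between sees the same, not yet debited, balance."""
    (bal,) = db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()
    if bal < amount:
        return False
    if between:
        between()                        # the concurrent request slips in here
    db.execute("UPDATE accounts SET balance = balance - ? WHERE id = 1", (amount,))
    db.commit()
    return True

def withdraw_atomic(db, amount, between=None):
    """Fix: the check and the debit are one statement, so no request can run
    between them; the second withdrawal sees the debited balance and is rejected."""
    if between:
        between()                        # wherever the other request lands, it cannot split check and write
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = 1 AND balance >= ?",
        (amount, amount))
    db.commit()
    return cur.rowcount == 1             # 0 rows means the balance was insufficient
```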

47 Request Forgery

48 Request Forgery
A lot of logical attacks can be classified as request forgery
This is a general name for attacks which send unexpected input to an application
Many examples from this talk are input forgery attacks

49 Cross-Site Request Forgery
Logical vulnerability? Yes, in some way
Requires user interaction
Anyway, often quite underestimated
You can do a lot!
