4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
177<br />
Web Application Penetration Testing<br />
Example 1:<br />
Suppose an e-commerce site allows users to select items to purchase,<br />
view a summary page and then tender the sale. What if an<br />
attacker was able to go back to the summary page, maintaining<br />
their same valid session and inject a lower cost for an item and<br />
complete the transaction, and then check out?<br />
Example 2:<br />
Holding/locking resources and keeping others from purchases<br />
these items online may result in attackers purchasing items at a<br />
lower price. The countermeasure to this problem is to implement<br />
timeouts and mechanisms to ensure that only the correct price<br />
can be charged.<br />
Example 3:<br />
What if a user was able to start a transaction linked to their club/<br />
loyalty account and then after points have been added to their<br />
account cancel out of the transaction? Will the points/credits still<br />
be applied to their account?<br />
Business Logic Test Cases<br />
Every application has a different business process, application<br />
specific logic and can be manipulated in an infinite number of<br />
combinations. This section provides some common examples of<br />
business logic issues but in no way a complete list of all issues.<br />
Business Logic exploits can be broken into the following categories:<br />
4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)<br />
In business logic data validation testing, we verify that the application<br />
does not allow users to insert “unvalidated” data into<br />
the system/application. This is important because without this<br />
safeguard attackers may be able to insert “unvalidated” data/information<br />
into the application/system at “handoff points” where<br />
the application/system believes that the data/information is<br />
“good” and has been valid since the “entry points” performed<br />
data validation as part of the business logic workflow.<br />
4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)<br />
In forged and predictive parameter request testing, we verify<br />
that the application does not allow users to submit or alter data<br />
to any component of the system that they should not have access<br />
to, are accessing at that particular time or in that particular manner.<br />
This is important because without this safeguard attackers<br />
may be able to “fool/trick” the application into letting them into<br />
sections of thwe application of system that they should not be<br />
allowed in at that particular time, thus circumventing the applications<br />
business logic workflow.<br />
4.12.3 Test Integrity Checks (OTG-BUSLOGIC-003)<br />
In integrity check and tamper evidence testing, we verify that the<br />
application does not allow users to destroy the integrity of any<br />
part of the system or its data. This is important because without<br />
these safe guards attackers may break the business logic workflow<br />
and change of compromise the application/system data or<br />
cover up actions by altering information including log files.<br />
4.12.4 Test for Process Timing (OTG-BUSLOGIC-004)<br />
In process timing testing, we verify that the application does not<br />
allow users to manipulate a system or guess its behavior based<br />
on input or output timing. This is important because without this<br />
safeguard in place attackers may be able to monitor processing<br />
time and determine outputs based on timing, or circumvent the<br />
application’s business logic by not completing transactions or<br />
actions in a timely manner.<br />
4.12.5 Test Number of Times a Function Can be Used Limits<br />
(OTG-BUSLOGIC-005)<br />
In function limit testing, we verify that the application does not<br />
allow users to exercise portions of the application or its functions<br />
more times than required by the business logic workflow.<br />
This is important because without this safeguard in place attackers<br />
may be able to use a function or portion of the application<br />
more times than permissible per the business logic to gain additional<br />
benefits.<br />
4.12.6 Testing for the Circumvention of Work Flows (OTG-BUS-<br />
LOGIC-006)<br />
In circumventing workflow and bypassing correct sequence<br />
testing, we verify that the application does not allow users to<br />
perform actions outside of the “approved/required” business<br />
process flow. This is important because without this safeguard<br />
in place attackers may be able to bypass or circumvent workflows<br />
and “checks” allowing them to prematurely enter or skip<br />
“required” sections of the application potentially allowing the<br />
action/transaction to be completed without successfully completing<br />
the entire business process, leaving the system with incomplete<br />
backend tracking information.<br />
4.12.7 Test Defenses Against Application Mis-use (OTG-BUS-<br />
LOGIC-007)<br />
In application mis-use testing, we verify that the application<br />
does not allow users to manipulate the application in an unintended<br />
manner.<br />
4.12.8 Test Upload of Unexpected File Types (OTG-BUSLOG-<br />
IC-008)<br />
In unexpected file upload testing, we verify that the application<br />
does not allow users to upload file types that the system is not<br />
expecting or wanted per the business logic requirements. This is<br />
important because without these safeguards in place attackers<br />
may be able to submit unexpected files such as .exe or .php that<br />
could be saved to the system and then executed against the application<br />
or system.<br />
4.12.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)<br />
In malicious file upload testing, we verify that the application<br />
does not allow users to upload files to the system that are malicious<br />
or potentially malicious to the system security. This is<br />
important because without these safeguards in place attackers<br />
may be able to upload files to the system that may spread viruses,<br />
malware or even exploits such as shellcode when executed.<br />
Tools<br />
While there are tools for testing and verifying that business processes<br />
are functioning correctly in valid situations these tools<br />
are incapable of detecting logical vulnerabilities. For example,<br />
tools have no means of detecting if a user is able to circumvent<br />
the business process flow through editing parameters, predicting<br />
resource names or escalating privileges to access restricted<br />
resources nor do they have any mechanism to help the human