4.13. Logic Vulnerability / Business Vulnerability

4.13.1. Introduction

Logic vulnerabilities are vulnerabilities that arise when loose program logic mishandles some branch of a business flow.

In practice, uneven developer skill, weak security awareness and fast-moving business requirements mean that internal testing often lags behind, so vulnerabilities of this kind are common.

4.13.2. Installation Logic

  • Check whether the "already installed" check can be bypassed to reinstall

  • Check whether the installation files leak information

  • Check whether the update function leaks information

4.13.3. Transactions

4.13.3.1. Purchase

  • Modify the price paid

  • Modify the payment status

  • Modify the purchase quantity to a negative number

  • Modify the amount to a negative number

  • Replay a successful request

  • Improper handling of concurrency and database locking
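The purchase items above share one root cause: the server trusts values the client can edit. The following is an added example (not code from the original checklist) of server-side order handling that recomputes the total from catalog prices, rejects non-positive quantities and totals, refuses replayed request ids, and enforces a payment-status state machine. The catalog, the request-id set and the order store are constructed in memory for the demo; in production the idempotency key would live in the database under a unique constraint so that concurrent replays are also rejected.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample catalog: the only price source the server trusts.
CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}

# Allowed payment-status transitions; a client can never set status directly.
ALLOWED_TRANSITIONS = {
    "created": {"paid", "cancelled"},
    "paid": {"shipped", "refunded"},
    "shipped": set(),
    "cancelled": set(),
    "refunded": set(),
}


@dataclass
class OrderStore:
    processed_requests: set = field(default_factory=set)  # idempotency keys seen
    orders: dict = field(default_factory=dict)


def compute_total(items):
    """Recompute the total from catalog prices; any client-sent price is ignored."""
    total = Decimal("0")
    for sku, qty in items:
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        # Reject zero, negative, boolean and non-integer quantities.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            raise ValueError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty
    return total


def create_order(store, request_id, user_id, items, client_total):
    """Create an order; rejects replays, bad quantities and tampered totals."""
    if request_id in store.processed_requests:
        raise ValueError("duplicate request id (replay)")
    total = compute_total(items)
    if total <= 0:
        raise ValueError("order total must be positive")
    # The client echoes the total it was shown; a mismatch means tampering.
    if Decimal(str(client_total)) != total:
        raise ValueError(f"client total {client_total} != server total {total}")
    store.processed_requests.add(request_id)
    order_id = f"order-{len(store.orders) + 1}"
    store.orders[order_id] = {"user": user_id, "total": total, "status": "created"}
    return order_id, total


def transition(store, order_id, new_status):
    """Move an order through the state machine; illegal jumps are refused."""
    order = store.orders[order_id]
    if new_status not in ALLOWED_TRANSITIONS[order["status"]]:
        raise ValueError(f"illegal transition {order['status']} -> {new_status}")
    order["status"] = new_status
    return order["status"]
```

The key design choice is that the request carries only SKUs, quantities and an idempotency key; price and status are derived or controlled entirely on the server.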

4.13.3.2. Business Risk Control

  • Coupon abuse (mass redemption)

  • Cashing out

4.13.4. Accounts

4.13.4.1. Registration

  • Overwriting an existing account by registering it again

  • Attempting to register a duplicate username

  • Enumerating existing accounts through the registration check

4.13.4.2. Password

  • Passwords are not stored using a hashing algorithm

  • The strength of the user-chosen password is not checked

4.13.4.3. Email Username

  • Leading and trailing spaces

  • Letter-case conversion

4.13.4.5. Mobile phone username

  • Leading and trailing spaces

  • The +86 country-code prefix
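The registration, e-mail and mobile-number items above all reduce to one defence: canonicalise the identifier before the uniqueness check, so that surrounding whitespace, letter case or an optional "+86" prefix cannot produce a second account for the same person. The following is an added example (not code from the original checklist). The accepted phone format (+86 followed by an 11-digit mobile number) and the lower-casing of the e-mail local part are assumptions made for the demo.

```python
import re
import unicodedata

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_email(raw):
    """Trim, Unicode-normalise and lower-case an e-mail address.
    Lower-casing the local part is an assumption (most providers ignore case)."""
    s = unicodedata.normalize("NFKC", raw).strip()
    if not EMAIL_RE.match(s):
        raise ValueError(f"invalid e-mail address: {raw!r}")
    local, domain = s.rsplit("@", 1)
    return f"{local.lower()}@{domain.lower()}"


def canonical_phone(raw):
    """Normalise a Chinese mobile number to the form +86XXXXXXXXXXX (assumed format)."""
    s = re.sub(r"[\s\-()]", "", unicodedata.normalize("NFKC", raw))
    if s.startswith("00"):                        # international dialling prefix
        s = "+" + s[2:]
    if not s.startswith("+"):
        if len(s) == 13 and s.startswith("86"):   # country code without '+'
            s = "+" + s
        elif len(s) == 11 and s.startswith("1"):  # domestic mobile number
            s = "+86" + s
    if not re.fullmatch(r"\+861\d{10}", s):
        raise ValueError(f"unsupported phone number: {raw!r}")
    return s


def canonical_identifier(raw):
    """Pick the canonicaliser by identifier type."""
    return canonical_email(raw) if "@" in raw else canonical_phone(raw)


def register(users, raw_identifier):
    """Register an account keyed by the canonical identifier.
    users is a constructed in-memory dict (canonical identifier -> account);
    a real deployment would put a unique index on the canonical column."""
    key = canonical_identifier(raw_identifier)
    if key in users:
        raise ValueError("identifier already registered")
    users[key] = {"identifier": key}
    return key
```

Because the duplicate check necessarily reveals whether an identifier exists, the registration endpoint should also be rate-limited and should not vary its response timing or wording in other ways, or it becomes the account-enumeration oracle named in the registration list.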

4.13.4.6. Login

  • Credential stuffing
    • Add mechanisms such as an unusual-location (remote) login check

  • Account hijacking

  • Malicious password attempts that lock the victim's account
    • Both a locking mechanism and an unlocking mechanism are required

  • Insecure transmission channel

  • Login credentials stored in an insecure location
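The lockout items above pull in opposite directions: a lock that never releases lets an attacker deny service to any account just by failing the password repeatedly, while no lock at all lets them guess freely. The following is an added example (not code from the original checklist) of a temporary lock that opens automatically after a fixed window and is cleared by a successful login. The thresholds and the injectable clock are constructed demo settings; the unusual-location check from the list is not covered here.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 5     # consecutive failures before the account is locked
LOCK_SECONDS = 900   # temporary lock; a permanent lock is a denial-of-service lever


@dataclass
class LoginGuard:
    clock: Callable[[], float] = time.time
    failures: dict = field(default_factory=dict)      # account -> failure count
    locked_until: dict = field(default_factory=dict)  # account -> unlock timestamp

    def is_locked(self, account):
        """True while a lock is active; an expired lock unlocks and resets the count."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCK_SECONDS
        return count

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(guard, account, password, check_password):
    """Return "locked", "failed" or "ok". check_password(account, password) is the
    caller's credential check (assumed to exist; constant-time and hashed)."""
    if guard.is_locked(account):
        return "locked"
    if check_password(account, password):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "locked" if guard.is_locked(account) else "failed"
```

The lock check comes before the password check, so a correct password submitted during the lock window is refused as well; that is what makes the window a real brake on guessing rather than a cosmetic one.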

4.13.4.7. Retrieve password

  • Reset any user's password

  • The new password is included in the response after a password reset

  • Token verification logic lives in the front end

  • Incorrect handling of X-Forwarded-Host

  • The password recovery function leaks sensitive user information

4.13.4.8. Change Password

  • Changing the password without authorization

  • Changing the password without verifying the old password

4.13.4.9. Appeal

  • Identity forgery

  • Logic bypass

4.13.4.10. Update

  • Improper permission restrictions allow unauthorized queries

  • Improper permission restrictions allow unauthorized modification

4.13.4.11. Information query

  • Improper permission restrictions allow unauthorized queries

  • User information IDs are guessable, allowing traversal

4.13.5. 2FA

  • Automatic login without 2FA after a password reset

  • OAuth login does not require 2FA even when it is enabled

  • The 2FA code can be brute-forced

  • 2FA race condition

  • Modify the response value to bypass 2FA

  • The activation link does not enable 2FA

  • 2FA can be disabled via CSRF

4.13.6. Verification Code

  • The captcha can be reused

  • The captcha is predictable

  • The verification code is not strong enough

  • The verification code has no expiry, or expires only after a long time

  • There is no limit on the number of guesses for the verification code

  • Passing special parameters, or omitting the parameter, bypasses the verification code

  • The verification code can be read directly from the response

  • The verification code is not refreshed or never invalidated

  • The set of possible verification codes is small

  • The verification code is returned in the response body

  • Modify the cookie to bypass

  • Modify the response to bypass

  • The verification code is generated or verified on the client side

  • The captcha can be recognised by OCR or machine learning

  • The verification-code endpoint can be used for SMS/e-mail bombing
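Most of the verification-code items above are properties of one component, so they are easiest to see together. The following is an added example (not code from the original checklist) of an SMS/e-mail code service in which codes come from the OS CSPRNG, expire, are single-use, allow a bounded number of guesses, are compared server-side in constant time, are never placed in the HTTP response, and can only be sent at a limited rate per destination so the endpoint cannot be used for SMS bombing. The limits and the injectable clock are constructed demo settings.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300       # code expires after five minutes
MAX_VERIFY_ATTEMPTS = 5      # after this many guesses the code is invalidated
MIN_SEND_INTERVAL = 60       # at most one send per destination per minute
MAX_SENDS_PER_HOUR = 5       # per destination


@dataclass
class CodeRecord:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class CodeService:
    clock: Callable[[], float] = time.time
    codes: dict = field(default_factory=dict)     # destination -> CodeRecord
    send_log: dict = field(default_factory=dict)  # destination -> [send timestamps]

    def request_code(self, destination):
        """Issue a code for a destination; returns False when rate-limited.
        The code goes out of band via _deliver and never into the HTTP reply."""
        now = self.clock()
        history = [t for t in self.send_log.get(destination, []) if now - t < 3600]
        if history and now - history[-1] < MIN_SEND_INTERVAL:
            return False
        if len(history) >= MAX_SENDS_PER_HOUR:
            return False
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.codes[destination] = CodeRecord(code, now + CODE_TTL_SECONDS)
        history.append(now)
        self.send_log[destination] = history
        self._deliver(destination, code)
        return True

    def _deliver(self, destination, code):
        """Placeholder for the SMS/e-mail gateway (assumed external system)."""

    def verify(self, destination, submitted):
        """Server-side check: expiry, attempt budget, constant-time compare, single use."""
        now = self.clock()
        rec = self.codes.get(destination)
        if rec is None:
            return False
        if now > rec.expires_at:
            del self.codes[destination]
            return False
        rec.attempts += 1
        if rec.attempts > MAX_VERIFY_ATTEMPTS:
            del self.codes[destination]
            return False
        if hmac.compare_digest(rec.code, submitted):
            del self.codes[destination]  # single use
            return True
        return False
```

With six digits and five guesses, a single code survives brute force with overwhelming probability; without the attempt budget the same code would fall to at most a million requests, which is why the guess limit and the expiry belong together.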

4.13.7. Session

  • Session mechanism

  • Session guessing / brute-forcing

  • Session forgery

  • Session leakage

  • Session fixation

4.13.8. Privilege Bypass (Unauthorized Access)

  • Unauthorized access
    • Static files

    • Access is blocked only for specific URLs

  • Horizontal privilege escalation
    • An attacker can access the resources of another user who has the same permissions

    • The permission type stays the same, but the ID changes

  • Vertical privilege escalation
    • A low-privileged attacker can access the resources of high-privileged users

    • The permission ID stays the same, but the type changes

  • Cross privilege escalation
    • Both the permission ID and the type change
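The horizontal, vertical and cross cases above are the same check applied to two different dimensions: who owns the object (ID) and what role the caller holds (type). The following is an added example (not code from the original checklist) of server-side authorization in which the caller's identity comes from the session object rather than from the request, ownership is checked for per-user resources, a role level is checked for privileged resources, and "not found" and "not yours" return the same error so the ID space cannot be probed. The users, orders, reports and role levels are constructed sample data.

```python
from dataclasses import dataclass

ROLE_LEVEL = {"user": 1, "support": 2, "admin": 3}


@dataclass(frozen=True)
class User:
    id: str
    role: str


# Constructed sample data: per-user orders and a role-gated report.
ORDERS = {
    "order-1001": {"owner": "u1", "total": "44.98"},
    "order-1002": {"owner": "u2", "total": "5.00"},
}
REPORTS = {"monthly-revenue": {"min_role": "admin"}}


class Forbidden(Exception):
    pass


def get_order(current_user, order_id):
    """Horizontal check: the caller must own the order (admins may see all)."""
    order = ORDERS.get(order_id)
    not_owner = order is not None and order["owner"] != current_user.id
    if order is None or (not_owner and current_user.role != "admin"):
        # Same error for "missing" and "not yours": no oracle for ID enumeration.
        raise Forbidden("order not accessible")
    return order


def get_report(current_user, report_id):
    """Vertical check: the caller's role level must reach the report's minimum."""
    report = REPORTS.get(report_id)
    if report is None or ROLE_LEVEL[current_user.role] < ROLE_LEVEL[report["min_role"]]:
        raise Forbidden("report not accessible")
    return report


def update_profile(current_user, target_user_id, fields):
    """Update: the target must be the session user, and role is never client-editable
    (a role field in the body is the vertical half of a cross-privilege attempt)."""
    if target_user_id != current_user.id:
        raise Forbidden("cannot modify another user")
    if "role" in fields:
        raise Forbidden("role is not user-editable")
    return {"user": target_user_id, **fields}
```

A common implementation mistake is to read the user ID from a hidden form field or a query parameter that the client can change; every function above takes `current_user` from the server session and only ever compares it against the requested object.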

4.13.9. Random Number Security

  • Using an insecure random number generator

  • Using easily guessable values, such as the current time, as the random seed
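The random-number items above and the session items in 4.13.7 meet in the session identifier: a guessable generator makes session guessing possible, and reusing the pre-login identifier after login is what enables session fixation. The following is an added example (not code from the original checklist) that contrasts a time-seeded PRNG token with one drawn from the OS CSPRNG, and rotates the session id on login. The in-memory store is a constructed stand-in for a real session backend.

```python
import random
import secrets

SESSION_ID_BYTES = 32  # 256 bits of entropy per session id


def weak_token(seed):
    """Insecure pattern from the checklist: a PRNG seeded with a guessable value
    (for example the current second) yields the same token for anyone who knows
    the seed, so a session id built this way can be reproduced, not just guessed."""
    rng = random.Random(seed)
    return "".join(rng.choice("0123456789abcdef") for _ in range(32))


def strong_token():
    """Secure pattern: the OS CSPRNG via the secrets module; not reproducible."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": user id or None}

    def anonymous(self):
        """Pre-login session, for example for a shopping cart."""
        sid = strong_token()
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user_id):
        """Rotate the id when privilege changes: the pre-login id, which an
        attacker could have planted in the victim's browser, is discarded."""
        self.sessions.pop(old_sid, None)
        new_sid = strong_token()
        self.sessions[new_sid] = {"user": user_id}
        return new_sid

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")
```

The same `secrets` call is the right source for order, coupon and password-reset tokens as well: an identifier that is a counter or a timestamp can be enumerated, while 256 random bits cannot.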

4.13.10. Others

  • IDs for users/orders/coupons are generated in a regular pattern and can be enumerated

  • The interface has no permission check or call-count limit

  • Misuse of cryptographic algorithm implementations

  • Execution order

  • Sensitive information leakage