
Breaking Bad: The Business Logic Vulnerability

PUBLISHED:
May 19, 2025
|
BY:
Sachin Pandey
Ideal for: Developer

A business logic vulnerability is a flaw in an application's design or implementation that lets an attacker use legitimate functionality in a way the application was never meant to allow.

This blog post walks through a high-severity business logic vulnerability found in a split payment and loan application. A missing backend check let users bypass the chat feature that the app disables once a group has been settled. Flaws like this often need nothing more than changing a parameter value in a captured request: the developers assume a state that the UI prevents cannot be reached, but the API behind that UI still accepts the request.

Table of Contents

  1. Introduction
  2. The Security Vulnerability
  3. Discovery
  4. The Impact
  5. How to Secure
  6. Key takeaways

Introduction

While testing an iOS application built with Swift and backed by a REST API, I came across a split payment feature: a user creates a split, invites other users into the split group, and the members chat and add their expenditures and shares in that group. I discovered a business logic vulnerability that lets a user bypass the chat functionality after the split payment has been settled and keep sending messages in the settled group. This post walks through the discovery, the steps to reproduce it, the impact, and how to protect against this class of issue.

The Security Vulnerability:

The vulnerability is a missing server-side check on the group's state. Once the admin marks a group as settled, the UI disables the chat and add-payment features, but the backend endpoint `https://api.redacted..com/_ah/api/v1/comment_add` still processes comment requests when the `txn_uuid` and `obj_uuid` parameters are changed to other values associated with the same group. In other words, the authorization decision was being made in the client; the API never re-checked the group status or whether the supplied UUIDs were valid for the request.

Discovery:

  • I opened the split payment feature, created a group by inviting a user via their contact number, and added a random amount.
  • I added a random comment in the group and intercepted the request (e.g., `https://api.redacted..com/_ah/api/v1/comment_add`) in a proxy tool.
[Figure: Sample POST request for sending the message with the group entity]

  • Once everyone has paid their share to the respective users, the admin has an option to mark the group status as settled.
  • Change the group status to "settled." The comment feature for this group is now disabled in the UI.
  • Open the previously captured request and modify the following parameters:
    • `txn_uuid`: Replace the captured value with a different transaction UUID.
    • `obj_uuid`: Likewise, replace the captured value with a different object UUID.
    • Ensure both the new `txn_uuid` and `obj_uuid` are still associated with the same `group_uuid`.
    • `notes`: Set this parameter to the new message to be sent in the group.
  • The backend accepts the request and the new message is posted on behalf of the user, even though the chat is disabled in the UI.
  • Because these parameters are not validated, a user can also modify the split amounts of other users through the same request.
[Figure: The amount and message are shared even after chat is disabled]

The Impact: Unauthorized Access and Data Modification

This vulnerability can have several negative impacts:

  • Users who are not supposed to post can still send messages in settled groups, which causes confusion, invites misuse from a business perspective, and can lead to financial disputes.
  • Arbitrarily modified `txn_uuid` and `obj_uuid` values that the backend does not validate can leave the stored data inconsistent or trigger unexpected behaviour in the feature.
  • If exploited further, the vulnerability could damage the application's reputation and user trust.


How to Secure:

To prevent this type of vulnerability, the following measures could be taken:

  • Implement authorization checks: Every API endpoint must make its own authorization decision. Verify the caller's permissions and the group's current status on the server before processing any request, especially one that modifies data, amounts, or a user's personal information.
  • Validate input: Treat client-supplied identifiers such as `txn_uuid`, `obj_uuid`, and `group_uuid` as untrusted. Check on the server that they exist, that they belong together, and that the caller is allowed to act on them; reject anything that does not, and validate and sanitize free-text fields such as `notes`.
  • Keep UI and backend state in sync: While testing, confirm that the backend enforces the same state as the UI. If a feature is disabled in the UI, the corresponding API must reject the request as well.
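The following is an added example, not code from this post or from the application it describes. It models the split-payment API in memory and walks the Discovery steps above against two hypothetical `comment_add` handlers: one with the flaw described (the server trusts that the UI already hid the chat) and one that applies the three measures listed here. The class names, handler names, and field checks are assumptions for illustration.

```python
# Added example (not code from the blog post or the application it describes):
# an in-memory model of the split-payment API with a hypothetical comment_add
# handler in its vulnerable shape and in a hardened shape. All names are assumed.
from dataclasses import dataclass, field
import uuid


class ApiError(Exception):
    """Raised where the real API would answer 400/403."""


@dataclass
class Transaction:
    txn_uuid: str
    obj_uuid: str      # the expense/share object a comment is attached to
    group_uuid: str
    payer: str
    amount: float


@dataclass
class Group:
    group_uuid: str
    admin: str
    members: set
    status: str = "open"            # "open" or "settled"
    comments: list = field(default_factory=list)


class SplitStore:
    def __init__(self):
        self.groups, self.txns = {}, {}

    def create_group(self, admin, members):
        g = Group(str(uuid.uuid4()), admin, set(members) | {admin})
        self.groups[g.group_uuid] = g
        return g

    def add_txn(self, group, payer, amount):
        t = Transaction(str(uuid.uuid4()), str(uuid.uuid4()),
                        group.group_uuid, payer, amount)
        self.txns[t.txn_uuid] = t
        return t

    def settle(self, actor, group_uuid):
        g = self.groups[group_uuid]
        if actor != g.admin:
            raise ApiError("only the group admin can settle")
        g.status = "settled"


def comment_add_vulnerable(store, user, body):
    # The flaw from the post: the group is resolved from the request and the note
    # is stored without checking group status, caller membership, or whether
    # txn_uuid/obj_uuid belong to that group. The UI hiding the chat is "enough".
    group = store.groups[body["group_uuid"]]
    group.comments.append({"user": user, "txn_uuid": body["txn_uuid"],
                           "obj_uuid": body["obj_uuid"], "notes": body["notes"]})
    return {"status": "ok"}


def comment_add_secure(store, user, body):
    group = store.groups.get(body.get("group_uuid"))
    if group is None or user not in group.members:
        raise ApiError("not a member of this group")        # authorization
    if group.status == "settled":
        raise ApiError("group is settled; chat is closed")  # server-side state check
    txn = store.txns.get(body.get("txn_uuid"))
    if (txn is None or txn.group_uuid != group.group_uuid
            or txn.obj_uuid != body.get("obj_uuid")):
        raise ApiError("txn_uuid/obj_uuid do not belong to this group")  # id binding
    notes = body.get("notes")
    if not isinstance(notes, str) or not 0 < len(notes) <= 500:
        raise ApiError("invalid notes")                     # input validation
    group.comments.append({"user": user, "txn_uuid": txn.txn_uuid,
                           "obj_uuid": txn.obj_uuid, "notes": notes})
    return {"status": "ok"}


def replay_after_settlement(handler):
    """Discovery steps against a handler: comment while open, settle, then replay
    the captured request with another txn/obj pair from the same group and a new
    message. Returns (replay_accepted, comment_count)."""
    store = SplitStore()
    g = store.create_group("alice", ["bob"])
    t1 = store.add_txn(g, "alice", 40.0)
    t2 = store.add_txn(g, "bob", 15.0)
    captured = {"group_uuid": g.group_uuid, "txn_uuid": t1.txn_uuid,
                "obj_uuid": t1.obj_uuid, "notes": "paying tonight"}   # constructed
    handler(store, "bob", captured)              # legitimate comment while open
    store.settle("alice", g.group_uuid)          # UI now hides the chat
    mutated = dict(captured, txn_uuid=t2.txn_uuid, obj_uuid=t2.obj_uuid,
                   notes="still chatting after settlement")
    try:
        handler(store, "bob", mutated)
        return True, len(g.comments)
    except ApiError:
        return False, len(g.comments)


def outsider_with_swapped_obj(handler):
    """Open group, but the caller is not a member and obj_uuid does not match txn."""
    store = SplitStore()
    g = store.create_group("alice", ["bob"])
    t = store.add_txn(g, "alice", 40.0)
    body = {"group_uuid": g.group_uuid, "txn_uuid": t.txn_uuid,
            "obj_uuid": str(uuid.uuid4()), "notes": "hi"}
    try:
        handler(store, "mallory", body)
        return True
    except ApiError:
        return False


if __name__ == "__main__":
    print("vulnerable:", replay_after_settlement(comment_add_vulnerable))  # (True, 2)
    print("secure:", replay_after_settlement(comment_add_secure))          # (False, 1)
```

The point of the hardened handler is the order of its checks: membership first, then the group's state, then whether the supplied identifiers actually belong together, and only then the free-text field. Each of those is something the UI already "knows", which is exactly why it is tempting to skip them on the server.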

Key takeaways:

Business logic vulnerabilities can have serious security implications. Thorough testing of every state transition, combined with authorization checks enforced on the backend, prevents issues like this one. Client-side restrictions are a usability feature, not a security control: every rule the UI enforces must be enforced again on the server.



Sachin Pandey

Blog Author
Hey, I’m Sachin Pandey—Senior Security Engineer at we45 and a full-time vulnerability whisperer. If security flaws had nightmares, I’d be in them. I spend my days (and let’s be real, my nights too) breaking applications, chaining exploits, and making bug bounty platforms wonder if I ever log off. Think of me as a digital detective meets cyber demolition expert—I don’t just find vulnerabilities, I hunt them down, chain them together like a cyber heist, and then lock them away forever (unless I’m writing a proof-of-concept, of course). When I’m not ethically hacking the planet, I’m crushing it on the cricket field, disappearing into the mountains for a good trek, or button-mashing my way to victory in a game. Basically, if it involves strategy, precision, or controlled chaos, I’m in. Fun fact: I’ve helped secure some of the biggest tech giants like Google, Mozilla, and Pinterest—but I’m always up for a new challenge.

Copyright AppSecEngineer © 2025