24. December 2021 13:29
While a lot of attention is paid to technical vulnerabilities such as SQL injection, CSRF, and cross-site scripting, modern applications are equally susceptible to business logic flaws. Because business logic flaws defy easy categorization and leave no signature an automated scanner can match, discovering them is difficult. Business constraint bypass is one specific kind of business logic vulnerability.
To understand business constraint bypass, consider a simple example: a website that provides information about top cyber security software. Users can read the top three results for free, but they must pay or subscribe to access the complete list.
A business constraint bypass attack tries to circumvent the limits the website sets in order to retrieve as much information as possible. Even when the attack fails to expose data the attacker is not entitled to, asking the back end for far more records than a page normally loads can cause a small application-level Denial of Service (DoS); if the attacker distributes the requests across many sources, it becomes a DDoS.
How Is Business Constraint Attack Launched?
Launching a business constraint attack is a stepwise process.
- Recon: The first step is to find a parameter that can be modified to return more data than allowed. For example, if a page shows 10 results and the only way to load more is to click 'Next Page', the request behind that page is a candidate for a constraint bypass. In modern applications, when a user requests data, the front end issues an API request for n records, where n is the number of records the application intends to return for that request.
- Exploitation: Once the target API call is identified, the attacker goes after the variable 'n'. If the call is coded to return 10 results, it may look like /api/v1/get_books/10/site/all_books. The attacker replays this call in a new browser tab or with cURL to check that it returns data on its own, without the page around it. If it does, they change the number (10 in this case) to a larger value and see whether the server honours it and returns more records than the page ever would.
How To Remediate Business Constraint Attack?
- An API call may be designed to be invisible to the user, but it is not invisible to everyone and can be manipulated. So, validate every value in the request on the server, including the requested record count; the front end's page size is not a security control.
- If the API has to be dynamic, bound it by user or use case: tie the limit to the authenticated session sent with the request (the caller's plan or role), and reject or cap any count that exceeds that limit rather than trusting the number in the URL.
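The attack steps above and the two remediation points can be seen together in one small example. This is added example code, not code from the original post or from any Centex Technologies application: the route `/api/v1/get_books/<n>/site/all_books`, the "free" and "subscriber" plans, the three-record free tier, the catalogue contents and the function names are all assumptions for illustration. `get_books_vulnerable` is the "before" handler that trusts the count in the URL; `get_books` is the hardened version that derives the limit from the caller's session.

```python
import re
from dataclasses import dataclass

# Constructed sample catalogue standing in for the site's "all_books" table.
CATALOGUE = [f"Security Book #{i}" for i in range(1, 51)]

# Hypothetical business constraint: free accounts may read only the first three
# records; subscribers may read everything, but never more than PAGE_SIZE per call.
FREE_TIER_VISIBLE = 3
PAGE_SIZE = 10

# Hypothetical route; the count the client asks for is the "n" in the path.
ROUTE = re.compile(r"^/api/v1/get_books/(?P<n>\d+)/site/all_books$")


@dataclass(frozen=True)
class Session:
    user_id: str
    plan: str  # "free" or "subscriber"


class LimitError(ValueError):
    """Raised when a request asks for more than the caller is entitled to."""


def parse_count(path: str) -> int:
    """Recon step: the record count is a client-controlled path segment."""
    match = ROUTE.match(path)
    if match is None:
        raise ValueError(f"unknown route {path!r}")
    return int(match.group("n"))


def get_books_vulnerable(path: str, offset: int = 0) -> list[str]:
    """Before: the handler trusts the count in the URL and returns that many rows.
    The free/paid distinction lives only in the front end, so nothing stops
    /api/v1/get_books/1000/site/all_books from dumping the whole catalogue."""
    n = parse_count(path)
    return CATALOGUE[offset:offset + n]


def get_books(session: Session, path: str, offset: int = 0) -> list[str]:
    """After: the limit is derived from the authenticated session, not the request.
    A count above the page size is rejected rather than silently clamped, because a
    request for 1000 rows is a bypass attempt worth logging, not a value to correct."""
    n = parse_count(path)
    if n <= 0 or offset < 0:
        raise LimitError("count must be positive and offset non-negative")
    if n > PAGE_SIZE:
        raise LimitError(f"count {n} exceeds page size {PAGE_SIZE}")
    if session.plan == "subscriber":
        visible = CATALOGUE
    elif session.plan == "free":
        visible = CATALOGUE[:FREE_TIER_VISIBLE]
    else:
        raise LimitError(f"unknown plan {session.plan!r}")
    # Paging is applied inside the window the plan allows, so a free user cannot
    # walk past the third record by changing the offset either.
    return visible[offset:offset + n]


def bypass_attempt(handler, *args) -> tuple[int, str]:
    """Run one handler call the way an attacker would and summarise the outcome
    as (rows returned, status)."""
    try:
        rows = handler(*args)
    except LimitError as exc:
        return 0, f"rejected: {exc}"
    return len(rows), "ok"


if __name__ == "__main__":
    free = Session("u123", "free")
    probe = "/api/v1/get_books/1000/site/all_books"
    # Vulnerable handler: the whole 50-record catalogue comes back in one call.
    print("vulnerable:", bypass_attempt(get_books_vulnerable, probe))
    # Hardened handler: the same request is refused ...
    print("hardened  :", bypass_attempt(get_books, free, probe))
    # ... and a well-formed request from a free account still yields only three rows.
    print("hardened  :", bypass_attempt(get_books, free, "/api/v1/get_books/10/site/all_books"))
```

The hardened handler rejects an oversized count instead of quietly trimming it: a request for 1000 rows is exactly the signal a detection rule should fire on, and clamping would hide it. The entitlement check uses the plan carried by the session, never a value the client supplies, and the offset is applied inside the entitled window so that paging cannot be used as a second way around the limit.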
For more information on business constraint bypass vulnerability, contact Centex Technologies at (254) 213 – 4740.