Threat Management, Incident Response, TDR, Vulnerability Management

Business logic flaws endanger websites

Never mind scanning your website for vulnerabilities in code to prevent attacks.

That may not be enough to protect from another high-risk business impediment: logic flaws. And the potential cost to victim sites could be in the millions.

Two researchers from WhiteHat Security, an application security firm, explained at the Black Hat conference in Las Vegas that business logic flaws often are overlooked by quality assurance teams. Meanwhile, their presence is only expected to grow in coming years.

“Their job is to test what software is supposed to do, not what it is made to do,” said Jeremiah Grossman, founder and chief technology officer of WhiteHat.

The vulnerabilities range in complexity and commonly involve mistakes such as insufficient authorization or predictable resource location.

“They appear completely real,” Grossman said. “There's nothing hacker-ish to them. But people love them [to make money].”

Grossman and Trey Ford, director of solutions architecture at WhiteHat, provided an entertaining look at some of the exploit possibilities, ranging from the somewhat technical to relatively unchallenging.

They included:

  • Reserving a seat while booking a flight online but not paying for the ticket. The seat will remain reserved for a certain period of time so you can grab it when you are ready to pay.
  • Developing a simple script that allows you use thousands of e-coupons or using a similar script to open thousands of brokerage accounts that can each receive small deposits from a bank – usually around five cents – to verify transactions. In the end, you could end up making tens of thousands.
  • Stuffing cookies into other websites to receive payments by advertising affiliates.
  • Guessing the URLs of press releases announcing the earnings of a particular public company, prior to their official release.

“The more technical, the more complex, the more overhead – the more chance of getting caught,” Ford said. “There are some very profitable ways to do these attacks without any of that.”

Among the easiest-to-execute scams took advantage of a business logic flaw on the QVC.com website. A Georgia woman figured out that if she placed an order and canceled it by a certain time, the items would still be shipped to her but she wouldn't have to pay.

To monetize the scheme, she sold the items on eBay, turning more than a $400,000 profit. Authorities eventually caught on because she got lazy and shipped the items still in their QVC packaging – so customers contacted the television shopping network if they had a problem.

She was found guilty of wire fraud last October.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.