172 lines
9.6 KiB
Django/Jinja
172 lines
9.6 KiB
Django/Jinja
<business_logic_flaws_guide>
|
||
<title>BUSINESS LOGIC FLAWS</title>
|
||
|
||
<critical>Business logic flaws exploit intended functionality to violate domain invariants: move money without paying, exceed limits, retain privileges, or bypass reviews. They require a model of the business, not just payloads.</critical>
|
||
|
||
<scope>
|
||
- Financial logic: pricing, discounts, payments, refunds, credits, chargebacks
|
||
- Account lifecycle: signup, upgrade/downgrade, trial, suspension, deletion
|
||
- Authorization-by-logic: feature gates, role transitions, approval workflows
|
||
- Quotas/limits: rate/usage limits, inventory, entitlements, seat licensing
|
||
- Multi-tenant isolation: cross-organization data or action bleed
|
||
- Event-driven flows: jobs, webhooks, sagas, compensations, idempotency
|
||
</scope>
|
||
|
||
<methodology>
|
||
1. Enumerate a state machine per critical workflow (states, transitions, pre/post-conditions). Note invariants (e.g., "refund ≤ captured amount").
|
||
2. Build an Actor × Action × Resource matrix with at least: unauth, basic user, premium, staff/admin; identify actions per role.
|
||
3. For each transition, test step skipping, repetition, reordering, and late mutation (modify inputs after validation but before commit).
|
||
4. Introduce time, concurrency, and channel variance: repeat with parallel requests, different content-types, mobile/web/API/GraphQL.
|
||
5. Validate persistence boundaries: verify that all services, queues, and jobs re-enforce invariants (no trust in upstream validation).
|
||
</methodology>
|
||
|
||
<discovery_techniques>
|
||
<workflow_mapping>
|
||
- Derive endpoints from the UI and proxy/network logs; map hidden/undocumented API calls, especially finalize/confirm endpoints
|
||
- Identify tokens/flags: stepToken, paymentIntentId, orderStatus, reviewState, approvalId; test reuse across users/sessions
|
||
- Document invariants: conservation of value (ledger balance), uniqueness (idempotency), monotonicity (non-decreasing counters), exclusivity (one active subscription)
|
||
</workflow_mapping>
|
||
|
||
<input_surface>
|
||
- Hidden fields and client-computed totals; server must recompute on trusted sources
|
||
- Alternate encodings and shapes: arrays instead of scalars, objects with unexpected keys, null/empty/0/negative, scientific notation
|
||
- Business selectors: currency, locale, timezone, tax region; vary to trigger rounding and ruleset changes
|
||
</input_surface>
|
||
|
||
<state_time_axes>
|
||
- Replays: resubmit stale finalize/confirm requests
|
||
- Out-of-order: call finalize before verify; refund before capture; cancel after ship
|
||
- Time windows: end-of-day/month cutovers, daylight saving, grace periods, trial expiry edges
|
||
</state_time_axes>
|
||
</discovery_techniques>
|
||
|
||
<high_value_targets>
|
||
- Pricing/cart: price locks, quote to order, tax/shipping computation
|
||
- Discount engines: stacking, mutual exclusivity, scope (cart vs item), once-per-user enforcement
|
||
- Payments: auth/capture/void/refund sequences, partials, split tenders, chargebacks, idempotency keys
|
||
- Credits/gift cards/vouchers: issuance, redemption, reversal, expiry, transferability
|
||
- Subscriptions: proration, upgrade/downgrade, trial extension, seat counts, meter reporting
|
||
- Refunds/returns/RMAs: multi-item partials, restocking fees, return window edges
|
||
- Admin/staff operations: impersonation, manual adjustments, credit/refund issuance, account flags
|
||
- Quotas/limits: daily/monthly usage, inventory reservations, feature usage counters
|
||
</high_value_targets>
|
||
|
||
<exploitation_techniques>
|
||
<state_machine_abuse>
|
||
- Skip or reorder steps via direct API calls; verify server enforces preconditions on each transition
|
||
- Replay prior steps with altered parameters (e.g., swap price after approval but before capture)
|
||
- Split a single constrained action into many sub-actions under the threshold (limit slicing)
|
||
</state_machine_abuse>
|
||
|
||
<concurrency_and_idempotency>
|
||
- Parallelize identical operations to bypass atomic checks (create, apply, redeem, transfer)
|
||
- Abuse idempotency: key scoped to path but not principal → reuse other users' keys; or idempotency stored only in cache
|
||
- Message reprocessing: queue workers re-run tasks on retry without idempotent guards; cause duplicate fulfillment/refund
|
||
</concurrency_and_idempotency>
|
||
|
||
<numeric_and_currency>
|
||
- Floating point vs decimal rounding; rounding/truncation favoring attacker at boundaries
|
||
- Cross-currency arbitrage: buy in currency A, refund in B at stale rates; tax rounding per-item vs per-order
|
||
- Negative amounts, zero-price, free shipping thresholds, minimum/maximum guardrails
|
||
</numeric_and_currency>
|
||
|
||
<quotas_limits_inventory>
|
||
- Off-by-one and time-bound resets (UTC vs local); pre-warm at T-1s and post-fire at T+1s
|
||
- Reservation/hold leaks: reserve multiple, complete one, release not enforced; backorder logic inconsistencies
|
||
- Distributed counters without strong consistency enabling double-consumption
|
||
</quotas_limits_inventory>
|
||
|
||
<refunds_chargebacks>
|
||
- Double-refund: refund via UI and support tool; refund partials summing above captured amount
|
||
- Refund after benefits consumed (downloaded digital goods, shipped items) due to missing post-consumption checks
|
||
</refunds_chargebacks>
|
||
|
||
<feature_gates_and_roles>
|
||
- Feature flags enforced client-side or at edge but not in core services; toggle names guessed or fallback to default-enabled
|
||
- Role transitions leaving stale capabilities (retain premium after downgrade; retain admin endpoints after demotion)
|
||
</feature_gates_and_roles>
|
||
|
||
<advanced_techniques>
|
||
<event_driven_sagas>
|
||
- Saga/compensation gaps: trigger compensation without original success; or execute success twice without compensation
|
||
- Outbox/Inbox patterns missing idempotency → duplicate downstream side effects
|
||
- Cron/backfill jobs operating outside request-time authorization; mutate state broadly
|
||
</event_driven_sagas>
|
||
|
||
<microservices_boundaries>
|
||
- Cross-service assumption mismatch: one service validates total, another trusts line items; alter between calls
|
||
- Header trust: internal services trusting X-Role or X-User-Id from untrusted edges
|
||
- Partial failure windows: two-phase actions where phase 1 commits without phase 2, leaving exploitable intermediate state
|
||
</microservices_boundaries>
|
||
|
||
<multi_tenant_isolation>
|
||
- Tenant-scoped counters and credits updated without tenant key in the where-clause; leak across orgs
|
||
- Admin aggregate views allowing actions that impact other tenants due to missing per-tenant enforcement
|
||
</multi_tenant_isolation>
|
||
|
||
<bypass_techniques>
|
||
- Content-type switching (json/form/multipart) to hit different code paths
|
||
- Method alternation (GET performing state change; overrides via X-HTTP-Method-Override)
|
||
- Client recomputation: totals, taxes, discounts computed on client and accepted by server
|
||
- Cache/gateway differentials: stale decisions from CDN/APIM that are not identity-aware
|
||
</bypass_techniques>
|
||
|
||
<special_contexts>
|
||
<ecommerce>
|
||
- Stack incompatible discounts via parallel apply; remove qualifying item after discount applied; retain free shipping after cart changes
|
||
- Modify shipping tier post-quote; abuse returns to keep product and refund
|
||
</ecommerce>
|
||
|
||
<banking_fintech>
|
||
- Split transfers to bypass per-transaction threshold; schedule vs instant path inconsistencies
|
||
- Exploit grace periods on holds/authorizations to withdraw again before settlement
|
||
</banking_fintech>
|
||
|
||
<saas_b2b>
|
||
- Seat licensing: race seat assignment to exceed purchased seats; stale license checks in background tasks
|
||
- Usage metering: report late or duplicate usage to avoid billing or to over-consume
|
||
</saas_b2b>
|
||
</special_contexts>
|
||
|
||
<chaining_attacks>
|
||
- Business logic + race: duplicate benefits before state updates
|
||
- Business logic + IDOR: operate on others' resources once a workflow leak reveals IDs
|
||
- Business logic + CSRF: force a victim to complete a sensitive step sequence
|
||
</chaining_attacks>
|
||
|
||
<validation>
|
||
1. Show an invariant violation (e.g., two refunds for one charge, negative inventory, exceeding quotas).
|
||
2. Provide side-by-side evidence for intended vs abused flows with the same principal.
|
||
3. Demonstrate durability: the undesired state persists and is observable in authoritative sources (ledger, emails, admin views).
|
||
4. Quantify impact per action and at scale (unit loss × feasible repetitions).
|
||
</validation>
|
||
|
||
<false_positives>
|
||
- Promotional behavior explicitly allowed by policy (documented free trials, goodwill credits)
|
||
- Visual-only inconsistencies with no durable or exploitable state change
|
||
- Admin-only operations with proper audit and approvals
|
||
</false_positives>
|
||
|
||
<impact>
|
||
- Direct financial loss (fraud, arbitrage, over-refunds, unpaid consumption)
|
||
- Regulatory/contractual violations (billing accuracy, consumer protection)
|
||
- Denial of inventory/services to legitimate users through resource exhaustion
|
||
- Privilege retention or unauthorized access to premium features
|
||
</impact>
|
||
|
||
<pro_tips>
|
||
1. Start from invariants and ledgers, not UI—prove conservation of value breaks.
|
||
2. Test with time and concurrency; many bugs only appear under pressure.
|
||
3. Recompute totals server-side; never accept client math—flag when you observe otherwise.
|
||
4. Treat idempotency and retries as first-class: verify key scope and persistence.
|
||
5. Probe background workers and webhooks separately; they often skip auth and rule checks.
|
||
6. Validate role/feature gates at the service that mutates state, not only at the edge.
|
||
7. Explore end-of-period edges (month-end, trial end, DST) for rounding and window issues.
|
||
8. Use minimal, auditable PoCs that demonstrate durable state change and exact loss.
|
||
9. Chain with authorization tests (IDOR/Function-level access) to magnify impact.
|
||
10. When in doubt, map the state machine; gaps appear where transitions lack server-side guards.
|
||
</pro_tips>
|
||
|
||
<remember>Business logic security is the enforcement of domain invariants under adversarial sequencing, timing, and inputs. If any step trusts the client or prior steps, expect abuse.</remember>
|
||
</business_logic_flaws_guide>
|