Logical loopholes in security testing
2022-07-18 22:52:00 【NeilNiu】
When it comes to security testing, our first reaction is usually to leave it to a professional security team, who will run existing open-source or self-developed vulnerability scanners. Findings from the scan are then verified. This approach has drawbacks, though: scan results contain false positives, so developers are asked to fix something that turns out not to be a security vulnerability at all. For the security team, the workload is also huge. That is why every tester should master the essential security tests themselves.
Common vulnerability types in security testing include XSS, SQL injection, CSRF, file upload vulnerabilities and logic vulnerabilities.
This article focuses on logic vulnerabilities. Security systems such as WAF and RASP have difficulty finding them, because they stem from how permission control and validation were handled (or not) at development and design time. Such vulnerabilities are usually discovered by hand or in a semi-automated way. Testers know the business best, so they are the ones best placed to find them. Logic vulnerabilities mainly fall into the following categories:
1. Privilege escalation vulnerabilities, including horizontal and vertical privilege escalation
Horizontal privilege escalation: suppose users A and B have the same permission level. If user A can access user B's private data, that is horizontal privilege escalation. To test for it, capture user A's request with BurpSuite, replace the requested resource ID with user B's, and resend the request. If the response contains B's data, horizontal privilege escalation exists.
Vertical privilege escalation: suppose user A is an ordinary user and user B is an administrator. If user A can access user B's private data, that is vertical privilege escalation, also called privilege elevation. The test method is the same as for the horizontal case: take user A's request, change it to target administrator B's data, and if B's information is returned, vertical privilege escalation exists.
Unauthenticated access: for a page or interface that requires login, remove the login credentials from the request and access it again.
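The server-side checks that close all three gaps above (horizontal, vertical and unauthenticated access), as an added example that is not from the original post. Users, session tokens and orders are constructed sample data; the vulnerable handler is kept beside the hardened one to show exactly which check is missing.

```python
# Added example (not from the original post): minimal server-side authorization
# that closes the three access-control gaps described in the post.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "user" or "admin"


# Constructed sample data: order_id -> owner, and the user directory.
ORDERS = {"1001": "alice", "1002": "bob"}
USERS = {"alice": User("alice", "user"), "bob": User("bob", "user"), "root": User("root", "admin")}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-root": "root"}  # constructed tokens


def current_user(session_token: Optional[str]) -> Optional[User]:
    """Resolve the login credential to a user; None means not logged in."""
    uid = SESSIONS.get(session_token or "")
    return USERS.get(uid) if uid else None


def get_order_vulnerable(order_id: str, session_token: Optional[str]) -> dict:
    """Trusts the ID in the request: swapping the ID or dropping the token both succeed."""
    return {"status": 200, "order_id": order_id, "owner": ORDERS[order_id]}


def get_order(order_id: str, session_token: Optional[str]) -> dict:
    """Hardened: authenticate first, then check object ownership, not just the ID."""
    user = current_user(session_token)
    if user is None:
        return {"status": 401}  # unauthenticated access blocked
    owner = ORDERS.get(order_id)
    if owner is None:
        return {"status": 404}
    if owner != user.user_id and user.role != "admin":
        return {"status": 403}  # horizontal escalation blocked (A reading B's order)
    return {"status": 200, "order_id": order_id, "owner": owner}


def admin_list_users(session_token: Optional[str]) -> dict:
    """Admin-only endpoint: the role check is what stops vertical escalation."""
    user = current_user(session_token)
    if user is None:
        return {"status": 401}
    if user.role != "admin":
        return {"status": 403}  # ordinary user calling an admin interface
    return {"status": 200, "users": sorted(USERS)}
```

The test the post describes (resend A's request with B's ID, or with no credential) maps directly onto the 403 and 401 branches; a 200 from the vulnerable handler on the same inputs is the finding.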
2. Captcha vulnerabilities, including whether the verification code can be brute-forced: using BurpSuite's Intruder, set up a payload, brute-force the verification field and compare the response lengths to see which value succeeded.
3. Business logic vulnerabilities: in a transaction flow, because the back end does not perform mandatory verification of the submitted order data, users can buy goods for less than the normal price. For example, at payment time, if you intercept the request with BurpSuite, modify the payment amount or the quantity of goods, and the payment still succeeds, then the payment interface has a logic flaw.
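A checkout step that recomputes the total from server-side prices and rejects a client-supplied amount that disagrees, as an added example that is not from the original post. The catalog, the order and the requests are constructed sample data.

```python
# Added example (not from the original post): the back end never trusts the
# amount or quantity in the payment request; it recomputes and compares.
from decimal import Decimal

# Constructed server-side catalog: sku -> unit price. This is the authoritative source.
CATALOG = {"book": Decimal("59.00"), "pen": Decimal("5.50")}


def pay_vulnerable(request: dict) -> dict:
    """Charges whatever the client sent: editing amount or quantity in the packet succeeds."""
    return {"status": "paid", "charged": Decimal(str(request["amount"]))}


def server_total(items: dict) -> Decimal:
    """Recompute the order total from catalog prices; reject unknown SKUs and bad quantities."""
    total = Decimal("0")
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        if type(qty) is not int or qty <= 0:
            raise ValueError("quantity must be a positive integer")
        total += CATALOG[sku] * qty
    return total


def pay(request: dict) -> dict:
    """Hardened: compare the claimed amount with the recomputed total before charging."""
    try:
        expected = server_total(request["items"])
        claimed = Decimal(str(request["amount"]))
    except (KeyError, ValueError, ArithmeticError) as exc:
        return {"status": "rejected", "reason": str(exc)}
    if claimed != expected:
        # This mismatch is the event worth logging: it is exactly the packet edit
        # the post describes, and a legitimate client never produces it.
        return {"status": "rejected", "reason": "amount mismatch", "expected": expected}
    return {"status": "paid", "charged": expected}
```

Quantities are validated as positive integers so a negative or zero count cannot drive the total down, which is the other edit the post mentions.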
Summary: these are three simple categories of logic vulnerability, all of which require testers to dig them out manually.