Exercise 35: Business Logic Vulnerabilities

Apr 16, 2025

Objective

Learn how to identify and exploit Business Logic Vulnerabilities in web applications to bypass intended functionality or abuse application features. Understand how to mitigate these flaws by validating business rules on the server side and securing critical processes.


Scenario

You are evaluating a vulnerable e-commerce website where users can apply discount codes to reduce the total cost of their orders. Due to improper server-side validation, attackers can manipulate requests to apply excessive discounts, skip payment verification, or gain unauthorized benefits.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and HTTP request manipulation.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
  • Tools like Burp Suite or browser developer tools for request manipulation.

Step 1: Create the Vulnerable E-commerce Application

  1. Database Setup
    • Create a database and tables for products and discount codes:

        CREATE DATABASE ecommerce_lab;
        USE ecommerce_lab;

        CREATE TABLE products (
            id INT AUTO_INCREMENT PRIMARY KEY,
            name VARCHAR(50) NOT NULL,
            price DECIMAL(10,2) NOT NULL
        );

        CREATE TABLE discounts (
            code VARCHAR(20) PRIMARY KEY,
            discount_percent INT NOT NULL
        );

        INSERT INTO products (name, price) VALUES ('Laptop', 1000.00), ('Smartphone', 500.00);
        INSERT INTO discounts (code, discount_percent) VALUES ('SAVE10', 10), ('VIP50', 50);
  2. PHP Script for Product Purchase (Vulnerable)
    • Create a file purchase.php:

        <?php
        $conn = mysqli_connect("localhost", "root", "", "ecommerce_lab");

        if (isset($_POST['buy'])) {
            // Product id and discount code are taken straight from the request
            // and interpolated into the queries without any validation.
            $product_id = $_POST['product_id'];
            $discount_code = $_POST['discount_code'];

            $product_query = "SELECT * FROM products WHERE id = $product_id";
            $product_result = mysqli_query($conn, $product_query);
            $product = mysqli_fetch_assoc($product_result);
            $price = $product['price'];

            if (!empty($discount_code)) {
                // Whatever row matches the submitted code is applied as-is:
                // no allowlist, no usage limit, no cap on the percentage.
                $discount_query = "SELECT * FROM discounts WHERE code = '$discount_code'";
                $discount_result = mysqli_query($conn, $discount_query);
                if (mysqli_num_rows($discount_result) > 0) {
                    $discount = mysqli_fetch_assoc($discount_result);
                    $price -= ($price * ($discount['discount_percent'] / 100));
                }
            }

            echo "<h2>Product: {$product['name']}</h2>";
            echo "<h3>Total Price: \$$price</h3>";
        }
        ?>
        <h2>Purchase Product</h2>
        <form method="POST" action="">
            Select Product:
            <select name="product_id">
                <option value="1">Laptop - $1000</option>
                <option value="2">Smartphone - $500</option>
            </select><br>
            Discount Code: <input type="text" name="discount_code"><br>
            <button type="submit" name="buy">Buy Now</button>
        </form>
  3. Running the Application
    • Start the Apache server.
    • Place purchase.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/purchase.php in your browser.

Exploitation Steps

Step 1: Applying an Unauthorized Discount

  1. In the Discount Code field, enter VIP50 while selecting the Laptop.
  2. Intercept the request using Burp Suite or browser developer tools.
  3. Modify the discount code in the request to VIP100 (an invalid code).

Expected Result:

  • The server applies a 100% discount, allowing the laptop to be purchased for free, because the discount code is never validated on the server side.

Step 2: Manipulating the Price Directly

  1. Change the price parameter in the intercepted request to 1.

Expected Result:

  • The server processes the purchase at $1, bypassing proper pricing validation.

Solution and Prevention

Problem Analysis

  • The server trusts user input for discount codes and pricing without verification.

Fixing the Vulnerability

  1. Validate Discount Codes Server-Side
    • Check discount codes against a server-side allowlist and enforce limits:

        $allowed_discounts = ['SAVE10', 'VIP50'];
        if (!in_array($discount_code, $allowed_discounts)) {
            die("Invalid discount code.");
        }
  2. Prevent Direct Price Manipulation
    • Avoid accepting price input from the client; read the price from the database instead:

        $product_query = "SELECT price FROM products WHERE id = $product_id";
        $product_result = mysqli_query($conn, $product_query);
        $product = mysqli_fetch_assoc($product_result);
        $price = $product['price'];
  3. Enforce Business Logic Validation
    • Add server-side validation to ensure the integrity of discount codes and order processing.
  4. Limit Discount Code Usage
    • Track usage frequency to prevent abuse (this assumes an orders table that records the discount_code used on each order; the Step 1 schema does not create it):

        $usage_query = "SELECT COUNT(*) AS count FROM orders WHERE discount_code = '$discount_code'";
        $usage_result = mysqli_query($conn, $usage_query);
        $usage = mysqli_fetch_assoc($usage_result);
        if ($usage['count'] > 5) {
            die("Discount code usage limit exceeded.");
        }
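Putting the four fixes together, the following hardened purchase.php is an added example and not the lab's own code. It assumes the ecommerce_lab schema from Step 1 plus an orders table with columns product_id, discount_code and total (which the lab never defines), and it binds every client-supplied value with prepared statements instead of interpolating it into the query.

```php
<?php
// Added example: hardened purchase.php combining fixes 1-4 (not the lab's code).
// Assumes the Step 1 schema plus an orders(product_id, discount_code, total) table.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect("localhost", "root", "", "ecommerce_lab");
const MAX_DISCOUNT_USES = 5; // per-code usage cap, as in fix 4

if (isset($_POST['buy'])) {
    // The client chooses only the product id; it is cast to int and bound, never interpolated.
    $product_id = (int)($_POST['product_id'] ?? 0);
    $discount_code = trim($_POST['discount_code'] ?? '');

    // Fix 2: the price always comes from the database, never from the request.
    $stmt = mysqli_prepare($conn, "SELECT name, price FROM products WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $product_id);
    mysqli_stmt_execute($stmt);
    $product = mysqli_stmt_get_result($stmt)->fetch_assoc();
    if (!$product) { die("Unknown product."); }
    $price = (float)$product['price'];

    if ($discount_code !== '') {
        // Fix 1: the code must exist in the discounts table; VIP100 is rejected, not ignored.
        $stmt = mysqli_prepare($conn, "SELECT discount_percent FROM discounts WHERE code = ?");
        mysqli_stmt_bind_param($stmt, "s", $discount_code);
        mysqli_stmt_execute($stmt);
        $discount = mysqli_stmt_get_result($stmt)->fetch_assoc();
        if (!$discount) { die("Invalid discount code."); }

        // Fix 4: enforce the usage limit before the discount is applied.
        $stmt = mysqli_prepare($conn, "SELECT COUNT(*) AS count FROM orders WHERE discount_code = ?");
        mysqli_stmt_bind_param($stmt, "s", $discount_code);
        mysqli_stmt_execute($stmt);
        $usage = mysqli_stmt_get_result($stmt)->fetch_assoc();
        if ((int)$usage['count'] >= MAX_DISCOUNT_USES) { die("Discount code usage limit exceeded."); }

        // Clamp the percentage so a corrupt row can never yield a negative total.
        $percent = max(0, min(100, (int)$discount['discount_percent']));
        $price = round($price * (1 - $percent / 100), 2);
    }

    // Persist the order so the usage counter above reflects it.
    $code_or_null = $discount_code === '' ? null : $discount_code;
    $stmt = mysqli_prepare($conn, "INSERT INTO orders (product_id, discount_code, total) VALUES (?, ?, ?)");
    mysqli_stmt_bind_param($stmt, "isd", $product_id, $code_or_null, $price);
    mysqli_stmt_execute($stmt);
    echo "<h2>Product: " . htmlspecialchars($product['name']) . "</h2>";
    echo "<h3>Total Price: \$" . number_format($price, 2) . "</h3>";
}
?>
```

The purchase form from Step 1 follows the closing tag unchanged; the server now ignores any extra price field a client may add to the request, since the total is computed only from the products row and the validated discount row.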

Testing After Fix

  1. Attempt to apply an invalid discount code like VIP100.
    • Expected Result: the server rejects the request and displays an error.
  2. Attempt to manipulate the price in the request.
    • Expected Result: the server calculates the price using the product database value, preventing tampering.

Conclusion

In this lab, you exploited Business Logic Vulnerabilities by manipulating discount codes and pricing to bypass intended application behavior. You also learned how to prevent such vulnerabilities by enforcing server-side validation, implementing secure business rules, and limiting discount code abuse.
