Learning about logic vulnerabilities

Overview of logic vulnerabilities

What is a logic vulnerability?
Code is written by people, and people make mistakes, so logic vulnerabilities will always exist.
Vulnerabilities such as SQL injection and XSS can be avoided by using a security framework: their attack traffic is malformed, it breaks the program's intended behaviour, and a firewall can detect it. Logic vulnerabilities, by contrast, are exploited through requests that are legal and well-formed, for example a password-retrieval flow that was designed without enough care. They cause many problems, and the way they are exploited does not point to the way they are prevented.

Common logic vulnerabilities:
transaction payment, password modification, password retrieval, unauthorized modification, unauthorized queries, bypassing restrictions, and other kinds of logic flaws.

Logical vulnerability classification

Verification mechanism flaws
Session management flaws
Authority management flaws
Business logic flaws
Login flaws
Payment logic flaws
API misuse

Authentication mechanism:

Identification factors: what you know, what you have, who you are.

The most common way is that the information system requires users to submit their username and password.

Access control:

From the perspective of what is controlled, permission management can be divided into two categories:

Function-level permission management

Data-level permission management

From the direction of control, permission management can also be divided into two categories:

Getting data from the system, e.g. queries

Submitting data to the system, e.g. deletion and modification

Business logic:

Every business system has its own business logic, and that logic comes from the people who wrote it. Fully understanding the programmer's way of thinking helps in finding the problems.
Session management issues:

The token (or request) carries meaningful data, such as:
User name: user, admin, system
User ID: 0001, 0002, 0003
User authority: admin, 00101, 01000

Predictable tokens:
user tokens follow certain rules and can be predicted by others, e.g. an ID number, student number, mobile phone number, or timestamp.

Thinking: are a ten-digit timestamp and a ten-digit sequence code safe?
Understanding: every second there are ten to the power of ten possibilities, which is extremely hard to brute force.

The token can be obtained:
the user token is transmitted and stored insecurely and is easily obtained by others:
the user token is transmitted in the URL: it travels in plain text and is sent on to others;
the user token is written to logs: it is easy for unauthorized users to obtain.
The token does not expire (leading to session fixation attacks):
the user token is transmitted and stored insecurely and is easily obtained by others;
the token validity period is too long (a token should be invalidated after a period of time); too many token attempts are allowed (a token must be invalidated after a certain number of submissions); tokens are not reset/invalidated.
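An added example, not from the original post, of the token handling these points call for: a server-side password-reset token store in which the token is opaque random bytes (so it carries no user name, ID or authority), expires after a fixed period, is single-use, is superseded when a new one is issued, and stops being accepted after a number of failed submissions. The TTL and attempt limit are assumed policy values.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset token is valid for 15 minutes
MAX_ATTEMPTS_PER_USER = 5     # assumed policy: stop accepting after 5 wrong submissions


@dataclass
class _Entry:
    user_id: str
    issued_at: float


class ResetTokenStore:
    """Server-side store for password-reset tokens.

    The token string itself is opaque random bytes; everything meaningful
    (which user, when issued) lives in this store, never inside the token.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, max_attempts=MAX_ATTEMPTS_PER_USER,
                 clock=time.time):
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._tokens = {}            # token -> _Entry
        self._attempts = {}          # user_id -> failed submissions

    def issue(self, user_id):
        # Reset/invalidate any earlier token for this user: only the newest link works.
        for tok, entry in list(self._tokens.items()):
            if entry.user_id == user_id:
                del self._tokens[tok]
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a timestamp or counter
        self._tokens[token] = _Entry(user_id, self._clock())
        return token

    def redeem(self, user_id, token):
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        if self._attempts.get(user_id, 0) >= self._max_attempts:
            return False                    # too many submissions: a new token must be requested
        entry = self._tokens.get(token)
        if entry is None or entry.user_id != user_id:
            self._attempts[user_id] = self._attempts.get(user_id, 0) + 1
            return False
        del self._tokens[token]             # single use: replaying the same link fails
        if self._clock() - entry.issued_at > self._ttl:
            return False                    # validity period exceeded
        self._attempts.pop(user_id, None)
        return True
```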

Ineffective anti-replay measures:
e.g. anti-CSRF tokens, which can be bypassed using Burp Suite Macros.
Ineffective handling of login failures:
Image CAPTCHA bypass: the CAPTCHA is not checked, not refreshed, or not invalidated after use; it can be predicted, removed from the request, or obtained; it can be recognized automatically; or other login pages without a CAPTCHA exist.
SMS verification code bypass: brute-forcing 4- or 6-digit codes, tampering with the mobile phone number, tampering with the response.
API logic vulnerabilities:
Unencrypted transmission risks: credential disclosure, disclosure of transmitted data, resource information leakage.


Origin blog.csdn.net/qq_51558360/article/details/115272211