Security testing practice: mining privilege overreach (ultra vires) logic vulnerabilities in the Wanjia APP, by the JD Cloud technical team

Logic vulnerabilities expose a business to large potential economic losses and to the risk of sensitive data leakage. From the perspective of security testing, this article takes privilege overreach (ultra vires) logic vulnerabilities as an example and introduces the method and practical process for mining them.

1. What is an ultra vires (privilege overreach) logic vulnerability

Definition: because the system lacks strict permission-control logic, a user can access or operate data and functions they are not authorized for. It includes horizontal overreach and vertical overreach.

Horizontal overreach: when the system has multiple users with the same level of permission, user A can access or operate the resources of other users. As shown in Figure 1.1, users A, B, C and D are all ordinary users; when user A can access the resources of user B or any other user, horizontal overreach occurs.

Vertical overreach: when users with different permission levels exist in the system, a low-privileged user can access or operate the resources of a high-privileged user. As shown in Figure 1.1, when an ordinary user or other low-privileged user can access the resources of users with higher permissions than their own, vertical overreach occurs.

Figure 1.1

2. Mining methods for ultra vires logic vulnerabilities

Based on the definition and classification above, and from the perspective of simulating how an attacker would exploit such vulnerabilities, two mining methods can be summarized.

2.1 Unauthenticated access test

This tests whether a user can directly access pages or information that require authentication without having logged in or been authorized. The procedure is:

1) Enumerate the interfaces to be tested;

2) Use a packet-capture tool to obtain the interface's input parameters;

3) Re-request with the cookie omitted, or with an invalid cookie;

4) Check the result of the request. If the correct result is still returned, the interface has an unauthenticated access vulnerability.

2.2 Privilege overreach (ultra vires) access test

The client is bypassed by capturing packets and modifying parameters, in order to test whether an overreach vulnerability exists. The procedure is:

1) Enumerate the interfaces to be tested;

2) Use a packet-capture tool to obtain the interface's input parameters;

3) Horizontal overreach test: analyze whether the input parameters contain fields that identify the user's identity. If they do, change them to another test user's information and re-request. If the correct result is returned, the interface has a horizontal overreach vulnerability;

4) Vertical overreach test: analyze the input parameters of a high-privileged user's request, replace the high-privileged user's information with a low-privileged user's information, and re-request. If the correct result is returned, the interface has a vertical overreach vulnerability.

3. Mining practice: ultra vires logic vulnerabilities in the Wanjia system

3.1 Implementation tools and platforms

Capture tool: Charles, an HTTP proxy, HTTP monitor and reverse proxy tool that lets developers view all HTTP and SSL/HTTPS traffic between their machine and the Internet, including requests, responses and HTTP headers (which carry cookies and cache information). Official installation documentation: www.charlesproxy.com/documentati…

Request platform: JD.com's internal interface testing platform, DeepTest.

3.2 Unauthenticated access test practice

Figure 3.1

First, determine the interfaces to test. All interfaces of the JD Wanjia APP require login, so each one must be verified in turn. The procedure for obtaining interface and parameter information is:

(1) Open Charles and turn on the mobile proxy;

(2) Check that the phone's proxy IP and port match the Charles settings; if they do not, change them to match;

(3) Start the JD Wanjia APP on the mobile phone;

(4) View the corresponding interfaces and requests in Charles, as shown in Figure 3.1.

Take the user_baseinfo interface captured in Charles as an example for the unauthenticated access test. First copy the interface, body and cookie information from the Charles capture, then modify the interface's input parameters on the DeepTest platform and re-request. The parameter that is modified is mainly the cookie, because the login information is verified from the cookie; the essence of the unauthenticated access test is therefore to replace the cookie in the input parameters with invalid information and re-request. Note that "invalid cookie" covers both omitting the cookie and supplying an expired one. As shown in Figure 3.2, the request is sent without any cookie, yet after re-requesting the result is still returned; that is, the user can directly access information that requires authentication without being authorized, indicating that the interface has an unauthenticated access logic vulnerability.

Figure 3.2

3.3 Privilege overreach access test practice

Horizontal overreach test: first determine all interfaces to test. Taking the order-details interface of the Wanjia APP as an example, the input parameters obtained by packet capture are:

{"from":"","orderId":"239703099155","sdkClient":"plugin_apple","appName":"apollo","isPublish":"","apolloId":"ca3d","apolloSecret":"7157","wjPin":"ceshibu3"}

Parameter analysis: the input parameters contain two fields that identify the user, orderId and wjPin, so they are changed to the information of another user with the same level of permission and the horizontal overreach test is performed. The requests and returned results before and after modification are shown in Figure 3.3. Let the currently logged-in user be user A, and change the user information in the request parameters to user B's. After the parameters are modified, user A can still access user B's order details; that is, the currently logged-in user can access other users' order details, indicating that the interface has a horizontal overreach logic vulnerability.

Figure 3.3

Vertical overreach test: in the Wanjia APP business, the store owner's permissions are higher than the store staff's, so a vertical overreach test is needed to verify whether the owner's information is at risk of leaking.

First, determine the specific permissions the store owner has beyond the staff; this must be done interface by interface. Then log in to the Wanjia APP with the owner's account, find a function that only the owner's permission level can see, and carry out the test procedure of requesting, capturing packets, analyzing parameters, modifying parameters and re-requesting. Here, modifying the parameters means replacing the owner-identity cookie with a staff-identity cookie. As shown in Figure 3.4, the result is returned normally after re-requesting, indicating that the interface has a vertical overreach logic vulnerability.

Figure 3.4

4. Summary and Suggestions

This article introduced the basic concept of ultra vires logic vulnerabilities and the methods for mining them, and walked through the main process using three specific Wanjia APP scenarios: determine the test interface → capture packets to obtain the interface parameters → analyze the parameters → re-request after modifying the input parameters → analyze the returned result. Finally, based on the Wanjia APP mining practice, the following two suggestions are put forward:

  1. Use the DeepTest interface automated testing platform, which improves efficiency and makes maintenance and regression easy, so that logic vulnerability mining becomes a routine activity;

  2. Cultivate security testing awareness in daily work, for example:

(1) Account-related create, delete, update and query operations should be restricted to the current user's identity;

(2) The current user's identity should be obtained from the session;

(3) Never use plaintext data passed by the client as the basis for authentication;

(4) User-visible index fields should be made as irregular (unpredictable) as possible;

(5) Build a set of test methods, keep accumulating and executing it, and make security testing routine.
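The following is an added example that is not part of the original article and not the Wanjia project's code: an in-memory mock of an order-details interface and an owner-only store-report interface, each in a deliberately vulnerable form (the behaviour section 3 observed) and a hardened form that applies suggestions (1) to (4) above, together with the three probes from sections 2.1 and 2.2 (no cookie, another user's identity fields with the tester's own cookie, an owner request replayed with a staff cookie). All cookie values, pins, roles, store ids and order records are constructed test data, and the handler and probe names are this example's own.

```python
"""Added example (not from the original article or the Wanjia project): mock
order-details and store-report interfaces in vulnerable and hardened form, and
the three overreach probes from section 2 run against both.  Every cookie,
pin, role, store id and order record below is constructed test data."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Server-side session store: the only trustworthy source of "who is calling".
SESSIONS = {
    "cookie-owner-A": {"pin": "ownerA", "role": "owner", "store": "s1"},
    "cookie-staff-A": {"pin": "staffA", "role": "staff", "store": "s1"},
    "cookie-owner-B": {"pin": "ownerB", "role": "owner", "store": "s2"},
}
ORDERS = {  # order id -> record; the id shape mirrors the article's orderId field
    "239703099155": {"owner_pin": "ownerA", "store": "s1", "amount": 88.0},
    "239703099156": {"owner_pin": "ownerB", "store": "s2", "amount": 12.5},
}
STORE_REPORTS = {"s1": {"revenue": 1200.0}, "s2": {"revenue": 340.0}}  # owner-only


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


Handler = Callable[[str, dict], Response]


# --- deliberately vulnerable handlers: what the article's captures showed ---
def order_details_vulnerable(cookie: str, params: dict) -> Response:
    # Never consults the session: trusts orderId/wjPin straight from the body,
    # so no cookie is needed (2.1) and any orderId is readable (horizontal).
    order = ORDERS.get(params.get("orderId", ""))
    return Response(200, order) if order else Response(404)


def store_report_vulnerable(cookie: str, params: dict) -> Response:
    # Checks that the caller is logged in, but not which role they hold,
    # so a staff cookie replaying an owner request succeeds (vertical).
    if cookie not in SESSIONS:
        return Response(401)
    return Response(200, STORE_REPORTS.get(params.get("store", "")))


# --- hardened handlers: suggestions (1) to (3) from the summary ---
def order_details_hardened(cookie: str, params: dict) -> Response:
    session = SESSIONS.get(cookie)  # identity comes from the session only (2)
    if session is None:
        return Response(401)
    order = ORDERS.get(params.get("orderId", ""))
    # Scope the lookup to the current user (1); wjPin in the body is ignored (3).
    if order is None or order["owner_pin"] != session["pin"]:
        return Response(404)  # same answer as "no such order": no existence leak
    return Response(200, order)


def store_report_hardened(cookie: str, params: dict) -> Response:
    session = SESSIONS.get(cookie)
    if session is None:
        return Response(401)
    # Role and store both come from the session, never from the request body.
    if session["role"] != "owner" or session["store"] != params.get("store"):
        return Response(403)
    return Response(200, STORE_REPORTS[session["store"]])


# --- the three probes from section 2, phrased as "did data come back?" ---
def check_unauthenticated(handler: Handler, params: dict) -> bool:
    """2.1: replay with no cookie and with an invalid one; True means a finding."""
    return any(handler(c, params).status == 200 for c in ("", "cookie-expired"))


def check_horizontal(handler: Handler, cookie_a: str, params_of_b: dict) -> bool:
    """2.2 step 3: user A's cookie with user B's identity fields; True means a finding."""
    return handler(cookie_a, params_of_b).status == 200


def check_vertical(handler: Handler, low_cookie: str, params: dict) -> bool:
    """2.2 step 4: an owner-only request replayed with a staff cookie; True means a finding."""
    return handler(low_cookie, params).status == 200


def run_suite(order_handler: Handler, report_handler: Handler) -> Dict[str, bool]:
    """Run all three probes against one pair of handlers; any True is a finding."""
    b_params = {"orderId": "239703099156", "wjPin": "ownerB"}  # user B's order
    return {
        "unauthenticated": check_unauthenticated(order_handler, b_params),
        "horizontal": check_horizontal(order_handler, "cookie-owner-A", b_params),
        "vertical": check_vertical(report_handler, "cookie-staff-A", {"store": "s1"}),
    }


def new_order_id() -> str:
    """Suggestion (4): an unguessable id instead of a sequential one, so a
    neighbouring order cannot be reached by simply adjusting orderId."""
    return secrets.token_urlsafe(12)


if __name__ == "__main__":
    print("vulnerable:", run_suite(order_details_vulnerable, store_report_vulnerable))
    print("hardened:  ", run_suite(order_details_hardened, store_report_hardened))
```

The probes are written as pure functions over a handler so the same suite can be re-run on every build, which is the "accumulate and execute" habit suggestion (5) asks for; the hardened order handler answers 404 rather than 403 for another user's order so that the response does not confirm that the id exists.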

Origin blog.csdn.net/jiangjunsss/article/details/131007638