T 5.167 Errors in the logic of web applications
To ensure that business processes can be mapped by a web application, individual functions are usually combined into a complex application logic. For such a process, the order in which the individual functions or process steps are called is therefore critical.
If such logical sequences are used for security-relevant functions of the web application, for example for user authentication, they can be manipulated in unexpected ways (e.g. by bypassing individual steps) and thereby brought under an attacker's control. Under certain circumstances, an attacker is thus able to bypass the security mechanism.
In addition, malicious actions can also be triggered when functions of the web application can be used for purposes other than those intended. For example, the contact form of a web application can be misused for sending spam if the recipient address specified in the form can be changed.
Other examples:
- A web application has an input field that is restricted to a length of 20 characters. In addition, the data entered into this field is filtered by the web application. Filtering the data entered is more CPU-intensive than checking the length of the character string. If the more complex filtering is carried out before the length check, an attacker can fill the field with a very long character string that is then processed by the resource-intensive filter component. Thus, due to the order of the checks, a high consumption of resources can be provoked, which can be misused for denial-of-service attacks.
- A discount is granted in an online shop when a specific product (product X) is ordered. However, a purchaser does not want to purchase product X, but product Y. By adding both product X and product Y to the shopping cart, the purchaser is granted the discount. The purchaser then cancels the payment transaction and removes product X from the shopping cart, so there is no longer any entitlement to the discount. Nevertheless, the discount is still granted for product Y when the purchaser returns to the payment transaction. Due to the lack of a final check of the criteria applicable to the discount, a fraudster can, as a result, change the purchase price for product Y in an unauthorised manner.
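The discount scenario above, modelled as an added illustration (not code from the threat catalogue): the vulnerable cart stores the discount as state when product X is added, while the hardened cart derives eligibility from the cart contents at the moment of payment. Product names, prices and the discount rate are constructed sample values.

```python
"""T 5.167 discount flaw: discount granted once versus re-checked at payment."""

PRICES = {"X": 100, "Y": 50}   # constructed sample catalogue
DISCOUNT_TRIGGER = "X"          # discount requires product X in the cart
DISCOUNT_RATE = 0.20            # constructed sample rate


class VulnerableCart:
    """Discount is granted when X is added and never re-validated."""

    def __init__(self):
        self.items = []
        self.discount_rate = 0.0

    def add(self, product):
        self.items.append(product)
        if product == DISCOUNT_TRIGGER:
            self.discount_rate = DISCOUNT_RATE  # persisted as cart state

    def remove(self, product):
        self.items.remove(product)              # discount state survives removal

    def checkout(self):
        subtotal = sum(PRICES[p] for p in self.items)
        return round(subtotal * (1 - self.discount_rate), 2)


class HardenedCart(VulnerableCart):
    """Eligibility is recomputed from the final cart at payment time."""

    def checkout(self):
        subtotal = sum(PRICES[p] for p in self.items)
        rate = DISCOUNT_RATE if DISCOUNT_TRIGGER in self.items else 0.0
        return round(subtotal * (1 - rate), 2)


def run_page_scenario(cart):
    """Add X and Y, abort payment, remove X, return to payment; give final price."""
    cart.add("X")
    cart.add("Y")
    cart.checkout()      # first payment attempt, cancelled by the purchaser
    cart.remove("X")
    return cart.checkout()


if __name__ == "__main__":
    print("vulnerable:", run_page_scenario(VulnerableCart()))  # 40.0
    print("hardened:  ", run_page_scenario(HardenedCart()))    # 50.0
```

The hardened variant corresponds to the "final check of the criteria applicable to the discount" whose absence the catalogue entry names as the cause.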