These docs are for v1.1. Click to read the latest docs for v1.2.

Business Constraint Bypass

Severity: Medium
Test name: Business Constraint Bypass
Summary

Business Constraint Bypass is a type of vulnerability that may cause DoS, other types of resource consumption and (which could be more critical to business) may give access to more data than necessary. The issue arises when design and development teams make mistaken assumptions about how users will interact with the application. This may lead to inadequate validation of user input. For example, if developers assume that the users will pass data exclusively via a web browser, the application may rely entirely on the client side to validate the input. Such validation is easily bypassed by an attacker using an intercepting proxy. To perform an attack, the attacker looks for parameters with numerical values that control the amount of returned data (or other business parameters) and tries to change (increase) them, bypassing the default returned data restriction.

Impact

Sensitive data leakage

Example
  1. An online bookstore provides free access to the first 20 pages of each book. The remaining pages are only available after purchasing the book. The following request only returns 20 pages for users with free access.
https://{your_book_store}.com/book/{book_id}/pages-preview
  1. With the following request, an attacker can bypass the default data return limit (number of pages) with a parameter from the request and get the first 500 pages of the book:
https://{your_book_store}.com/book/{book_id}/pages-preview?limit=500
  1. Alternatively, the attacker could keep the default number of pages to preview (20), but bypass the page number where the counting starts and get pages 21-40:
https://{your_book_store}.com/book/{book_id}/pages-preview?offset=20
  1. As a result, with only a free account, the attacker can grab the entire contents of the book and lead the server to an unexpected load (if 500 pages are requested at once).
Location

The issue can be found in the source code on the server side.

Remedy suggestions
  1. Avoid making implicit assumptions about user behavior or the behavior of other parts of the application. Verify and limit the user input that will be used as business parameters on both client and server sides.
  2. Please bear in mind that attackers can see the API requests to your application and manipulate the parameters. Additionally, the use of standard parameters (like limit, offset and others) should be validated and allowed only for those APIs for which it is necessary. Never trust that an API call will not be used or abused by anyone other than your application.
Classifications
  • CWE-639
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References