Business Logic Vulnerability:

Dec 18, 2021

How I was able to Load Money Into My Account.

What are business logic vulnerabilities?

Business logic vulnerabilities come down to flaws in the design and implementation of your application or site. If you assume that your site or app will only ever be used by genuine users, there will be no form of protection against malicious attacks. In these circumstances, attackers manipulate the legitimate functionality of your site in an effort to achieve malicious goals. The malicious behaviours carried out in these attacks can lead to your site being shut down, or to a situation where your application or site functions in a flawed manner.

How can an attacker utilize it?

Flaws in the logic can allow attackers to circumvent the application's rules. For example, they might be able to complete a transaction without going through the intended purchase workflow. In other cases, broken or non-existent validation of user-supplied data might allow users to make arbitrary changes to transaction-critical values or submit nonsensical input. By passing unexpected values into the server-side logic, an attacker can potentially induce the application to do something that it isn't supposed to do.
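
The validation gap described above, shown for a wallet top-up handler: an added example, not code from the application in this write-up. The field names `txn_id`, `state` and `amount`, the `Wallet` class and the in-memory `GATEWAY_LEDGER` standing in for a server-to-server gateway lookup are all assumptions.

```python
# Constructed record of what the payment gateway actually settled. Stands in
# for a server-to-server status query or a signed webhook (assumption).
GATEWAY_LEDGER = {
    "TXN-1001": {"status": "SUCCESS", "amount": 500, "user": "alice"},
    "TXN-1002": {"status": "FAILED", "amount": 500, "user": "alice"},
}

class Wallet:
    def __init__(self):
        self.balance = {}      # user -> amount credited
        self.credited = set()  # txn ids already applied (replay guard)

    def _add(self, user, amount):
        self.balance[user] = self.balance.get(user, 0) + amount

    def credit_trusting_client(self, user, req):
        """Flawed: state and amount are taken from the request body."""
        if req.get("state") == "SUCCESS":
            self._add(user, int(req["amount"]))
            return True, "credited"
        return False, "payment not successful"

    def credit_verified(self, user, req, ledger=GATEWAY_LEDGER):
        """Hardened: only txn_id is read from the client; the rest is looked up."""
        txn_id = req.get("txn_id")
        record = ledger.get(txn_id) if isinstance(txn_id, str) else None
        if record is None:
            return False, "unknown transaction"
        if record["status"] != "SUCCESS":
            return False, "gateway reports payment not settled"
        if record["user"] != user:
            return False, "transaction belongs to another user"
        if txn_id in self.credited:
            return False, "transaction already credited"
        self.credited.add(txn_id)
        self._add(user, record["amount"])  # gateway's amount, not the client's
        return True, "credited"

def demo():
    # Constructed requests: in the first, client fields disagree with the ledger.
    tampered = {"txn_id": "TXN-1002", "state": "SUCCESS", "amount": "99999"}
    genuine = {"txn_id": "TXN-1001", "state": "SUCCESS", "amount": "500"}
    weak, strong = Wallet(), Wallet()
    results = [weak.credit_trusting_client("alice", tampered)]
    results += [strong.credit_verified("alice", r) for r in (tampered, genuine, genuine)]
    return results, weak.balance, strong.balance  # last call above is a replay

if __name__ == "__main__":
    print(demo())
```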

Vulnerability Discovered:

The vulnerable application has an e-wallet to store the sum used while paying bills at their eatery. The initial approach was to understand how their payment gateway was working.

The payment gateway they are using accepts payments for the wallet only by Credit/Debit card. I tried giving randomly generated card values, but the right checks were in place, not allowing test cards.

So I decided to make a purchase and then identify how it's working. The usual API call is working as I thought: it is relying on the third-party payment gateway, along with the transaction ID value and the state parameter.

For example, let’s have a look at this request:

POST /xxxx/xxxxxx HTTP/1.1
Connection: close
Content-Length: 473
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Origin: <REDACTED>
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors

Lazy Kid | Security Analyst |