Hackers of India

The art of exploiting logical flaws in web apps

By Sumit Siddharth, Richard Dean on 06 Dec 2012 @ Blackhat

Abstract

In the last 5 or so years we have seen a rapid demand for web application security testing. At times, security testers get blinded by the traditional input validation flaws such as Cross Site Scripting or SQL Injection and can at times ignore the most critical part of the pentest, which is assessing for logical flaws. Often logical flaws are seen/referred to as just parameter manipulation using a MiTM tool, but the reality is that logical flaws are all about understanding what the application does and then testing the logic. Over the years we have identified some insane logical flaws and we have decided to recreate some of our best logical flaw hacks so that others can learn from these. Some of these hacks will make you giggle, some might make you laugh and some will blow your mind. These logical flaws are difficult to find, and in a world of automated web app testing tools, this reiterates the fact that running a web app scanner can never be the same as a manual pentest. The 1 hour talk will give people enough pointers on how to identify logical flaws or where to look for these.