Hi there!
I spent some time trying to find bugs in the sites I use most, like Swiggy and Paytm, and on the Bugv platform. I was mostly looking for vulnerabilities like SQLi, XSS, XXE, SSRF, etc., and couldn't find one that was of high or critical impact.
One fine day, I thought of giving Android apps a try and decided to look for business logic vulnerabilities.
I borrowed a rooted phone from my friend @Barunesh and tried to set up a proxy for intercepting the mobile apps. I followed the steps mentioned below:
- https://portswigger.net/support/configuring-an-android-device-to-work-with-burp (PortSwigger blog)
- https://www.youtube.com/watch?v=ENyEcwLaz-A&t=2032s (Android SSL Pinning Bypass by Hacktify)
After setting up everything on the mobile, I installed some of the apps which I use and decided to give it a go.
Before that, I had solved the business logic labs from the PortSwigger Web Security Academy and read some writeups on the same topic.
In one of the apps, a price-related parameter accepted negative values, and since I knew the app's functionality well, it was just a matter of exploiting this behaviour.
In a few minutes, I was able to spend any amount of money in the app without actually paying from my bank account.
The bug was critical. I quickly reported it to the team and got my first bounty.
I have made a checklist that I refer to when testing for business logic vulnerabilities, which is largely based on the excellent white paper by @irsdl from NCC Group.
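To show what the bug class above looks like from the defending side, here is an added illustration that is not code from the original post or from any of the apps it mentions: a toy checkout handler that trusts a client-supplied, signed "price" field, beside a hardened version that ignores the client's price, takes it from a server-side catalogue, and rejects non-positive quantities and totals. The item ids, prices and request parameters are all constructed for this example.

```python
"""
Added illustration (not code from the original post or any app it names):
a vulnerable checkout that trusts a client-supplied 'price' value, beside a
hardened checkout that derives pricing server-side and rejects non-positive
values. Item ids, prices and request parameters are constructed/hypothetical.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side price list (hypothetical item ids).
CATALOG = {"item-1": Decimal("250.00"), "item-2": Decimal("999.00")}


class ValidationError(ValueError):
    """Raised by the hardened handler when a request fails validation."""


def checkout_vulnerable(wallet_balance, params):
    """Trusts the client's 'price' field with no sign or range check.
    A negative price yields a negative total, which *credits* the wallet."""
    qty = int(params.get("qty", 1))
    price = Decimal(params["price"])
    total = price * qty
    return wallet_balance - total


def checkout_hardened(wallet_balance, params):
    """Derives the price from the server-side catalogue and rejects
    non-positive quantities and totals before touching the balance."""
    item_id = params.get("item_id")
    if item_id not in CATALOG:
        raise ValidationError("unknown item")
    try:
        qty = int(params.get("qty", 1))
    except (TypeError, ValueError):
        raise ValidationError("quantity must be an integer")
    if qty <= 0:
        raise ValidationError("quantity must be positive")
    # Any client-supplied 'price' is ignored: the server owns pricing.
    total = CATALOG[item_id] * qty
    if total <= 0:
        raise ValidationError("total must be positive")
    if total > wallet_balance:
        raise ValidationError("insufficient balance")
    return wallet_balance - total


def detect_sign_anomaly(params):
    """Cheap request-level check worth logging/alerting on: returns the names
    of money or quantity fields that are negative or not parseable as numbers."""
    flagged = []
    for key in ("price", "amount", "qty"):
        if key in params:
            try:
                if Decimal(str(params[key])) < 0:
                    flagged.append(key)
            except InvalidOperation:
                flagged.append(key)
    return flagged


def is_rejected(params, balance=Decimal("1000")):
    """Helper for tests: True if the hardened handler refuses the request."""
    try:
        checkout_hardened(balance, params)
        return False
    except ValidationError:
        return True


if __name__ == "__main__":
    # Constructed request: the client claims a negative price.
    request = {"item_id": "item-1", "qty": "1", "price": "-500"}
    print("vulnerable balance:", checkout_vulnerable(Decimal("100"), request))
    print("flagged fields:", detect_sign_anomaly(request))
    print("hardened rejects negative qty:", is_rejected({"item_id": "item-1", "qty": "-2"}))
```

The hardened handler never reads the client's price at all; validating the sign of a client-supplied price is weaker than not trusting it, since the same field could later carry a small positive value for an expensive item.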
References:
- https://portswigger.net/web-security/all-labs#business-logic-vulnerabilities (Business Logic PortSwigger Labs)
- https://www.nccgroup.com/globalassets/our-research/uk/images/common_security_issues_in_financially-orientated_web.pdf.pdf (NCC Group white paper)
Feel free to drop any suggestions in the comments section or via my social handles.
Thanks for reading!!!