
PG - Breaking The Giants With Logic

BSides Las Vegas · 24:48 · 216 views · Published 2021-08
About this talk
PG - Breaking The Giants With Logic - Mr. Ali Kabeel, Nick Rosario. Proving Ground, BSidesLV 2021 - Camp Stay At Home - August 1. Video tags: bslv2021-pg-breaking_giants-839411
Transcript [en]

Host: Hi everybody, it's Guy McDoudfella, one of the co-chairs of the Proving Ground track at BSides Las Vegas. Our next talk is "Breaking the Giants with Logic" by Ali Kabeel, who was mentored by Nick Rosario.

Ali Kabeel: Hello everybody, and welcome to BSides Las Vegas. It's a pleasure to be upon you here today, at least virtually. I'm Kabeel, and today we'll be talking about breaking the giants with logic. So let's kick off with some "who am I". I'm a computer science engineering student at the German University in Cairo. I have been a bug hunter and a security researcher for around six to seven years now. Mostly my research interests revolve around web application security, network security, and security of new architectures like microservices. Something I'm extremely passionate about is exploiting vulnerabilities in web applications and networks bare-handed, without using tools, just by using basically my brain. It's my first time here to be a speaker at BSides Las Vegas, and if you would like to connect with me you can find me @logicbreaker on Twitter and at having lington.

So before we start I would like to take a second to look at the title of the presentation, "Breaking the Giants with Logic". There are two very interesting words here, which are "the giants" and "logic". If you have had a look at the bio of the presentation you should know that the giants refer to big social media platforms like Facebook and Instagram and so on. But now let's take a look at the other part, which is logic. I want to take a step back and talk about logic before, actually, the era of security. That's all just logic in science, in mathematics, in physics and so on. So logic is basically what people think is right, what people think is wrong, a set of rules or a set of intuitions that people think make sense. For instance, if you wake up today and it's extremely sunny and you tell your friend it's going to rain, he will tell you this is not logical, because this doesn't make any sense: there are no proofs for that, there is nothing that actually says that this will happen. So this is logic in real life.

Like everything, computer science actually relies very heavily on logic. So let's take a look at this code, for instance. The developer here just tried to create a very simple function that, given two numbers, will return the summation of those two numbers. Seemingly there is a typo here where, instead of using a plus sign to add them, he used the multiplication sign to multiply. So this code will compile, it will function correctly, there will be no problem, but the results here will actually not be expected: you add one to two and then you get two, because there is no addition, it's multiplication. So this is something like the simplest logical vulnerability that you can find. It's not a security-related bug; it's basically something that makes the code not useful for you. You're trying to add, but then you get to multiply.

Moving forward. As I told you, I've been a bug hunter for around six to seven years, and there is one thing that really frustrates bug hunters, which is duplicates. Duplicates are extremely frustrating. For those not coming from bug hunting backgrounds, let me tell you quickly what duplicates are. Duplicates are basically reporting security vulnerabilities or bugs to firms or companies and so on, and they tell you, "okay, we already know about this vulnerability, it's known internally, another researcher reported it", and so on. So you invest a long time searching for the vulnerability, writing a long report and so on, and you end up with nothing because somebody else was faster than you. And from my humble experience I can tell you that usually duplicates arrive from the people using the same tools all the time. So I'm not against automation, I extremely love automation, but there is something about it that makes it a little bit a cause of duplicates: people use exactly the same tools against exactly the same website, so they end up with the same results, they report it, and it's extremely rare, unless you are very lucky, that those vulnerabilities will be valid, because people report those all the time. So it's not a big chance at all.

The issue here is, if you ever got stuck before in the friend zone and you think it's a bad place to be, think about the duplicate zone, though. The duplicate zone is a horrible place to be. I have seen some great talents quit because they can't tolerate the amount of duplicates. And after thinking a little bit, I thought that the best way to get out of the duplicate zone is one of two ways. The first way is just be extremely tech savvy: take care studying, coding and so on, and dig deep into frameworks like Laravel, find zero days and report them. That's something that takes a lot of time, a lot of effort and so on. But there is an easier way to do it, which is just using your brain: get out of the code, get your eyes off the code, and start thinking what the application I'm testing is supposed to do, and what I can do to make it change that behavior.

So a very good example of that: if we take an e-commerce platform, for instance, you're just buying some goods and they're totaling 100, and now what you're doing is you're just going to check out. And then you think, okay, before I go to checkout I will just press buy and capture the request using a proxy like Burp Suite, for instance. So you do that, and then you find a very weird parameter in the code; this parameter is called the price. So you change the price from 100 to one dollar and allow the request to pass in peace, and then eventually you kind of find yourself buying all those goods for one dollar. And that's actually a huge vulnerability here: you are buying things for one dollar or point one dollar while they could cost thousands of dollars, because the developer didn't pay enough time to validate this point, to make sure that people won't tamper with it. He relied on front-end validations and so on, that he will be sending the parameter right away. So now this is one example of serious security vulnerabilities in e-commerce websites.

So before we go on to the case studies I would like to take some time to get a bit of theory, and let's borrow some definitions and theory from our friends at PortSwigger. They define business logic vulnerabilities as those vulnerabilities that can impact the business adversely. They are usually not easy to find and not easy to protect against, because they rely on the unique thinking of the attacker. It's about how people approach your application, how people think about this feature. You may see a seemingly very honest, innocent feature, and then this innocent feature can turn out to be devastating. For instance, one example of that is the reset password. The reset password is one of the most useful features; you just use it to reset your password whenever you forget it. So let's assume that you forgot your password the other day on example.com. You go to this reset password, you enter your email, you get an email, and the email has two fields: a user id and a token. So now you thought, as a security researcher, that the user id is an integer, and it seems to be incrementing integers, so what will happen if I just decrement it or increment it a little bit and see what happens? So you do that, you write your new password, and you find yourself in a totally different account than yours, and you have got a full account takeover just by manipulating that parameter. This is another example of a business logic vulnerability. The user, sorry, the developer here didn't take care that he should bind that specific token to that specific user id. He just checked, "is this token okay? Yes, it's okay", and it may be a very strong token with very strong cryptography that's not easily breakable, and then he just says, "okay, is this a valid user id?", and then just resets the password, and you've got a full account takeover that way.

Another very unique system that I have been hunting for long are the invitation systems. Hacking invitation systems is one of the examples of finding business logic vulnerabilities, and let's see how this goes. So here I'm talking about invitation systems using emails. You've got the invitation email. So let's assume that we have one of those social media platforms, and then you have something like a group structure where you can invite people to groups and so on, and the admin sent you an invitation to join the group. So the invitation looks something like example.com and contains some interesting parameters highlighted here: group id, sender id, member type, token and so on.

The first thing I would think when looking at this: I found the group id, and it's a numeric one, so what will happen if I change that group id? For instance, I change it from 123 to any other thing, maybe 122. Will I be able to join that group? If that happened, this is definitely a security vulnerability here, and it's not something that is tightly related to the code, because this will trigger no errors; it will just do it correctly, but you're not supposed to join the group. There is no check that prevents you from doing so.

If you have ever been on Clubhouse, for instance, you can see that when you join Clubhouse you will have something under your profile saying "you were invited by so and so". So here we have the sender id, and let's assume that this is an invitation to Clubhouse, and then you change the sender id to a celebrity's, and now this is the celebrity's account id, and you use this invitation link, and now it says on your profile that you were invited by the celebrity so and so. Now you can claim that you know that celebrity. This can help you extremely in fraud; it can help you to get reputation that's not yours, and so on and so forth, because again this is not a checked parameter.

In groups usually there are some kind of admins, moderators, members and so on, so the member type indicates which privileges you are having. So let's assume that you changed that one in the member type, and you'd like it to be a zero, or type it to be a two and so on, and you find yourself doing some privilege escalation. So instead of being a member I changed it, and now I'm an admin or I'm a moderator. So you have got some privilege escalation because member type, again, is just not checked. And then we can find the token, and the token usually can suffer from things like weak cryptography, can suffer from things like being brute-forceable, and so on and so forth.

This is about what we can see and observe in the link itself, but taking a step back and thinking about what's behind what we see, we can see that there are other examples where we can abuse this invitation system. For instance, let's assume that you send this invitation to your friend, and then you both can join the group using the same invitation. So you and your friend can join using the same invitation. Now let's assume that the group implies some kind of access control where the admin should approve you, but because the admin sent you the invitation it's already approved, and now you are using that invitation to invite others. So you are doing some kind of privilege escalation again, because you are approving people to groups and you shouldn't be allowed to do so.

Another very interesting example of abusing this is being able to use the invitation multiple times yourself. So you join the group, then you leave the group, you use the invitation, you join the group again, and so on. This can be extremely annoying, especially if an admin just threw you out of the group because you violated the rules and so on, and then you can just use the invite to get back in and there is nothing they can do. So this can get really bad here.

Some of you might think that this is purely theoretical and it might not exist in real life, but the case studies will prove you wrong. So we have two interesting case studies here. The first is about creating ghost users in Facebook groups, and the other is about how to become an invisible stalker on Instagram. So I have been spending a lot of time hunting invitation systems, especially that of Facebook groups, and I have found some interesting vulnerabilities that I will be sharing with you. So the idea of joining multiple times indeed existed: you could just use the same invitation link to join the group, leave the group, join the group and so on. So this indeed existed in Facebook; it was not just an imaginary vulnerability. Joining with friends also existed: you were able to join with your friends, you just shared the link and then you all joined at the same time, and the link would work perfectly; it doesn't really have any problems with that. So again, you violated the admin controls.

The most interesting one was joining as a ghost user. So Facebook has something like the preview mode in groups, where you actually appear to be seeing the group; you are not yet a member, but you are seeing the group to accept or reject the invitation. Usually this is intended just because you get an invitation, you go to the group, you see it, "okay, I'll join it", or not join it. But I was thinking, what will happen if I stayed in that preview mode? So seemingly there was an interesting security vulnerability: once you get in that preview mode by clicking on the invitation, you didn't accept and you didn't reject, you just previewed the group, now the invitation disappears from the admin panel of the group. They can't remove that invitation. At the same time you are not a group member, so you are stuck in the state where you can see the group, you can join it any time, but the admins can't remove you. So now you are a ghost user, and you can join any time, potentially see things that you are not authorized to see, because admins can't simply remove him.

So Facebook solved that by trying to do a lot of fixes, but one of the interesting fixes was actually removing the feature altogether from the new UI of Facebook. So I was thinking, is that a limit for me? So I no longer can exploit this vulnerability. But then I thought maybe I should look a bit into the application behind the front end. So I tried to create a normal invitation, not a group invitation, and send it to my proxy in Burp Suite, and I saw that the email parameter that I used to exploit was still there. It's not visible from the front end, but the back end still has it. So I thought, okay, maybe I will try it, and I submitted an email and I was able to actually invite somebody to join the group even though there's no feature like that in the front end, and the bugs were back to life because the back end system was still there. This is another logical vulnerability here: you just assume that whenever you remove the front end nobody knows about your back end system, nobody can exploit them. Security by obscurity doesn't always work, because people sometimes already know about it.

So that's about Facebook and invitation systems. Now we'll be having a look at Instagram and how to become an invisible stalker on Instagram. So stalkers nowadays changed from before: they no longer stand behind trees like that guy. Stalkers now usually use social media. So to be a stalker there are two main points that you do. You shouldn't be detected anyway; if people detected you, they would be anxious when dealing with you, and it wouldn't be really that nice at all. The second thing is you should have full, permanent access to your victim's social media; the more you are on their social media, the more you know about them, and the more you can achieve your bad stalking deeds, and then I can tell you "happy stalking", now you can do it.

So thinking about it, I was on Instagram that day and I was thinking, okay, so Instagram had this feature of blocking people and following them, like any social media platform. So I had that person that I didn't really like, so I thought about blocking them. So I just blocked them, and then I found something really interesting: when I blocked them, the follow button was still working. So there was still that follow button, so I think this is really weird: how can I block them and then I can just follow them? So I said okay, I will open my test account, I block my test account and follow it, and now the magic happens. You are blocking somebody, so they can't see you; you won't appear in their followers list or anything, but at the same time you are following them. So it's more or less that you are blocking them: they can't see you, they can't see your comments, they can't find you in the friends list and so on, but at the same time you are just in their followers list. You can see their pictures, you can see their friends, you can like their comments, and they will not even see that you liked them, and so on and so forth. So basically you are permanently there in their Instagram account; they have nothing to do, they don't know you even exist. So this was another example of a business logic vulnerability. It's not something that's triggering an error in the code; it's about thinking how somebody can block and follow at the same time. It doesn't make any sense.

So moving forward, I would like to share some final thoughts before I conclude this presentation. The first of which is how to kick off finding business logic vulnerabilities. So business logic vulnerabilities are not easy to find because they rely on your unique thinking. So I would encourage you to just use the application as a normal user. Avoid sending a ton of requests and automating everything before you have used the application. Use automation, but also use the application as a normal user: get to know which features are working, which features are not working, which features can be exploited. And the other thing that you can use to learn about business logic vulnerabilities: read previous reports. Reading previous reports is extremely helpful here. You can read them from things like HackerOne or otherwise, you're free to do so, but they have many insightful ideas about business logic vulnerabilities, and the nice thing is those flaws re-exist. So the invitation systems that I was talking about may exist in Twitter, they exist otherwise, they exist in nearly all social media platforms, so you can try the same way of thinking in other places and it may work for you. So yes, business logic can be reused: a vulnerability in an e-commerce website most probably can exist in others too. So that's another thing to do using business logic.

Now moving forward, about what I plan to do in the future. Although I'm not a big fan of automating things altogether, I think that automating is good once you get a grasp of the application. So I want to work on something like a framework that will incorporate everything that I have learned about business logic vulnerabilities, or the interesting vulnerabilities that I have come through, and try to automate finding them in other websites. So for instance, automating finding about the invitation system in other social media platforms or other platforms that use invitation systems.

So finally I would like to take this chance to thank my mentor at chembox. I would also thank you, Nicolas. I would also like to thank simbian, simo at zigo and at ceremetrix. Those people helped me a lot during my journey; they are extremely talented security researchers, and I would encourage you to invite them, sorry, to follow them, because they have very insightful tweets regarding security and so on. So that's about it. Thanks for watching, and if you have any questions I'll be glad to answer them now.

Host: That was great. So let's get to some questions. Our first question is from Social Engineer: so regarding invite, leave, invite, leave, invite, leave, which is, I think, your first example, could that lead to a type of denial of service or distributed denial of service against the application?

Ali Kabeel: To the best of my knowledge it's really hard to do so, because joining and leaving would just be mapped to something like adding an invitation to the database and removing it from the database, so it's really hard to do that at scale. Also, the fact that you need an invitation in the first place means that you will need a lot of different invitations to execute that at scale. So I don't think that the most abundant attack would be a denial of service or distributed denial of service in that case.

Host: Sure, yeah, that's an edge case. It's doable, but it'd have to be a pretty slim edge case, I would think.

Ali Kabeel: Yes, and it really depends on how invitations are stored. If they are not removed when the person just goes out of the group, so we are kind of filling up the database with junk invitations, in that case it may lead to some kind of denial of service attack here.

Host: Sure, okay. You talk about finding business logic issues in the back end even though features have been removed in the front end. How often would you find an issue in the back end versus the front end, would you say?

Ali Kabeel: More often than people would think, because usually when a feature is removed or when the front end changed, the back end is not cleaned completely, so sometimes endpoints are still exposed in the back end. So this happens multiple times, but actually I know that the front end endpoint exists and I already tested it, so I have some knowledge of the endpoint or the request structure and so on, and when I submit it again it actually works even though it no longer exists in the front end.

Host: Okay, what about, so to sort of follow up to that question, I mean, it's one thing to find an issue with, you know, functionality that remains in the back end despite the code being removed from the front end. What about things like undocumented API hooks, where there used to be functionality or there used to be a feature that was supported by a company in a framework, and they've deprecated it but it still exists? How often do you find stuff like that?

Ali Kabeel: It's really not straightforward to find; you will have to dig deep into the application, so it's not as common as already knowing the endpoint. But yes, of course it happens, but you need to dig into something like the Wayback Machine and put together endpoints that are deprecated and are not present now. So you need to do a lot more work when it's not documented. Usually the easiest way to do it is just visiting old documentation, so if old documentation exists and this endpoint was there, maybe you can find something worth looking at.

Host: Sure, sure. So you've focused in this talk on Facebook and on Instagram. What's piquing your interest now? Where have you been looking?

Ali Kabeel: Actually, I've been looking into Snapchat for a pretty long time. There are a lot of things that I've actually managed to exploit there; most of them are not yet published, but one thing that's really interesting about Snapchat's systems is what they call second order denial of service attacks. Second order denial of service attacks are basically attacks where the attacker can store junk data in the database in huge amounts, and then if this database is shared with other users, you can just cause the denial of service effect to this user when they try to retrieve the data, because they are receiving a huge amount of data. So basically the attack is as simple as filling the database with a lot of information, and then when the user tries to retrieve this data the request takes a lot of time and it times out, so they are denied from entering the

Host: I would imagine that could also lead to other issues related to concurrency and disk usage and stuff like that.

Ali Kabeel: I'm sorry, I didn't get it.

Host: As a result of not only just filling the database with junk data and making the application take time to retrieve it, I could see that also running into issues of database concurrency as well as disk usage, resource utilization. Well, one thing that you had mentioned to me prior to us coming on for Q&A was the proof of concepts for those vulnerabilities. Would you like to talk about where we could find those?

Ali Kabeel: Yes, of course. All the vulnerabilities covered in the talk can be found on the security blog; security is the company where I work at now as an application security intern, so they are documented with videos there. I will be posting the link directly on Twitter after this talk so people can find it easily, also on the Discord channel of course.

Host: Excellent. Well, thank you so much, this has been a great talk. You know, business logic is always something that's overlooked, and yet it's, you know, the underpinnings of everything we do, so it was, I think, very well received and I really appreciated it. Thank you so much.

Ali Kabeel: Great, thank you so much, it's a pleasure to be with you.

Host: Sure, absolutely.
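The invitation-link and password-reset flaws described in the talk come down to one server-side mistake: the token is checked on its own, and the identifiers sitting beside it in the link (group id, sender id, member type, user id) are trusted as sent, and nothing consumes the token once it is used. The Python below is an added example written for this page, not code from the talk or from any platform it discusses; every class, function and field name (VulnerableInvites, HardenedInvites, make_reset_link, nonce, ...) and the demo key are hypothetical. It places the unbound pattern beside a hardened one in which the token is an HMAC over every field it protects, is single-use, expires, and stays listed and revocable in the admin's pending list until accepted (the ghost-user case). The same helper covers the password-reset case, where the token is bound to the user id it was issued for.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed demo key; a real deployment keeps this in a secrets manager.
SECRET = b"constructed-demo-key-not-for-production"

def _sign(*fields) -> str:
    """HMAC over every field a link must protect: editing any one of them
    (group id, sender id, member type, nonce, user id) invalidates the token."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

# --- The pattern the talk describes: a strong token that protects nothing ---
class VulnerableInvites:
    def __init__(self):
        self.valid_tokens = set()

    def create(self, group_id, sender_id, member_type):
        token = secrets.token_hex(16)   # unguessable, but bound to nothing
        self.valid_tokens.add(token)
        return {"group_id": group_id, "sender_id": sender_id,
                "member_type": member_type, "token": token}

    def redeem(self, params, user_id):
        if params["token"] not in self.valid_tokens:
            return None
        # group_id / sender_id / member_type are trusted straight from the URL,
        # and the token is never consumed, so the same link works for a friend.
        return {"user": user_id, "group": params["group_id"],
                "invited_by": params["sender_id"], "role": params["member_type"]}

# --- Hardened: bound, single-use, expiring, revocable while still pending ---
@dataclass
class Invite:
    group_id: int
    sender_id: int
    member_type: str
    nonce: str
    expires: float
    state: str = "pending"   # pending -> accepted | revoked

class HardenedInvites:
    def __init__(self):
        self.by_nonce = {}

    def create(self, group_id, sender_id, member_type, ttl=7 * 86400):
        nonce = secrets.token_hex(16)
        self.by_nonce[nonce] = Invite(group_id, sender_id, member_type,
                                      nonce, time.time() + ttl)
        return {"group_id": group_id, "sender_id": sender_id,
                "member_type": member_type, "nonce": nonce,
                "token": _sign(group_id, sender_id, member_type, nonce)}

    def redeem(self, params, user_id, now=None):
        now = time.time() if now is None else now
        expected = _sign(params["group_id"], params["sender_id"],
                         params["member_type"], params["nonce"])
        if not hmac.compare_digest(expected, params["token"]):
            return None                 # any edited field breaks the MAC
        inv = self.by_nonce.get(params["nonce"])
        if inv is None or inv.state != "pending" or now > inv.expires:
            return None                 # reused, revoked or expired
        inv.state = "accepted"          # single use: sharing and re-joining fail
        # Authorize from the stored record, never from the URL parameters.
        return {"user": user_id, "group": inv.group_id,
                "invited_by": inv.sender_id, "role": inv.member_type}

    def pending_for_group(self, group_id):
        # What the admin panel lists; previewing a link does not remove it.
        return [n for n, i in self.by_nonce.items()
                if i.group_id == group_id and i.state == "pending"]

    def revoke(self, nonce):
        inv = self.by_nonce.get(nonce)
        if inv is None or inv.state != "pending":
            return False
        inv.state = "revoked"
        return True

# --- Password reset: same helper, token bound to the user id it was issued for ---
_reset_nonces = {}

def make_reset_link(user_id, ttl=900):
    nonce = secrets.token_hex(16)
    _reset_nonces[nonce] = (user_id, time.time() + ttl)
    return {"user_id": user_id, "nonce": nonce,
            "token": _sign("reset", user_id, nonce)}

def reset_password(params, new_password, now=None):
    now = time.time() if now is None else now
    expected = _sign("reset", params["user_id"], params["nonce"])
    if not hmac.compare_digest(expected, params["token"]):
        return False                    # token was issued for a different user id
    issued = _reset_nonces.pop(params["nonce"], None)   # single use
    if issued is None or issued[0] != params["user_id"] or now > issued[1]:
        return False
    return True   # the real handler would store the new password hash here
```

Usage: `HardenedInvites().create(123, 1, "member")` yields a link whose `token` only verifies for exactly that group, sender and role; changing `group_id` to 122 or `member_type` to `"admin"` makes `redeem` return `None`, a second `redeem` of the same link also returns `None`, and an admin can `revoke` any nonce still in `pending_for_group`. With `VulnerableInvites` the same edits are accepted, which is the behaviour the talk describes.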