A Unicode case mapping collision is a business logic flaw that, at its core, can lead to takeover of accounts not protected by 2FA. The collision arises when two distinct characters become identical after case conversion: the Turkish dotless ı (U+0131), for example, uppercases to the ASCII letter I, so an application that compares e-mail addresses case-insensitively will treat an attacker-supplied address as equal to the victim's. To illustrate the vulnerability in question, let's look at an example of this bug in a real code snippet:
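As an added example (not code from the original page, and not GitHub's code), the following Python enumerates the non-ASCII characters whose case mapping collides with an ASCII letter, then contrasts a forgot-password flow that mails the address the requester typed with one that mails only the address on record. The account store, the addresses and the function names are constructed for illustration.

```python
import unicodedata


def find_case_collisions():
    """Scan every code point for non-ASCII characters whose simple upper- or
    lower-case mapping is a single ASCII letter. These characters let an
    attacker-controlled string compare equal to a victim's ASCII string after
    case normalization (e.g. U+0131 'ı' -> 'I', U+017F 'ſ' -> 'S',
    U+212A KELVIN SIGN -> 'k')."""
    collisions = {}
    for cp in range(0x80, 0x110000):
        ch = chr(cp)
        for mapped in (ch.upper(), ch.lower()):
            if len(mapped) == 1 and mapped.isascii() and mapped.isalpha():
                collisions[ch] = mapped
    return collisions


def normalized(s):
    """NFKC folds compatibility characters such as the Kelvin sign to 'K', but
    it does not touch the dotless i, so normalization alone is not a fix."""
    return unicodedata.normalize("NFKC", s)


# Constructed account store (sample data, not a real user).
ACCOUNTS = {"john@github.com": {"id": 1, "email": "john@github.com"}}


def find_account_case_insensitive(submitted):
    """Case-insensitive e-mail lookup of the kind many applications use.
    Uppercasing both sides is where the collision happens: 'gıthub' and
    'github' both become 'GITHUB'."""
    key = submitted.upper()
    for stored, acct in ACCOUNTS.items():
        if stored.upper() == key:
            return acct
    return None


def vulnerable_reset(submitted):
    """Flawed flow: the account is matched by case-insensitive comparison and
    the reset link is mailed to the address the requester typed, which the
    attacker controls."""
    acct = find_account_case_insensitive(submitted)
    if acct is None:
        return None
    return {"account": acct["id"], "sent_to": submitted}


def hardened_reset(submitted):
    """Fixed flow: the reset link goes only to the address stored on the
    account, so a collision can at most trigger a reset mail to the
    legitimate owner."""
    acct = find_account_case_insensitive(submitted)
    if acct is None:
        return None
    return {"account": acct["id"], "sent_to": acct["email"]}


if __name__ == "__main__":
    attacker = "john@g\u0131thub.com"  # dotless i in the domain
    print(len(find_case_collisions()), "colliding characters found")
    print("vulnerable:", vulnerable_reset(attacker))
    print("hardened:  ", hardened_reset(attacker))
```

The full scan of the code space takes a second or two; in a real service you would instead reject or normalize such characters at registration and at every lookup, but the check that actually closes the account-takeover path is the one in `hardened_reset`: never derive the recipient of a reset mail from request input.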
Web applications have become part of everyday life, handling important tasks and sensitive information. Many tools check application code for implementation-level vulnerabilities, but they are often blind to flaws caused by violations of design-level assumptions, and fixing such flaws after deployment is costly. In this work, we seek to identify business logic flaws, that is, design-level flaws, early by generating security tests during the design phase from software artifacts that already exist. Specifically, we take use case scenarios and automatically generate misuse case scenarios from them based on user-defined design constraints. By running those misuse case scenarios with the test code already written for the functional use cases, we can discover potential design flaws during the coding phase. We apply our approach to two widely used open-source applications that have high-quality feature files. Running our generated misuse case scenarios discovers, and hence could have prevented, seven flaws. Several of them were fixed only in hindsight, after someone stumbled upon a bug; the remaining ones are new issues.
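To make the idea of deriving misuse case scenarios from use case scenarios concrete, here is an added example in Python (not the paper's tool, and not code from any of the applications it studied). It parses a small constructed Gherkin feature file, applies a hypothetical design constraint of the form "only this role may perform this action", and emits one misuse scenario per disallowed role that can be run with the same step definitions as the functional scenario. The feature text, constraint format and step wording are all assumptions made for the illustration.

```python
import re

# Constructed feature file in Gherkin style (sample input, not from the paper).
FEATURE = """Feature: Project deletion
  Scenario: Owner deletes a project
    Given I am logged in as the project owner
    When I delete the project "demo"
    Then the project "demo" should no longer exist
"""

# Hypothetical user-defined design constraint: the action matched by
# `action` may only be performed by `allowed_role`; every role in
# `other_roles` must be rejected.
CONSTRAINTS = [
    {
        "action": r"delete the project",
        "allowed_role": "the project owner",
        "other_roles": ["a collaborator", "an anonymous user"],
    }
]

STEP_RE = re.compile(r"^(Given|When|Then|And|But)\b")


def parse_scenarios(feature_text):
    """Collect each Scenario's name and its step lines."""
    scenarios, current = [], None
    for raw in feature_text.splitlines():
        line = raw.strip()
        if line.startswith("Scenario:"):
            current = {"name": line[len("Scenario:"):].strip(), "steps": []}
            scenarios.append(current)
        elif current is not None and STEP_RE.match(line):
            current["steps"].append(line)
    return scenarios


def generate_misuse_cases(scenarios, constraints):
    """For every scenario whose When step matches a constrained action,
    produce a variant per disallowed role: the Given step is rewritten to
    that role and the Then step is replaced by the expected rejection."""
    misuse = []
    for sc in scenarios:
        for c in constraints:
            when_steps = [s for s in sc["steps"] if s.startswith("When")]
            if not any(re.search(c["action"], s) for s in when_steps):
                continue
            for role in c["other_roles"]:
                steps = []
                for s in sc["steps"]:
                    if s.startswith("Given") and c["allowed_role"] in s:
                        steps.append(s.replace(c["allowed_role"], role))
                    elif s.startswith("Then"):
                        steps.append('Then the request should be rejected as "forbidden"')
                    else:
                        steps.append(s)
                misuse.append({"name": f"Misuse: {role} tries to {c['action']}", "steps": steps})
    return misuse


def render(scenarios):
    """Emit the scenarios as Gherkin text so the existing step definitions run them."""
    out = []
    for sc in scenarios:
        out.append(f"  Scenario: {sc['name']}")
        out.extend(f"    {s}" for s in sc["steps"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(generate_misuse_cases(parse_scenarios(FEATURE), CONSTRAINTS)))
```

The generated scenarios reuse the application's own step definitions; the only new step a team must implement is the rejection assertion, which is why the approach costs little once functional feature files exist.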
Case Study : Exploiting a Business Logic Flaw with GitHub’s Forgot Password workflow (discovered b