Logic flaws

owasptop10

A logic flaw occurs when a programmer assumes that users will always do what they expect, and fails to handle the scenarios in which they don't.

  • The user visits the "payment" page before the "checkout" page
  • The user sends the form manually instead of using the HTML form

A more concrete example: if the developer used an HTML SELECT tag with a list of countries, they may not check the submitted value, as they expect it to be within their list of countries.


PHP $_REQUEST logic flaw

authenticationbypass

The PHP variable $_REQUEST is sometimes used to access $_GET and $_POST. It's a merge of both; in case of a conflict, $_POST values win.

It may be used for convenience, for instance when chaining a $_POST form after a $_GET form. The problem is that if someone manually adds key/values to $_POST, they can overwrite values from $_GET.

There is a logic flaw if the developer does not re-check previously checked values, such as the previous form's $_GET values, assuming that once checked they are "safe".

Illustration 🌺

The first form uses GET. The developer checks the parameter n ✅.

$ curl 'URL/step1?n=5'

In the second form, the user submits a value in a POST form. The developer only checks the new value square ❌.

$ curl 'URL/step2?n=5' -d 'square=36'

But if the user sends:

$ curl 'URL/step2?n=5' -d 'square=36&n=6'

then $_REQUEST['n'] contains 6, an unchecked value.
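The two-step flow above as a single PHP script, added here as an example (not code from the original notes). It simulates the default request_order "GP" merge and puts the vulnerable step 2 next to a hardened one; the function names, the range check on n and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

/** Validation the developer performs in step 1: n must be a small positive integer. */
function checkN(string $n): bool
{
    return ctype_digit($n) && (int)$n >= 1 && (int)$n <= 10;
}

/** Vulnerable step 2: trusts $_REQUEST['n'] because "step 1 already checked it". */
function step2Vulnerable(array $request): string
{
    $n = $request['n'] ?? '';           // may come from POST, never re-checked
    $square = $request['square'] ?? '';
    if (!ctype_digit($square)) {
        return 'bad square';
    }
    return ((int)$square === (int)$n * (int)$n) ? "ok n=$n" : "wrong n=$n";
}

/** Hardened step 2: reads n from the array it is expected in and re-validates it. */
function step2Hardened(array $get, array $post): string
{
    $n = $get['n'] ?? '';
    $square = $post['square'] ?? '';
    if (!checkN($n) || !ctype_digit($square)) {
        return 'bad input';
    }
    return ((int)$square === (int)$n * (int)$n) ? "ok n=$n" : "wrong n=$n";
}

// Constructed request, matching the third curl above: ?n=5 in the URL, square=36&n=6 in the body.
$get  = ['n' => '5'];
$post = ['square' => '36', 'n' => '6'];
// With request_order "GP", PHP builds $_REQUEST as GET first, then POST on top.
$request = array_merge($get, $post);

echo step2Vulnerable($request), PHP_EOL;   // the POSTed n=6 is accepted without any check
echo step2Hardened($get, $post), PHP_EOL;  // n is read from GET and checked again
```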


Random Notes

Client-Side Logic

http_post

While uncommon, if the logic is client-side and only the result is sent to the server, we can do whatever we want.

PHP Register Globals

php_register_globals

This feature is deprecated since PHP 5.3.0, and is mostly present with PHP < 4.1 or if the developers tried to reproduce this behavior. Basically, global variables such as $_GET['param'] are mapped to a variable, e.g. $param in this case. It means we can override the value of a variable if we know the variable's name.

We can also directly edit session variables with URL?_SESSION[xxx]=yyy.

Execution After Redirect (EAR)

http_improper_redirect

It occurs when a user is redirected, but if they don't follow the redirection, they can still access the page.

In PHP, it occurs if the developer forgot to call exit after the redirect, as any code after the redirection is still executed.

You can use ncat to read a page without being redirected.

$ nc domain 80
GET /URI HTTP/1.1
Host: domain