Case Files: Outbidding

In my previous post, we witnessed a vendor partnership flaw that was exploited. Let us now situate ourselves in an online auction event.

Online auctions offer buyers and sellers of a wide variety of goods an enormous platform for trade. Just like local auctions, there are sellers and bidders and winners and losers. Winners are expected to pay for what they bid on at the conclusion of the auction.

At online auctions, you will be required to register before you can buy or sell an item(s). Registration is required to track items you bid on or sell, keep up with the bids, determine the winning bids and build a database on seller and bidder feedback.

A normal workflow initiated by a consumer on such a platform would entail

  1. The user creates an account — system verifies if userId is unique and creates an account.
  2. User logs in the account using the account credentials — active session on the portal is established
  3. User view page displaying an item of interest along with all active bidders associated with the item
  4. User participates in an existing auction by placing a bid — system calculates the number of active bidders and add a new bid to the scheduled time
  5. User wins or loses a bid — receives a confirmation to enter credit card information
  6. User is asked to enter credit card information — system validates credit card, debits amount and item is shipped
  7. User logs out — the active session is deleted

One of the several ways to abuse this workflow is depicted below

  1. Hacker creates an account and logs in
  2. Hacker views page displaying item of interest
  3. Hacker enters into an auction by bidding for the lowest price
  4. Hacker collects usernames of bidders displayed on the page
  5. Hacker launches brute force attack on all usernames via the login screen
  6. Hacker wins the bid at the lowest price

What are these conditions that led to this flaw to be exploited?

  1. Bidder usernames were displayed in cleartext on the item page — sensitive information disclosure
  2. A brute force led to account lockout — even legitimate users are not allowed to log in for a period of time
  3. Account lockout terminated any active session
  4. Session termination deletes current user data

Suggested fixes and checks to mitigate this flaw

  1. Apply CAPTCHA instead of rate-limited account lockout
  2. Disable active session termination
  3. Do not display active bidders on the item page — use redaction or pseudonyms

Ironically, this is one of those types of flaws that’s all but impossible for an automated web application vulnerability scanner to find.

How can such flaws be identified and thereafter avoided?

Is there a human-assisted expert system available to check your specific application belonging to a specific business domain for design flaws that can be exploited?

Yes, such a system does exist. ShiftLeft’s Ocular is a platform built over the foundational Code Property Graph that is uniquely positioned to deliver a specification model to query for vulnerable conditions, business logic flaws and insider attacks that might exist in your application’s codebase.

To request a free trial and demo, please signup at https://www.shiftleft.io/ocular/


Case Files: Outbidding was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/case-files-outbidding-428f41f4b99d?source=rss—-86a4f941c7da—4