A Real-World Web Application Penetration Testing Story | Small Mistakes Lead to Major Logic Flaws
Greetings, dear Medium community! These days I have plenty of opportunity to take part in real-world engagements because of my exam period. In one of our recent attempts, I discovered two logic flaw vulnerabilities that significantly affected the companies' running business. I did not even consider whether they store confidential data in databases or use an API to query the relevant information for clients. Today I would like to talk about my two recent experiences with logic flaw vulnerabilities that resulted in sending SMS to anyone with a Turkish phone number. Although the SMS utility has rate limits, it was not hard to bypass its restrictions with the help of SMS gateways, or by directly abusing it to send everybody SMS through the browser. From this point, understanding whether the application enforces its limitations on the server side is highly important for deciding on our methodology. The most interesting part is that neither application properly checked the user's identity via its input fields.
Categorizing each scenario will make the material easier to follow.
Content of Concepts based on Non-Validated Input Fields
- Identity Number and Phone Number
- Identity Number, Phone Number, Date of Birth