How I Got My First Logic Bug and How to Find Them

Peace be upon you

Assalamualaikum, everyone! Let me introduce myself first ❤️

I’m Hazem El-Sayed (zoma), a junior Computer Science student and an offensive security enthusiast. Currently, I’m hunting for bugs in Vulnerability Disclosure Programs (VDPs), and sometimes in Bug Bounty Programs (BBPs), like our bug today, alhamdulillah. I also enjoy playing Capture the Flag (CTF) on various platforms like HTB, Cyber Talents, and PicoCTF to gain knowledge.

The bug I’m going to discuss hasn’t been fixed yet, so I won’t reveal the website’s name. Let’s just call it freepalestine.com.


Why Look for Logic Bugs?

I’m just beginning my bug hunting journey with real applications. When I started hunting on freepalestine.com, I decided to focus on logic bugs. Other bug hunters usually look for common bugs like XSS, SQL injection, CSRF, etc., and most use scanners to find them, so the site is relatively clean of the vulnerability types other hackers have already discovered.

In our target, the scope includes only two sites. Guess what? There were over 750 accepted reports in the program! Even with all that scrutiny, I found a simple logic bug that no one else had noticed.

Do you know why?!

Because I am a HACKERMAN ❤️ 👽


Just kidding, I’m just a noob 😅.

But seriously, you should also focus on logic bugs. Unlike traditional bugs, logic bugs require unique thinking rather than tools or pre-defined payload lists in Burp Intruder. If you rely solely on those, you’re missing out on discovering more complex and interesting vulnerabilities.

How to Hunt for Logic Bugs: Key Steps

  1. Start Using the Application as a Normal User

    Begin by exploring the application as a regular user. Understand its functionalities and interesting features, and try to find engineering blogs or documentation if available.

  2. Understand the Application’s Purpose and Workflow

    Answer these questions while exploring:

    • What is the purpose of the application?

    • Does it have different user roles (e.g., admin, proUser, normalUser)?

    • How does the application authenticate users and assign privileges?

    • What workflows are involved for features like email change, password change, purchase, etc.?

    Note: Intercept requests while browsing and pay attention to sensitive functionalities. Track each request during these actions to understand how the functionality and its access controls are implemented.

  3. Think Outside the Box

    After understanding the application’s behavior, try to think outside the box. What would happen if you skipped a step or took an unexpected action? Could you access an admin endpoint as a normal user? Think creatively to bypass access controls or interfere with application logic.

Example Bug: Workflow and Description

On freepalestine.com (a store like Amazon or Alibaba), users can either buy products as normal accounts or sell them as sellers.

The bug is related to changing the user’s email and mobile number.

Normal Workflow:

  1. User clicks on "change email" in settings at freepalestine.com/user/profile.
  2. Application verifies the user at freepalestine.com/user/verification-pc.
  3. Checks if the password is correct.
  4. If correct, returns to freepalestine.com/profile/email/change.
  5. The user can change their email on the opened page.

Logic Bypass: What if we jumped from step 2 to step 5 directly?

The /verification-pc endpoint has a return parameter that leads back to the email change page:

freepalestine.com/user/verification-pc?return=https%3A%2F%2Ffreepalestine.com%2Fprofile%2Femail%2Fchange

By decoding the return parameter, I accessed freepalestine.com/profile/email/change directly, without entering the password, and was able to change the email. The change page trusted that the browser had come through the verification step instead of checking for itself. This simple bug could enable a session hijacking attack if chained with another exploit.

The mobile change follows the same logic, so I won’t repeat it here.
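The gap behind this bypass, as an added example that is not the site's code: a stand-alone Python model of the two endpoints, first as the post describes them (the change page only checks that a user is logged in and trusts that the browser arrived via the verification step) and then with a server-side re-authentication check that closes it. The function names, the 300-second window, the one-shot reset and the demo account are assumptions.

```python
import hmac
import time

# Constructed demo data: one account with a plaintext password for brevity.
# A real application would store and compare a password hash instead.
USERS = {"alice": {"password": "correct-horse", "email": "alice@example.com"}}

# How long a successful password check stays valid for sensitive actions.
REAUTH_WINDOW_SECONDS = 300

VERIFY_URL = "/user/verification-pc?return=%2Fprofile%2Femail%2Fchange"


def verify_password(session, password, now=None):
    """Steps 2-3: /user/verification-pc. On success, record the time of the
    check in the *server-side* session so later steps can verify it."""
    now = time.time() if now is None else now
    user = USERS[session["user"]]
    # constant-time compare so timing does not leak the password length/prefix
    if not hmac.compare_digest(user["password"], password):
        return {"status": 403, "body": "wrong password"}
    session["reauth_at"] = now
    return {"status": 302, "location": "/profile/email/change"}


def change_email_vulnerable(session, new_email):
    """Step 5 as the post describes it: nothing ties this request to a
    completed step 2, so requesting the page directly skips the password."""
    USERS[session["user"]]["email"] = new_email
    return {"status": 200, "body": "email changed"}


def change_email_hardened(session, new_email, now=None):
    """Step 5 with its own gate: the endpoint requires a recent password
    verification in the session; a direct visit is bounced back to step 2."""
    now = time.time() if now is None else now
    reauth_at = session.get("reauth_at")
    if reauth_at is None or now - reauth_at > REAUTH_WINDOW_SECONDS:
        return {"status": 302, "location": VERIFY_URL}
    # one-shot: the next sensitive action needs a fresh password check
    del session["reauth_at"]
    USERS[session["user"]]["email"] = new_email
    return {"status": 200, "body": "email changed"}


if __name__ == "__main__":
    s = {"user": "alice"}  # logged in, never visited verification-pc
    print("vulnerable:", change_email_vulnerable(s, "x@example.com")["status"])
    print("hardened:", change_email_hardened(s, "y@example.com")["status"])
```

The vulnerable path prints 200 for a session that never passed the password check, while the hardened path prints 302 and sends the user to the verification page.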

Impact and Resolution

The security team initially rated it High Severity but then downgraded it to Medium because:

"This behavior alone doesn’t result in a security impact. However, it could elevate the impact if paired with another exploit, like session hijacking."

I agree with this assessment, so I’m not disappointed 😢.


Closing Thoughts

I hope this example helped, even if in a small way. Remember to always think creatively when hunting for bugs.

Just one thing to say: Remember Allah, my Muslim brother.