Owasp Birmingham May2024 Ecommerce Testing
Soroush Dalili
AppSec security testing & code review
Research & training
SecProject director, ex MDSec & NCC Group
LinkedIn: https://www.linkedin.com/in/sdalili/
X (Twitter): https://x.com/irsdl
Blog: https://soroush.me/
Agenda
Price Manipulation
Currency Manipulation
Quantity Manipulation
Shipping Address and Post Method Manipulation
Additional Costs Manipulation
Response Manipulation
Repeating an Input Parameter Multiple Times
Omitting an Input Parameter or its Value
Mass Assignment, Autobinding, or Object Injection
Monitor the Behaviour while Changing Parameters to Detect Logical Flaws
Server-side parameter injection/pollution
TOCTOU & Race Condition Issues
Transferring money
Buying items simultaneously
Changing the order upon payment completion
Changing the order after payment completion
Change the basket now!
For real life?!
Example 2: TOCTOU with Race Condition
Demo: Using Burp Suite
Authorising multiple requests?
Study Race Conditions More?
https://portswigger.net/web-security/race-conditions
Think about using multi sessions / multi devices
Review how rate limit has been implemented
Avoiding TOCTOU & Race Conditions
https://www.federalregister.gov/documents/2015/05/01/2015-10066/airworthiness-directives-the-boeing-company-airplanes
https://play.secdim.com/game/typescript/challenge/integer-overflowts/
https://play.secdim.com/game/go/challenge/integer-overflowgo/
Some more examples:
https://play.secdim.com/browse?cwe=wrap-around-error
Thank you! Any questions?
See https://soroush.me/downloadable/common-security-issues-in-financially-orientated-web-applications.pdf and its references
https://soroush.me/blog/2019/04/how-to-win-big-and-even-more/
https://portswigger.net/web-security/race-conditions