Business Logic Data Validation

Use Burp Suite‘s Repeater module to submit unconventional values, like input in ranges that legitimate users are unlikely to ever enter. This includes exceptionally high or exceptionally low numeric inputs and abnormally long strings for text-based fields. You can even try unexpected data types. By observing the application’s response, you should try and answer the following questions:

  • Are there any limits that are imposed on the data?
  • What happens when you reach those limits?
  • Is any transformation or normalization being performed on your input?

Mandatory Inputs

Try removing each parameter in turn and observe what effect this has on the response. You should make sure to:

  • Only remove one parameter at a time to ensure all relevant code paths are reached.
  • Try deleting the name of the parameter as well as the value. The server will typically handle both cases differently.
  • Follow multi-stage processes through to completion. Sometimes tampering with a parameter in one step will have an effect on another step further along in the workflow.

This applies to both URL and POST parameters, and check the cookies too. This simple process can reveal some bizarre application behavior that may be exploitable.

Workflow

Try skipping steps in the normal workflow. Observe the normal flow of requests, and then try executing actions by skipping some requests. For example, skip steps in the checkout of an online store to buy without having the funds.