This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "Test for Process Timing (OTG-BUSLOGIC-004)"

Revision as of 03:32, 17 December 2013

Brief Description

Attackers may be able to gather information about an application by monitoring the time it takes to complete a task or return a response. Attackers can also manipulate and break designed business process flows simply by keeping active sessions open and not submitting their transactions within the expected time frame.

Process timing logic vulnerabilities are unique in that the manual misuse cases must be created with the application-specific execution and transaction timing in mind.

Issue

Processing time may leak information about what the application or system is doing in its background processes. If users can infer what the next outcome will be from variations in processing time, they can adjust their behaviour accordingly and act on that expectation.

Example

Example 1

Video gambling or slot machines may take longer to process a transaction just prior to a large payout. This would allow astute gamblers to bet minimum amounts until they observe the longer processing time, which would then prompt them to bet the maximum.


Example 2

Many arenas and travel agencies have ticketing applications that allow users to purchase tickets and reserve seats. When a user requests tickets, the seats are locked or reserved pending payment. What if an attacker keeps reserving seats but never checks out? Will the seats be released, or will no tickets be sold?


Example 3

Suppose a precious metals e-commerce site allows users to make purchases at a price quote based on the market price at the time they log in. What if an attacker logs in and places an order, but completes the transaction only later in the day, and only if the price of the metals has gone up?
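
As an added illustration of Examples 2 and 3 (example code written for this page, not from the OWASP guide), the following Python simulates a hypothetical ticketing back end. It shows the misuse case of reserving every seat without paying against two designs: holds that never expire, and holds released after a time limit (the 10-minute hold TTL, the 5-minute quote validity window, and all names are assumptions). It also shows the login-time price quote from Example 3 being re-validated at checkout instead of being honoured all day.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical ticketing back end modelled on Example 2; the TTL values are
# assumptions chosen for the illustration, not figures from the guide.
HOLD_TTL_S = 600.0     # seat holds not paid for within 10 minutes are released
QUOTE_TTL_S = 300.0    # a login-time price quote is honoured for 5 minutes


@dataclass
class Hold:
    seat: str
    owner: str
    placed_at: float


@dataclass
class Inventory:
    seats: Set[str]
    hold_ttl_s: Optional[float]            # None models holds that never expire
    holds: Dict[str, Hold] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Release holds older than the TTL. With hold_ttl_s=None nothing is
        ever released, which is the weakness Example 2 asks about."""
        if self.hold_ttl_s is None:
            return
        for seat, hold in list(self.holds.items()):
            if now - hold.placed_at >= self.hold_ttl_s:
                del self.holds[seat]

    def available(self, now: float) -> Set[str]:
        self._expire(now)
        return self.seats - set(self.holds)

    def reserve(self, seat: str, owner: str, now: float) -> bool:
        if seat not in self.available(now):
            return False
        self.holds[seat] = Hold(seat, owner, now)
        return True

    def checkout(self, seat: str, owner: str, now: float) -> bool:
        """Sell the seat only if the buyer still has a live hold on it."""
        self._expire(now)
        hold = self.holds.get(seat)
        if hold is None or hold.owner != owner:
            return False
        del self.holds[seat]
        self.seats.discard(seat)
        return True


def starve_inventory(inv: Inventory, attacker: str, now: float) -> int:
    """Misuse case from Example 2: reserve every free seat and never pay.
    Returns the number of seats a legitimate buyer can still see."""
    for seat in sorted(inv.available(now)):
        inv.reserve(seat, attacker, now)
    return len(inv.available(now))


def price_at_checkout(quoted_price: float, quoted_at: float,
                      market_price_now: float, now: float) -> float:
    """Example 3: honour the login-time quote only within its validity window;
    after that the order is re-priced at the current market rate, so waiting
    for the market to move gains the attacker nothing."""
    if now - quoted_at <= QUOTE_TTL_S:
        return quoted_price
    return market_price_now


if __name__ == "__main__":
    t0 = time.time()
    inv = Inventory(seats={"A1", "A2", "A3"}, hold_ttl_s=HOLD_TTL_S)
    print("seats left after the attacker reserves everything:",
          starve_inventory(inv, "attacker", t0))
    print("seats visible to a buyer after the hold TTL:",
          sorted(inv.available(t0 + HOLD_TTL_S)))
```

The point to test for is the second check in checkout: the hold must still be live when payment is taken, not just when the seat was first reserved, otherwise an attacker who sat on a reservation past the limit can still complete it. The lengths of the windows are a business decision; what matters for the test is that a window exists and is enforced server-side.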

Testing Method

• Review the project documentation and use exploratory testing to look for application or system functionality that may be affected by time: execution times that help users predict a future outcome, or actions that allow a user to circumvent part of the business logic or workflow, for example by not completing a transaction within the expected time.

• Develop and execute the misuse cases.

Test Tools

None

Related Test Cases

4.7.2 Testing for Cookies attributes (OTG-SESS-002)

4.7.8 Test Session Timeout (OTG-SESS-008)

4.11.1 Test time synchronization (OTG-LOG-001)

4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004)

References

None

Remediation

Develop applications with processing time in mind. If attackers could gain any advantage from knowing how long different operations take to produce their results, add extra steps or padding so that, whatever the result, the response is returned in the same time frame. For the workflow cases in Examples 2 and 3, enforce the expected time frame on the server side: release reservations that are not paid for within a defined period and re-validate quoted prices at checkout rather than honouring a quote indefinitely.
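
The following Python is an added example (written for this page, not from the OWASP guide) covering both the Testing Method and the Remediation above. It simulates Example 1 with a hypothetical handler whose processing time depends on whether a large payout is pending, runs the tester's misuse case of timing many transactions and predicting the outcome from the durations, and then repeats the measurement against a hardened version that returns every result within the same fixed time frame. The sleep durations and the 15 ms deadline are assumptions chosen for the simulation.

```python
import random
import time

# Constructed simulation of Example 1: settling a spin that is about to pay
# out big takes noticeably longer than an ordinary spin. The sleeps stand in
# for the extra back-end work; the figures are assumptions, not measurements.
SLOW_PATH_S = 0.010   # assumed duration of the pre-payout path
FAST_PATH_S = 0.001   # assumed duration of the ordinary path
DEADLINE_S = 0.015    # assumed fixed response time for the hardened handler


def settle_spin_leaky(big_payout: bool) -> str:
    """Hypothetical vulnerable handler: duration depends on the outcome."""
    time.sleep(SLOW_PATH_S if big_payout else FAST_PATH_S)
    return "JACKPOT" if big_payout else "no win"


def run_with_fixed_duration(fn, deadline_s, *args):
    """Hardened wrapper: do the work, then wait until a fixed deadline so the
    response time is the same whatever the result. The deadline must exceed
    the worst-case work time, otherwise the slow path still shows through."""
    start = time.perf_counter()
    result = fn(*args)
    remaining = deadline_s - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return result


def settle_spin_padded(big_payout: bool) -> str:
    return run_with_fixed_duration(settle_spin_leaky, DEADLINE_S, big_payout)


def sample_timings(handler, n, seed=1):
    """Tester's view: call the handler n times and record (elapsed, outcome).
    On a real engagement the outcome is read from the response; here the
    simulation draws it at random so the predictions can be scored."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        outcome = rng.random() < 0.5
        start = time.perf_counter()
        handler(outcome)
        samples.append((time.perf_counter() - start, outcome))
    return samples


def timing_predictor_accuracy(samples):
    """Misuse case: split the observed durations at the largest gap and
    predict 'big payout' for everything above it. Two clear clusters are the
    signature of an outcome-dependent code path; an accuracy near 0.5 means
    the timing carries no usable information."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    times = sorted(t for t, _ in samples)
    _, idx = max((times[i + 1] - times[i], i) for i in range(len(times) - 1))
    threshold = (times[idx] + times[idx + 1]) / 2
    correct = sum((t > threshold) == outcome for t, outcome in samples)
    return correct / len(samples)


if __name__ == "__main__":
    for name, handler in (("leaky", settle_spin_leaky),
                          ("padded", settle_spin_padded)):
        acc = timing_predictor_accuracy(sample_timings(handler, 60))
        print(f"{name} handler: timing predictor accuracy {acc:.2f}")
```

Against the leaky handler the predictor is close to perfect; against the padded handler it is no better than guessing. Two caveats for the remediation: padding only works if the deadline is above the slowest genuine path under load, and the check should be repeated over the network from the tester's position, since jitter there decides how many samples an attacker needs rather than whether the leak exists.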