Business Logic Flaws :: Winning an Online Auction ::

Class: Abuse of Functionality

An online auction website prevents attackers from guessing users' passwords by temporarily locking any account that receives too many failed login attempts (5 tries) within a given period. Once an account is locked, the attacker (or the legitimate user) must wait for a timeout to expire (1 hr) before logging in again. Account locking is one of several techniques used to slow down brute-force attacks.

Once logged in, users can browse the items being auctioned and see who has bid on what. To place a bid, a user is asked to re-enter their password to confirm their intent, which prevents unintended bids and also stops Cross-Site Request Forgery attacks. The bidding step is tied into the same login lockout system, so that password guessing is denied here as well.

Can you spot the security problem?

If a malicious user wanted to put competing bidders at a disadvantage and improve their odds of winning an auction, they could do so easily. They would start by bidding on the item early and at a low price. When someone placed a higher bid, the malicious user would respond not only by bidding slightly higher, but also by running a sustained login brute-force attack against that user's account (the site shows who bid, so the attacker knows which username to target). The result: the competing bidder would be unable to bid on the item because their account has been deliberately locked by the attacker, since the bidding system shares the login lockout. The malicious user repeats this against anyone who bids higher until the auction ends. The attacker is not guaranteed to win, but locking out competing bidders certainly improves the odds, while retaining the ability to drop out of the running at any time.

Solution

  1. Do not display user names on the website. This not only increases user privacy, but also prevents an attacker from learning which bidder they need to lock out. The bid history can still be shown, but under an opaque alias rather than the login name.

  2. As an alternative to an account lockout, require a CAPTCHA once an account has received too many failed login attempts. This slows brute-force attacks without the side effect of locking out a legitimate user who is trying to bid. Whatever the response to repeated failures, the password re-entry on the bid form should not feed the same counter as the login form; only the already-authenticated session should be able to drive it, so an unauthenticated attacker cannot.

  3. Online auctions may allow sellers to specify a reserve price below which they are not obliged to sell. Then, even if an attacker used the method described to suppress competing bids, they are not guaranteed to get the item at an unreasonable price.
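The following simulation is an added example, not code from the original page. It models the lockout the page describes (5 failures, 1-hour window) and shows the attack against a vulnerable site whose bid confirmation shares the login lockout counter, then a hardened variant that applies solutions 1 and 2: repeated login failures demand a CAPTCHA instead of locking the account, bid confirmation is tied to the caller's own session, and the public bid board shows an alias. The class and method names, the session tokens, the `captcha_solved` flag and the user names are assumptions made for the example.

```python
"""Auction lockout flaw and a hardened design (added example, not the page's code).
The 5-failure / 1-hour parameters come from the page; everything else is assumed."""
import secrets
import time
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5        # failed attempts before lockout (from the page)
LOCKOUT_WINDOW = 60 * 60     # counting window and lockout duration, seconds (page: 1 hr)


@dataclass
class Account:
    password: str                                   # plaintext only because this is a simulation
    failures: list = field(default_factory=list)    # timestamps of failed password checks
    locked_until: float = 0.0


class VulnerableAuction:
    """Bid confirmation reuses the login password check and therefore its lockout
    counter: anyone who can reach the login form can lock a bidder out."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock
        self.high_bid = (None, 0.0)                 # (bidder, amount)

    def _check_password(self, name, password):
        acct = self.accounts[name]
        now = self.clock()
        if now < acct.locked_until:
            return "locked"
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
        if secrets.compare_digest(password, acct.password):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_WINDOW
            return "locked"
        return "bad_password"

    def login(self, name, password):
        return self._check_password(name, password)

    def place_bid(self, name, password, amount):
        status = self._check_password(name, password)   # same lockout path as login
        if status != "ok":
            return status
        if amount <= self.high_bid[1]:
            return "too_low"
        self.high_bid = (name, amount)
        return "ok"


class HardenedAuction(VulnerableAuction):
    """Step-up CAPTCHA instead of lockout, per-session bid confirmation, aliased bidders."""

    def __init__(self, accounts, clock=time.time):
        super().__init__(accounts, clock)
        self.sessions = {}      # token -> [name, failed bid confirmations]
        self.aliases = {}       # name -> opaque public label

    def login(self, name, password, captcha_solved=False):
        acct = self.accounts[name]
        now = self.clock()
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
        if len(acct.failures) >= LOCKOUT_THRESHOLD and not captcha_solved:
            return "captcha_required", None         # the real user can still get in
        if not secrets.compare_digest(password, acct.password):
            acct.failures.append(now)
            return "bad_password", None
        acct.failures.clear()
        token = secrets.token_hex(16)
        self.sessions[token] = [name, 0]
        return "ok", token

    def place_bid(self, token, password, amount):
        session = self.sessions.get(token)
        if session is None:
            return "no_session"                     # attacker has no victim session
        name, bid_failures = session
        if bid_failures >= LOCKOUT_THRESHOLD:       # counter is per session, not per account
            del self.sessions[token]
            return "session_revoked"
        if not secrets.compare_digest(password, self.accounts[name].password):
            session[1] += 1
            return "bad_password"
        session[1] = 0
        if amount <= self.high_bid[1]:
            return "too_low"
        self.high_bid = (name, amount)
        return "ok"

    def public_high_bid(self):
        name, amount = self.high_bid
        if name is None:
            return None, amount
        return self.aliases.setdefault(name, f"Bidder {len(self.aliases) + 1}"), amount


def victim_bid_outcome_vulnerable():
    site = VulnerableAuction({"alice": Account("correct horse"), "mallory": Account("hunter2")})
    site.place_bid("mallory", "hunter2", 10.0)              # attacker bids early and low
    for _ in range(LOCKOUT_THRESHOLD):                      # then hammers alice's login
        site.login("alice", "wrong guess")
    return site.place_bid("alice", "correct horse", 20.0)   # alice is locked out


def victim_bid_outcome_hardened():
    site = HardenedAuction({"alice": Account("correct horse"), "mallory": Account("hunter2")})
    _, mtoken = site.login("mallory", "hunter2")
    site.place_bid(mtoken, "hunter2", 10.0)
    for _ in range(LOCKOUT_THRESHOLD):
        site.login("alice", "wrong guess")
    status, atoken = site.login("alice", "correct horse")
    if status == "captcha_required":                        # step-up, not lockout
        status, atoken = site.login("alice", "correct horse", captcha_solved=True)
    return site.place_bid(atoken, "correct horse", 20.0), site.public_high_bid()


if __name__ == "__main__":
    print("vulnerable:", victim_bid_outcome_vulnerable())
    print("hardened:  ", victim_bid_outcome_hardened())
```

Running it shows the vulnerable site returning `locked` for the victim's bid after five bad logins by the attacker, while the hardened site lets the victim through once a CAPTCHA is solved and exposes only an alias on the public bid board.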
