In my previous post, we witnessed a vendor partnership flaw that was exploited. Let us now situate ourselves in an online auction event.

Online auctions offer buyers and sellers of a wide variety of goods an enormous platform for trade. Just like local auctions, there are sellers and bidders and winners and losers. Winners are expected to pay for what they bid on at the conclusion of the auction.

At online auctions, you will be required to register before you can buy or sell an item(s). Registration is required to track items you bid on or sell, keep up with the bids, determine the winning bids and build a database on seller and bidder feedback.

  1. The user creates an account — system verifies if userId is unique and creates an account.
  2. User logs in the account using the account credentials — active session on the portal is established
  3. User view page displaying an item of interest along with all active bidders associated with the item
  4. User participates in an existing auction by placing a bid — system calculates the number of active bidders and add a new bid to the scheduled time
  5. User wins or loses a bid — receives a confirmation to enter credit card information
  6. User is asked to enter credit card information — system validates credit card, debits amount and item is shipped
  7. User logs out — the active session is deleted
  1. Hacker creates an account and logs in
  2. Hacker views page displaying item of interest
  3. Hacker enters into an auction by bidding for the lowest price
  4. Hacker collects usernames of bidders displayed on the page
  5. Hacker launches brute force attack on all usernames via the login screen
  6. Hacker wins the bid at the lowest price
  1. Bidder usernames were displayed in cleartext on the item page — sensitive information disclosure
  2. A brute force led to account lockout — even legitimate users are not allowed to log in for a period of time
  3. Account lockout terminated any active session
  4. Session termination deletes current user data
  1. Apply CAPTCHA instead of rate-limited account lockout
  2. Disable active session termination
  3. Do not display active bidders on the item page — use redaction or pseudonyms

Ironically, this is one of those types of flaws that’s all but impossible for an automated web application vulnerability scanner to find.

How can such flaws be identified and thereafter avoided?

Is there a human-assisted expert system available to check your specific application belonging to a specific business domain for design flaws that can be exploited?

Yes, such a system does exist. ShiftLeft’s Ocular is a platform built over the foundational Code Property Graph that is uniquely positioned to deliver a specification model to query for vulnerable conditions, business logic flaws and insider attacks that might exist in your application’s codebase.

To request a free trial and demo, please signup at

Engineer, InfoSec tinkerer, Seed Investor, Founder/CTO of ShiftLeft Inc., (Opinions, my own)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store