Hunting for logic bugs (Tonimir Kisasondi)
February 27th, 2026 | Level: Technical
Abstract:
There are a number of well-known classes of vulnerabilities that an enterprising hacker or penetration tester wants to uncover in an application. Some of those issues are harder to detect or exploit because of well-implemented browser security mechanisms or because of various improvements in web application frameworks that hide the potentially dangerous methods from the developers. In addition, collective awareness of common security issues, vulnerabilities and potential weaknesses has been raised, making discovery of potential issues more difficult, especially in hard, well-audited targets.
In such cases, instead of subverting the code flow, an attacker might try to subvert the application's logic or, even better, manipulate the business process that the application supports. This class of vulnerabilities is commonly referred to as business logic vulnerabilities, and when such issues are discovered in the wild and reported, all the specific, nuanced cases are usually thrown into one bucket labeled “business logic” vulnerabilities. But when we review such issues, we can see that each case is unique.
This talk will present the results of a research study in which the author manually reviewed about 300 publicly disclosed vulnerability reports and tried to classify and cluster the discovered vulnerabilities into a few categories that can be used to detect business logic issues in applications. So let’s take a ride through some real-life cases and examples of how to manipulate calculation, assumptions, processes, branching, logical and time-based TOCTOU and other fun cases of how to break an application.
Bio:
Tonimir Kisasondi is a co-founder at Apatura, a boutique security consultancy from Varazdin, Croatia. His professional and research areas of interest are application security, cryptography and embedded security.