Chapter 11 ■ Attacking Application Logic 353
The Assumption
The developers assumed that users would always access the stages in the intended sequence, because this was the order in which the stages are delivered to the user by the navigational links and forms presented to their browser. Hence, any user who completed the order process must have submitted satisfactory payment details along the way.
The Attack
The developers’ assumption was flawed for fairly obvious reasons. Users control every request that they make to the application and so can access any stage of the ordering process in any sequence. By proceeding directly from stage 2 to stage 4, an attacker could generate an order that was finalized for delivery but that had not actually been paid for.
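The defence against this class of flaw is to track a user's progress through the multistage process in server-side state and to have every stage verify, on the server, that all prerequisite stages were genuinely completed before it does any work. The following Python model is an added example, not code from the book or from the application it describes; the stage names, the `OrderSession` structure and the `processor_approved` flag are assumptions made for illustration. It places a finalize handler that trusts the browser's navigation order beside a hardened one that enforces the sequence and the payment outcome itself.

```python
"""Server-side enforcement of a multistage order workflow (added example).

The stages mirror the ordering process the text describes:
  1. basket    - add items
  2. delivery  - enter delivery details
  3. payment   - submit payment details
  4. confirm   - finalize the order
Stage names and session layout are assumptions for this illustration.
"""
from dataclasses import dataclass, field

STAGES = ["basket", "delivery", "payment", "confirm"]  # required order


@dataclass
class OrderSession:
    """Server-side session state. The client never sees or edits this."""
    completed: set = field(default_factory=set)
    payment_verified: bool = False
    status: str = "open"


class StageOrderError(Exception):
    """Raised when a stage is requested before its prerequisites are done."""


def require_stage(session: OrderSession, stage: str) -> None:
    """Reject the request unless every earlier stage is recorded as complete."""
    idx = STAGES.index(stage)
    missing = [s for s in STAGES[:idx] if s not in session.completed]
    if missing:
        raise StageOrderError(f"stage '{stage}' requested before {missing}")


def submit_basket(session: OrderSession, items: list) -> None:
    require_stage(session, "basket")
    if not items:
        raise ValueError("basket is empty")
    session.completed.add("basket")


def submit_delivery(session: OrderSession, address: str) -> None:
    require_stage(session, "delivery")
    if not address.strip():
        raise ValueError("delivery address required")
    session.completed.add("delivery")


def submit_payment(session: OrderSession, processor_approved: bool) -> bool:
    """Record the payment outcome. `processor_approved` stands in for the
    result returned by a real payment processor (constructed input)."""
    require_stage(session, "payment")
    session.payment_verified = processor_approved
    # Only an approved payment counts as completing the stage.
    if processor_approved:
        session.completed.add("payment")
    return processor_approved


def finalize_order_vulnerable(session: OrderSession) -> str:
    """Flawed handler: assumes the browser only reaches here in sequence,
    so it never checks that payment actually happened."""
    session.status = "finalized"
    return session.status


def finalize_order_hardened(session: OrderSession) -> str:
    """Correct handler: verifies the recorded stage history and the payment
    outcome on the server before finalizing."""
    require_stage(session, "confirm")
    if not session.payment_verified:
        raise StageOrderError("payment not verified")
    session.completed.add("confirm")
    session.status = "finalized"
    return session.status


def demo() -> dict:
    """Walk stages 1 and 2, then request stage 4 directly (constructed flow)."""
    result = {}
    weak = OrderSession()
    submit_basket(weak, ["book"])
    submit_delivery(weak, "1 Example Street")
    result["vulnerable"] = finalize_order_vulnerable(weak)  # finalized, unpaid
    strong = OrderSession()
    submit_basket(strong, ["book"])
    submit_delivery(strong, "1 Example Street")
    try:
        finalize_order_hardened(strong)
        result["hardened"] = "finalized"
    except StageOrderError as exc:
        result["hardened"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(demo())
```

The key design point is that `completed` lives only in server-side session state and is appended to only by the handler for that stage, so a client that requests stage 4 with a stage 2 session is rejected regardless of which links or forms the browser was shown.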
HACK STEPS