Abuse of Functionality

Overview of the attack

Abuse of functionality attacks are those which exploit the normal functioning of the site by using it in unanticipated ways. The effects of the attacks can vary enormously due to their application-specific nature. Estimates suggest at least 1 out of 7 sites are vulnerable to abuse of functionality attacks.

What makes a site vulnerable to the attack?

Unlike most website security attacks, abuse of functionality attacks do not exploit a single type of vulnerability. In fact, they do not exploit vulnerabilities in the traditional sense at all. Instead, abuse of functionality attacks involve using the ordinary, correct functionality of the website in malicious ways. As a result, there is no specific error which makes a site vulnerable to these attacks. Rather, a failure to fully consider the implications of all possible uses of the available functionality is often to blame. Blame may also fall on a poor implementation of the requirements, where the functionality implemented works somewhat, but not exactly, in the way actually required.

Impact of the attack

Abuse of functionality attacks are highly application-specific. Their impact depends intimately on the nature of the application they exploit. By abusing some functionality of the site, the attacker may be able to achieve results equivalent to that achieved by some other, forbidden functionality. This has the effect of elevating the attacker’s access rights. Alternatively, the attacker may be able to achieve some other functionality which the site was never intended to provide. The unexpected provision of such functionality could put the site in violation of laws or the owner’s standards. Or it could result in a degradation of service to other users.

Social networking sites provide examples of abuse of functionality attacks. One such attack is the so-called Evil Twin attack, where an attacker creates a user profile under your name and then adds your friends to his profile. Believing that the attacker is actually you, your friends accept the requests to be added as friends. Now the attacker can see your friends' information and continue to impersonate you.

Preventing the attack

There is no specific technique which prevents all abuse of functionality attacks. In general, it may not be possible to determine all the ways in which a complex site’s functionality could be abused. However, the more effort is spent considering the ways in which it could be abused, the more likely it is that possible attacks will be caught. Likewise, the more clearly the site requirements are articulated, the more likely it is that any function which deviates from the requirements will be identified.

The attack in the real world

In 2007, CNBC’s stock-picking contest offered a million dollar prize for trading with virtual shares. The contest website was vulnerable to an abuse of functionality attack. Users would be given the price for a particular stock on request. This price would be honoured regardless of when the user actually made the purchase. By waiting until the stock price had moved significantly, the user could decide whether it was worth buying the stock at the original price. Note that in this case, the functionality being abused was functionality never intended to be provided to the user. The Yahoo Games chess ladder was vulnerable to an abuse of functionality attack.
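The CNBC flaw above is a stale-quote problem: a price handed to the client stays valid for as long as the client cares to hold it. The following is an added example, not code from the page or from CNBC, contrasting a quote-and-buy flow with that defect against one where the server signs each quote with an expiry and refuses stale or altered quotes. The market feed, the 30-second quote lifetime and the key are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed sample market (assumption, not from the page).
MARKET = {"ACME": 100.0}
QUOTE_TTL_SECONDS = 30           # assumed policy: a quote is honoured for 30 s
SECRET = b"placeholder-server-key"  # placeholder; load from secure config in practice


def current_price(symbol):
    return MARKET[symbol]


def issue_quote_vulnerable(symbol):
    # Mirrors the contest flaw: the quote carries no expiry and nothing binds
    # it to the server, so the client can hold it and "buy" at the old price later.
    return {"symbol": symbol, "price": current_price(symbol)}


def buy_vulnerable(quote):
    # Trusts the client-supplied price whenever it arrives.
    return {"filled_at": quote["price"]}


def _mac(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_quote(symbol, now=None):
    # Hardened quote: price, symbol and expiry are bound together by an HMAC.
    now = time.time() if now is None else now
    body = {"symbol": symbol, "price": current_price(symbol),
            "expires": now + QUOTE_TTL_SECONDS}
    return {**body, "mac": _mac(body)}


def buy(quote, now=None):
    """Fill at the quoted price only if the quote is authentic and unexpired."""
    now = time.time() if now is None else now
    body = {k: quote[k] for k in ("symbol", "price", "expires")}
    if not hmac.compare_digest(_mac(body), quote.get("mac", "")):
        return {"error": "quote tampered"}
    if now > body["expires"]:
        return {"error": "quote expired"}
    return {"filled_at": body["price"]}
```

A rejected quote is also worth logging: repeated expired or tampered quotes from one account are a detection signal for exactly this kind of abuse.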