Here, we will look at some examples of application logic vulnerabilities.
Application logic vulnerabilities in the wild
Bypassing the Shopify admin authentication
On September 28th, 2017, a bug bounty hunter called uzsunny reported a vulnerability on Shopify.
They got admin access by creating two different accounts that share the same email address. The application had the option to define profiles for each user. In this case, Shopify had a profiled called collaborator, which had more privileges than normal user accounts. To get these privileges, the user needed to request the collaborator profile. When the application collaborated with the account, the other account, which was different, automatically got the same...