Exploit fundamental design and business logic flaws
What is Insecure Design?
Insecure Design covers flaws that come from missing or ineffective security controls in the design itself: fundamental weaknesses in application architecture and business logic, not implementation bugs. They arise when threat modeling, secure design patterns, and reference architectures are absent or insufficient, so no amount of careful coding can fully fix them afterwards.
🎯 Key Design Flaws
Business Logic Bypass: Circumventing intended business workflows
Missing Security Controls: Absence of authentication, authorization, or validation
Workflow Manipulation: Skipping critical steps in multi-stage processes
Race Conditions: Exploiting timing dependencies in operations
Price Manipulation: Bypassing payment validation in e-commerce
Account Enumeration: Design allowing user discovery attacks
⚠️ Business Impact
Financial losses through pricing manipulation
Unauthorized access to premium features
Regulatory compliance violations
Brand reputation damage
Complete business process compromise
Legal liability from design negligence
🔍 Common Attack Scenarios
# E-commerce Price Manipulation
POST /api/cart/add
{
"product_id": 123,
"quantity": 1,
"price": 0.01 // Client controls price!
}
# Workflow Step Skipping
1. Registration → 2. Email Verification → 3. Account Activation
↓ BYPASS ↓
Direct access to step 3 without completing steps 1-2
# Race Condition Exploitation
Thread 1: Check balance ($100)
Thread 2: Check balance ($100) // Same time
Thread 1: Withdraw $100 (Balance: $0)
Thread 2: Withdraw $100 (Balance: -$100) // Overdraft!
# Business Logic Bypass
Discount Code: "SAVE50" (50% off, one-time use)
Attack: Apply code multiple times in same transaction
Result: 150% discount = Negative total price
🛡️ Secure Design Principles
Threat Modeling: Identify and address security threats early
Defense in Depth: Multiple layers of security controls
Fail Securely: Deny access when security controls fail
Least Privilege: Minimal access rights by default
Server-Side Validation: Never trust client-side controls
Secure by Default: Secure configurations out of the box
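As an added example that is not part of the original lab, the following Python server-side handlers apply the principles above to the attack scenarios listed earlier: the cart price comes from a server-side catalog rather than the request body, quantities are bounded, the "SAVE50" code is accepted once per cart and the total cannot go negative, and the balance check and debit run under one lock so the two-thread race cannot overdraw. The catalog, the discount rate and the quantity limit are constructed assumptions.

```python
import threading
# Constructed sample data: the server's own price list and one-use codes.
CATALOG = {123: 2999.00, 456: 49.99}
DISCOUNT_CODES = {"SAVE50": 0.50}

def add_to_cart(cart, request):
    # Price comes from CATALOG; a client-sent "price" field is never read.
    product_id, quantity = request.get("product_id"), request.get("quantity")
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    if type(quantity) is not int or not 1 <= quantity <= 10:
        raise ValueError("quantity must be an integer between 1 and 10")
    cart.setdefault("items", []).append((product_id, quantity))
    return cart

def apply_discount(cart, code):
    # One use per cart: re-applying the same code is rejected, not summed.
    used = cart.setdefault("used_codes", set())
    if code not in DISCOUNT_CODES or code in used:
        raise ValueError("invalid or already-used discount code")
    used.add(code)
    return cart

def cart_total(cart):
    # The amount to charge is derived server-side and cannot go below zero.
    subtotal = sum(CATALOG[pid] * qty for pid, qty in cart.get("items", []))
    discount = min(sum(DISCOUNT_CODES[c] for c in cart.get("used_codes", ())), 1.0)
    return round(subtotal * (1.0 - discount), 2)

class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw(self, amount):
        # Check and debit are one locked step: two callers cannot both see $100.
        with self._lock:
            if amount <= 0 or amount > self.balance:
                return False
            self.balance -= amount
            return True

def concurrent_withdrawals(account, amount, threads=2):
    # Runs the withdrawals in parallel and returns how many succeeded.
    results = []
    workers = [threading.Thread(target=lambda: results.append(account.withdraw(amount)))
               for _ in range(threads)]
    for w in workers: w.start()
    for w in workers: w.join()
    return sum(results)
```

Sending the scenario's request with "price": 0.01 still yields the catalog price, and the second application of SAVE50 is refused instead of producing a negative total.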
Scenario: You're testing an online electronics store with various business logic flaws. Your mission: exploit pricing vulnerabilities, discount abuse, and payment bypass mechanisms to get expensive items for free or minimal cost.
Price Manipulation: Can you control the product price?
Discount Stacking: Apply multiple discount codes?
Negative Quantities: What happens with negative numbers?
Payment Bypass: Can you manipulate payment amounts?
Mission Objectives:
🎯 Get the $2,999 laptop for under $100
🎯 Exploit discount code vulnerabilities
🎯 Manipulate payment processing logic
🎯 Discover at least 4 different business logic flaws
🚨 E-commerce Logic Vulnerabilities
This application demonstrates several design flaws:
Client-Side Price Control: Product prices controlled by frontend
Insufficient Discount Validation: No limits on discount application
Payment Amount Manipulation: User can modify payment amounts
Missing Business Rules: No validation of quantity constraints
🔄 Lab 2: Multi-Step Workflow Bypass Challenge
Scenario: You're testing a premium service registration system with a complex multi-step verification process. Your goal: bypass the verification steps and gain unauthorized access to premium features.