menu
close_24px

BLOG

Gaming Application Penetration Testing - My Favorite 9 Business Logical Flaws

The majority of gaming applications are vulnerable to business logical flaws. Here we break down the top 9 business logical errors in gaming apps.
  • Posted on: Feb 8, 2022
  • By Vaishali Nagori
  • Read time 4 Mins Read
  • Last updated on: May 8, 2024

Application Scenario

The target application is an online gaming application that offers a variety of games to play. You can earn money by playing a variety of games. This application organizes various battles. As a result, two users can participate in the games and win money. This application also gives users coins for playing games, which they can later exchange for buying profile pictures and other items & also users can withdraw the earned money later. 

Let’s Discuss Different Scenarios.

Scenario 1:  To Earn Unlimited Coins Without Playing The Game

Description of Feature

The application has a feature to play the game & earn coins. For example, if I play & complete the game then I will get 10 points for it. Later I can convert these points to buy profile pictures, products, etc. 

Attack Scenario

An attacker has to find out the HTTP request through which the application is giving points. The attacker will run the intruder on that request and points will get added to the attacker’s account. So an attacker can earn unlimited coins without playing the game again & again.

Steps To Perform Attack

Note* Identifying the HTTP request which updates the gaming score is very important

1) Play & complete the game and capture the HTTP request which updates the gaming score.            Steps To Perform Attack

2) Replay the request multiple times or run the intruder via the following steps.
Send the request to the intruder => Select the Attack Type as Snipper => Go to the  Payloads tab and select the Null Payload and in payload option, in the generate parameter give any value for example 100.
3) You will earn unlimited coins without playing the game again.    Earn Unlimited Coins

 

Scenario 2: To Increase Score & Win the Match & Earn Money

Description of Feature

The application has a module to play the match with any other user and if you score more, you win the match and you will receive the real winning amount. 

Attack Scenario

An attacker can win the match by increasing the score and can earn that winning amount.

Steps To Perform Attack

Note* Identifying the HTTP request which updates the gaming score is very important

1) Log in to the application
2) Play & complete the game.
3) Capture the HTTP request which updates the score of your game and replaces the game_score value to a higher score and forward the request. and the score gets updated and you will win the match. 

Scenario 2: To Increase Score & Win the Match & Earn Money

 

Read more: Everything You Need to Know about iOS Jailbreak Detection Bypass

Scenario 3: Information Disclosure

Description of Feature

The gaming application has a leaderboard through which a user can see who is in the top 10. On the leaderboard, the application only shows the NAME of the top 10 players on the GUI/frontend of the application. 

Attack Scenario

An attacker will capture the leaderboard HTTP request and in the response, it will disclose the leaderboard user’s password, personal mobile number, email address, address, referral code, coins, money, etc. This information is not displayed on the GUI of the application. This allows an attacker to view the user's personal information. 

Steps To Perform Attack

Capture the leaderboard HTTP request and response will disclose the user’s personal information. 

Scenario 3: Information Disclosure

 

Scenario 4: To Withdrawal Unlimited Money

Description of Feature

The application has a module to withdraw money that the user has earned by playing the games and all. 

Attack Scenario

So, when an attacker wants to withdraw his earned money, he will give a negative amount (-500000). Instead of removing/withdrawing that money, it will be credited to the attacker’s gaming account, and then the attacker will be able to withdraw it later to her bank account.

Steps To Perform Attack

1) Go to withdraw money module
2) Enter some amount and capture that HTTP request in the burp suite. 
3) In the amount parameter, give a negative value (-50000).Scenario 4: To Withdrawal Unlimited Money
4) Forward the request and this amount will be added to your gaming account. 
5) withdraw that money to your bank account.

Scenario 5: Using Coupon Code For Non-Applicable Purchases 

Description of Feature

The application has a module to add money. A user can add money and use some coupon for a certain amount, on which the application gives cashback.

Attack Scenario

Let’s take an example, the application is giving 10% cashback for adding 500 rs into your gaming application. So as an attacker what we can do is here, she will use the same coupon code for adding less than 500 amounts and get the 10% discount. 

Steps To Perform Attack

1) Log in to the application and go to add money module.
2) Add min 500 rs money and get a 30% discount.
3) Enter 50 rs and apply the given coupon code and capture the given HTTP request.Scenario 5: Using Coupon Code For Non-Applicable Purchases 

4) Replace the amount value to 10 and forward the request and add money.

5) Go to the profile module and observe that you get 3 rupees bonus cash.

Read more: 8 Different Ways to Bypass SSL Pinning in iOS application

Scenario 6: To Use Profile Images Without Purchasing 

Description of Feature

The gaming application has a feature to buy the profile pictures of your choice of different characters. 

Attack Scenario

An attacker can use these profile images without buying those images. 

Steps To Perform Attack

1) Log in to the application and go to the edit profile module.
2) Click on any image for buying and capture the HTTP Request.
3) Replace the isPurchased value from false to true and forward the request and the attacker can use the images without buying.Scenario 6: To Use Profile Images Without Purchasing 

 

Scenario 7: Buy One Profile Picture and Use any Other Profile Image

Description of Feature

The gaming application has a feature to buy profile pictures with coins & money. 

Attack Scenario

An attacker can use these profile images without buying those images.

Steps To Perform Attack

1) Log in to the application and go to the edit profile module.
2) Click on any image which you have bought already and capture that HTTP Request.
3) Replace the ham_id value with any other avatar image ham_id value and forward the request and the attacker can use the images without buying.Scenario 7: Buy One Profile Picture and Use any Other Profile Image

 

Scenario 8: Open Google Cloud Bucket

Description of Feature

The application is using a google cloud bucket for storing the user’s data like KYC documents and all. 

Attack Scenario

This google bucket has read-only public access, which allows an attacker to view all the sensitive files of the users. 

Steps To Perform Attack

Run the below command and it will list all the files.

gsutil ls gs://bucket_name/

Open Google Cloud Bucket

 

Scenario 9: Withdraw The Earn Money Without Verifying Your Account with KYC

Description of Feature

As we know KYC plays a very important role, when a user earns money from the online application. So In my application for withdrawing money etc, users must have to verify their account with KYC.  

Attack Scenario

An attacker can withdraw the money etc. without verifying his account KYC due to improper server-side validation. 

Steps To Perform Attack

1) Identify the module / HTTP request for which the user account must be KYC verified (In our scenario for withdrawing money the user account must be KYC verified).
2) Capture that request (withdrawing money request) and replay that HTTP request with a Non-KYC verified user authentication token.

Conclusion 

Gaming applications are the most vulnerable to security breaches since they store a lot of money and the personal information of users. The majority of gaming applications are vulnerable to business logical flaws. That's why we've gone over a variety of logical errors.

Gamers are emotionally attached to gaming applications because they put in a lot of effort to reach the top, and if a hacker can reach the top without playing the game, it is a significant loss for the company since users would lose faith in it. As a result, safeguarding the gaming application is critical.

Appknox - Gaming Case Study