Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers exploit business logic by using deductive reasoning to trick and ultimately exploit the application.
In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does. Some high level examples of business logic are customer purchase orders, banking queries, wire transfers or online auctions. Business logic is also defined in more specific rules such as which users are allowed to see what and how much users are charged for various items.
Currently, a high percentage of web application security tests can be automated and are automated by high quality application scanning software products. Business logic, however, will always need to be tested manually because it requires an understanding of the logic of the application.
Business logic flaws defy easy categorization and can be more art than science to discover. If undiscovered, they can result in serious compromise of internal and external applications, even in applications with safeguards such as authentication and authorization controls.
For example, in the case of an online store application where customers add items to their shopping cart, the application sends the customers to a secure payment gateway where they submit their order. To complete the order, customers are required to make a credit card payment. In this shopping cart application, business logic errors may make it possible for attackers to bypass the authentication processes to directly log into the shopping cart application and avoid paying for “purchased” items. This type of business logic flaw is among the 10 most common types.
The common most business logic flaws include:
- Authentication flags and privilege escalations
- Critical parameter manipulation and access to unauthorized information/content
- Developer’s cookie tampering and business process/logic bypass
- LDAP parameter identification and critical infrastructure access
- Business constraint exploitation
- Business flow bypass
- Identity or profile extraction
- File or unauthorized URL access & business information extraction
- Denial of Services (DoS) with business logic.
“The concept of business logic vulnerabilities is not new, what is new and concerning is that these vulnerabilities are common, dangerous and are too often untested. Security experts need to know that these must be tested manually and must not be overlooked,” says Dan Kuykendall, Co-CEO and CTO of NT OBJECTives. “It is imperative to complement automated testing process with a human discovery of security risks that can be exploited by manipulating the business logic. For this reason, we offer our SaaS customers the option of adding business logic testing to their automated scans. Simply put, humans are better at identifying critical behavioral patterns.”