NT OBJECTives has detailed what it defines as the top 10 "business logic attack vectors" for penetration testers, which the company has supplied with specific instructions, real-world examples, and code-snippets for testing the most common business logic vulnerabilities.
White PapersMore >>
NOTE: Application business logic flaws are said to be unique to each custom application, potentially very damaging, and typically very difficult to test. Attackers exploit business logic by using "deductive reasoning" to trick and ultimately exploit the application. In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does.
"The concept of business logic vulnerabilities is not new; what is new and concerning is that these vulnerabilities are common, dangerous, and are too often untested. Security experts need to know that these must be tested manually and must not be overlooked," says Dan Kuykendall, Co-CEO and CTO of NT OBJECTives.
"It is imperative to the complement automated testing process with a human discovery of security risks that can be exploited by manipulating the business logic. For this reason, we offer our SaaS customers the option of adding business logic testing to their automated scans. Simply put, humans are better at identifying critical behavioral patterns," said Kuykendall.
Although a high percentage of web application security tests can be (and are) automated by high-quality application scanning software products, NT OBJECTives points out that business logic will always need to be tested manually because it requires an understanding of the logic of the application.
If left undiscovered, these flaws can result in serious compromise, even where safeguards such as authentication and authorization controls exist.
The most common business logic flaws include:
- Authentication flags and privilege escalations
- Critical parameter manipulation and access to unauthorized information/content
- Developer's cookie tampering and business process/logic bypass
- LDAP parameter identification and critical infrastructure access
- Business constraint exploitation
- Business flow bypass
- Identity or profile extraction
- File or unauthorized URL access and business information extraction
- Denial of Services (DoS) with business logic
For example, in the case of an online store application where customers add items to their shopping cart, the application sends the customers to a secure payment gateway where they submit their order. To complete the order, customers are required to make a credit-card payment. In this shopping cart application, business logic errors may make it possible for attackers to bypass the authentication processes to directly log into the shopping cart application and avoid paying for "purchased" items.