NT OBJECTives: Top 10 Business Logic Attack Vectors

NT OBJECTives has detailed what it defines as the top 10 "business logic attack vectors" for penetration testers, supplying specific instructions, real-world examples, and code snippets for testing the most common business logic vulnerabilities.

NOTE: Application business logic flaws are said to be unique to each custom application, potentially very damaging, and typically very difficult to test. Attackers exploit business logic by using "deductive reasoning" to trick and ultimately exploit the application. In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does.

"The concept of business logic vulnerabilities is not new; what is new and concerning is that these vulnerabilities are common, dangerous, and are too often untested. Security experts need to know that these must be tested manually and must not be overlooked," says Dan Kuykendall, Co-CEO and CTO of NT OBJECTives.

"It is imperative to complement the automated testing process with a human discovery of security risks that can be exploited by manipulating the business logic. For this reason, we offer our SaaS customers the option of adding business logic testing to their automated scans. Simply put, humans are better at identifying critical behavioral patterns," said Kuykendall.

Although a high percentage of web application security tests can be (and are) automated by high-quality application scanning software products, NT OBJECTives points out that business logic will always need to be tested manually because it requires an understanding of the logic of the application.

If left undiscovered, these flaws can result in serious compromise, even where safeguards such as authentication and authorization controls exist.

The most common business logic flaws include:

  1. Authentication flags and privilege escalations
  2. Critical parameter manipulation and access to unauthorized information/content
  3. Developer's cookie tampering and business process/logic bypass
  4. LDAP parameter identification and critical infrastructure access
  5. Business constraint exploitation
  6. Business flow bypass
  7. Exploiting client-side business routines embedded in JavaScript, Flash, or Silverlight
  8. Identity or profile extraction
  9. File or unauthorized URL access and business information extraction
  10. Denial of Service (DoS) with business logic

For example, consider an online store where customers add items to a shopping cart and are then sent to a secure payment gateway to submit the order; completing the order requires a credit-card payment. In such a shopping cart application, a business logic error may make it possible for an attacker to bypass the authentication process, log directly into the shopping cart application, and avoid paying for the "purchased" items.
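The shopping-cart scenario above combines several items from the list: a privilege or authentication flag the server should never take from the client (item 1), a critical parameter such as the amount or order id (item 2), and the payment step itself as a business constraint and flow that must not be skipped (items 5 and 6). The following is an added example, not code from NT OBJECTives or from the article, showing the defender's side: a weak order-completion routine that trusts a client-supplied "paid" flag next to a hardened one that enforces the intended state sequence, checks ownership against the server-side session, and accepts only a gateway-signed payment confirmation whose amount matches the order. The order fields, state names, HMAC scheme and shared secret are all constructed assumptions for the example.

```python
"""Constructed example: enforcing an order flow server-side.

Not the vendor's or the article's code. The state names, the HMAC-SHA256
confirmation scheme and the gateway secret are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

# Assumed: secret shared between the shop and its payment gateway (constructed value).
GATEWAY_SECRET = b"constructed-shared-secret"


class FlowError(Exception):
    """Raised when a request tries to step outside the intended business flow."""


@dataclass
class Order:
    order_id: str
    customer_id: str
    total_cents: int
    state: str = "CART"  # intended flow: CART -> PENDING_PAYMENT -> PAID -> COMPLETED
    payment_ref: Optional[str] = None


# --- Weak version: the "paid" decision comes from a client-controlled parameter ---
def complete_order_weak(order: Order, params: dict) -> bool:
    """Marks the order complete whenever the request claims it is paid."""
    if params.get("paid") == "1":
        order.state = "COMPLETED"
        return True
    return False


# --- Hardened version: the server owns the flow, the ownership check and the proof ---
ALLOWED_TRANSITIONS = {
    ("CART", "PENDING_PAYMENT"),
    ("PENDING_PAYMENT", "PAID"),
    ("PAID", "COMPLETED"),
}


def transition(order: Order, new_state: str) -> None:
    """Only adjacent steps of the intended flow are permitted; none can be skipped."""
    if (order.state, new_state) not in ALLOWED_TRANSITIONS:
        raise FlowError(f"illegal transition {order.state} -> {new_state}")
    order.state = new_state


def sign_confirmation(order_id: str, amount_cents: int, secret: bytes = GATEWAY_SECRET) -> str:
    """Assumed gateway scheme: HMAC-SHA256 over 'order_id:amount_cents'."""
    msg = f"{order_id}:{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def record_payment(order: Order, confirmation: dict) -> None:
    """Accepts only a gateway-signed confirmation for this order and this exact amount."""
    expected = sign_confirmation(confirmation["order_id"], confirmation["amount_cents"])
    if not hmac.compare_digest(expected, confirmation["signature"]):
        raise FlowError("confirmation signature invalid")
    if confirmation["order_id"] != order.order_id:
        raise FlowError("confirmation is for a different order")
    if confirmation["amount_cents"] != order.total_cents:
        raise FlowError("paid amount does not match order total")  # parameter tampering
    transition(order, "PAID")
    order.payment_ref = confirmation["ref"]


def complete_order(order: Order, session_customer_id: str) -> None:
    """Ownership comes from the server-side session, never from a request parameter."""
    if session_customer_id != order.customer_id:
        raise FlowError("order belongs to another customer")
    transition(order, "COMPLETED")


def demo() -> dict:
    """Exercises both versions on constructed orders and returns the outcomes."""
    results = {}
    weak = Order("o-1", "cust-a", 4999)
    results["weak_bypass"] = complete_order_weak(weak, {"paid": "1"}) and weak.state == "COMPLETED"

    hard = Order("o-2", "cust-a", 4999)
    try:
        complete_order(hard, "cust-a")  # attempts to jump straight from CART to COMPLETED
        results["skip_payment"] = "allowed"
    except FlowError:
        results["skip_payment"] = "blocked"

    transition(hard, "PENDING_PAYMENT")
    underpaid = {"order_id": "o-2", "amount_cents": 1, "ref": "gw-1",
                 "signature": sign_confirmation("o-2", 1)}  # genuine signature, wrong amount
    try:
        record_payment(hard, underpaid)
        results["underpay"] = "allowed"
    except FlowError:
        results["underpay"] = "blocked"

    genuine = {"order_id": "o-2", "amount_cents": 4999, "ref": "gw-2",
               "signature": sign_confirmation("o-2", 4999)}
    record_payment(hard, genuine)
    try:
        complete_order(hard, "cust-b")  # a different customer's session
        results["other_customer"] = "allowed"
    except FlowError:
        results["other_customer"] = "blocked"
    complete_order(hard, "cust-a")
    results["final_state"] = hard.state
    return results


if __name__ == "__main__":
    print(demo())
```

The point a tester checks for, and a developer designs for, is that every decision the flow depends on (who owns the order, whether payment happened, for how much) is established on the server and cannot be supplied or skipped by reordering or editing requests. The weak routine fails that test with a single parameter; the hardened one rejects the skipped step, the underpayment and the cross-customer completion while still allowing the legitimate sequence to finish.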

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.