
Business Logic Flaws

"Business logic is the intended behavior of the application. It's the functionality that governs the core of what the application does, for example, which users are allowed to see what, how much users are charged for various items, etc."

Specialized Pen Testing

1. Cross-site scripting (XSS) vulnerabilities
2. SQL injection faults
3. Authentication vulnerabilities

Cross-site scripting (XSS) vulnerabilities

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

SQL injection faults

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

Authentication vulnerabilities

Most websites that require user authentication are exposed to authentication problems. There are several authentication mechanisms to choose from, and any of them, if implemented incorrectly, can expose vulnerabilities that attackers can exploit to gain access to your system.

Business logic attacks

Business logic attacks are ways of exploiting the application's logic to cheat the application. They are hard to test for because they require an understanding of both the application and security. In many cases, QA teams know the business logic, but they aren't security experts and haven't been trained on the clever attack techniques.

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do, not what it can be made to do. The other problem with business logic flaws is that typical vulnerability scanners can't identify them, IDSs can't detect them, and Web application firewalls can't defend against them. As the number of common vulnerabilities such as SQL injection and cross-site scripting is reduced, the bad guys are increasing their attacks on business logic flaws.

Attackers don't need an exploit to abuse your Web application. All it takes is for them to take advantage of a business logic flaw -- a design weakness -- and they can conduct e-commerce or other types of fraud. Examples of business logic flaws include an online poll whose results can be manipulated with a simple script, or a shopping cart application with logic errors that let attackers bypass authentication and avoid paying for items.
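As an added illustration of the shopping-cart case above (not code from the original page), here is a checkout routine that trusts the client-submitted total next to one that recomputes the amount owed from server-side state and enforces single-use coupons. The catalogue, coupon table and item names are constructed for the example.

```python
# Added example (not from the original page): a checkout that trusts client data
# beside one that recomputes everything server-side.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed server-side catalogue: item id -> unit price in cents.
CATALOG = {"book": 1200, "pen": 150}

# Constructed single-use coupon table: code -> discount in cents.
COUPONS = {"SAVE500": 500}


@dataclass
class Order:
    items: Dict[str, int]          # item id -> quantity, as submitted by the client
    coupon: Optional[str] = None   # coupon code submitted by the client
    client_total: int = 0          # what the client claims it owes (never trusted below)


@dataclass
class Store:
    redeemed: Set[str] = field(default_factory=set)

    def weak_checkout(self, order: Order) -> int:
        # Business logic flaw: the server charges whatever total the client sent,
        # so a tampered request can check out for zero.
        return order.client_total

    def checkout(self, order: Order) -> int:
        """Recompute the amount owed from server-side state only."""
        total = 0
        for item_id, qty in order.items.items():
            if item_id not in CATALOG:
                raise ValueError(f"unknown item {item_id!r}")
            # Reject negative, zero, non-integer or implausibly large quantities.
            if not isinstance(qty, int) or qty < 1 or qty > 100:
                raise ValueError(f"invalid quantity {qty!r} for {item_id!r}")
            total += CATALOG[item_id] * qty
        if order.coupon is not None:
            # A coupon must exist and must not have been redeemed before.
            if order.coupon not in COUPONS or order.coupon in self.redeemed:
                raise ValueError("coupon invalid or already redeemed")
            total -= COUPONS[order.coupon]
            self.redeemed.add(order.coupon)  # single use is enforced here
        return max(total, 0)
```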

Among the most popular business logic flaw attacks are e-coupon abuse, e-wallet weaknesses, app store fraud, and bad guys testing stolen credit card numbers. Among the organizations that were hit with business logic attacks, more than one-fourth lost more than 4 percent in revenue due to the attack, and two-thirds lost between 1 and 4 percent in revenue. It's not easy to detect this type of abuse, either: Nearly three-fourths of the organizations say it's hard to tell a real customer from a poser on their websites.

We at Valency Networks, India, provide cutting-edge vulnerability assessment tests for web portals and websites to detect these types of attacks, and provide consultancy on stopping them.