Business logic flaws



"Business logic is the intended behavior of the application. It's the functionality that governs the core of what the application does, for example, which users are allowed to see what, how much users are charged for various items, etc. Business logic attacks are things you can do to exploit the logic and cheat the application... (they) are hard to test for because they require both an understanding of the application and of security. In many cases, QA teams know the business logic, but they aren't security experts and haven't been trained on the clever attack techniques."

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do, not what it can be made to do. The other problems with business logic flaws are that typical vulnerability scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend against them. As the number of common vulnerabilities such as SQL Injection and Cross-Site Scripting is reduced, the bad guys are increasing their attacks on business logic flaws.

Attackers don't need an exploit to abuse your Web application. All it takes is for them to take advantage of a business logic flaw -- a design weakness -- and they can conduct e-commerce or other types of fraud. Examples of business logic flaws include an online poll whose results can be manipulated with a simple script, or a shopping cart application whose logic errors let attackers bypass authentication and never actually pay for items.

Among the most popular business logic flaw attacks are e-coupon abuse, e-wallet weaknesses, app store fraud, and bad guys testing stolen credit card numbers. Among the organizations that were hit with business logic attacks, more than one-fourth lost more than 4 percent in revenue due to the attack, and two-thirds lost between 1 and 4 percent in revenue. It's not easy to detect this type of abuse, either: nearly three-fourths of the organizations say it's hard to tell a real customer from a poser on their websites.
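The shopping-cart and e-coupon cases above come down to the server trusting what the browser sends. As an added example, not from the original page or from Valency Networks, here is a minimal checkout total in Python with the flawed logic beside the hardened logic; the SKUs, prices, coupon codes and the `redeemed` set are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical SKUs, prices in cents, and coupon codes).
CATALOG = {"sku-100": 2500, "sku-200": 999}
COUPONS = {"SAVE10": 1000}          # flat discount in cents, intended to be single-use


@dataclass
class CartRequest:
    """What the browser submits; every field is attacker-controlled."""
    items: list      # (sku, quantity, client_stated_price_cents)
    coupons: list    # coupon codes as typed into the checkout form


def insecure_total(req: CartRequest) -> int:
    """Flawed logic: trusts the client's price and applies coupons without limit."""
    total = sum(price * qty for _, qty, price in req.items)
    for code in req.coupons:
        total -= COUPONS.get(code, 0)      # no single-use check, no floor at zero
    return total


def secure_total(req: CartRequest, redeemed: set) -> tuple:
    """Hardened logic: recompute from the catalog, validate inputs, one use per coupon.

    Returns (accepted, total_cents, reason). `redeemed` is the set of coupon codes
    this customer already used on earlier orders (hypothetical persistence layer).
    """
    total = 0
    for sku, qty, _client_price in req.items:     # the client-stated price is ignored
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            return (False, 0, f"rejected item {sku!r} with quantity {qty!r}")
        total += CATALOG[sku] * qty
    seen = set()
    for code in req.coupons:
        if code not in COUPONS:
            return (False, 0, f"unknown coupon {code!r}")
        if code in seen or code in redeemed:
            return (False, 0, f"coupon {code!r} already used")
        seen.add(code)
        total -= COUPONS[code]
    return (True, max(total, 0), "ok")     # a discount can never push the charge below zero


if __name__ == "__main__":
    # Constructed tampered request: price rewritten to 1 cent, coupon submitted three times.
    tampered = CartRequest(items=[("sku-100", 1, 1)], coupons=["SAVE10"] * 3)
    print("insecure total:", insecure_total(tampered))            # -2999: a credit to the buyer
    print("secure   total:", secure_total(tampered, redeemed=set()))
```

Logging the `reason` string from the hardened path gives the fraud team the signal the paragraph above says is hard to get: a request whose client-stated price or coupon usage disagrees with the server is rarely a real customer.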

We at Valency Networks, India, provide cutting-edge vulnerability assessment tests for web portals and websites to capture these types of attacks, and we provide consultancy to stop them.