In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does. Some high level examples of business logic are customer purchase orders, banking queries, wire transfers or online auctions. Business logic is also defined in more specific rules such as which users are allowed to see what and how much users are charged for various items.
Currently, a high percentage of web application security tests can be automated and are automated by high quality application scanning software products. Business logic, however, will always need to be tested manually because it requires an understanding of the logic of the application.
Business logic flaws defy easy categorization and can be more art than science to discover. If undiscovered, they can result in serious compromise of internal and external applications, even in applications with safeguards such as authentication and authorization controls.
For example, in the case of an online store application where customers add items to their shopping cart, the application sends the customers to a secure payment gateway where they submit their order. To complete the order, customers are required to make a credit card payment. In this shopping cart application, business logic errors may make it possible for attackers to bypass the authentication processes to directly log into the shopping cart application and avoid paying for “purchased” items. This type of business logic flaw is among the 10 most common types.
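The shopping-cart scenario above is a business flow bypass: the server lets a client reach "order completed" without the payment step having actually happened. The following is an added example, not code from the original article, showing a toy order workflow with a handler that trusts a client-supplied `paid` field beside a hardened handler that only honours server-side state set by a trusted gateway callback. All order identifiers, prices, function names and request fields are constructed for illustration.

```python
"""Added example (not part of the original article): a toy order workflow
demonstrating a business-flow bypass and its server-side fix.

`complete_order_vulnerable` decides completion from a client-controlled
request field; `complete_order` decides it only from state that the trusted
payment-gateway callback recorded. All names, records and prices are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class OrderState(Enum):
    CART = "cart"
    AWAITING_PAYMENT = "awaiting_payment"
    PAID = "paid"
    COMPLETED = "completed"


@dataclass
class Order:
    order_id: str
    customer: str
    total_cents: int
    state: OrderState = OrderState.CART
    # Set only by the trusted gateway callback, never from client input.
    gateway_ref: Optional[str] = None


class BusinessFlowError(Exception):
    """Raised when a request tries to skip or reorder a workflow step."""


def checkout(order: Order) -> Order:
    """Move a cart to awaiting-payment; the gateway is contacted out of band."""
    if order.state is not OrderState.CART:
        raise BusinessFlowError(f"cannot checkout from state {order.state.value}")
    order.state = OrderState.AWAITING_PAYMENT
    return order


def gateway_callback(order: Order, gateway_ref: str, amount_cents: int) -> Order:
    """Trusted server-to-server confirmation from the payment gateway (assumed)."""
    if order.state is not OrderState.AWAITING_PAYMENT:
        raise BusinessFlowError("payment confirmation for an order not awaiting payment")
    if amount_cents != order.total_cents:
        raise BusinessFlowError("confirmed amount does not match order total")
    order.gateway_ref = gateway_ref
    order.state = OrderState.PAID
    return order


# --- Vulnerable: completion decided by a client-controlled request field ---
def complete_order_vulnerable(order: Order, request: dict) -> Order:
    """Flawed: the request body, not the server, asserts that payment happened."""
    if request.get("paid") == "true":
        order.state = OrderState.COMPLETED
        return order
    raise BusinessFlowError("order not paid")


# --- Hardened: completion decided only by server-side workflow state ---
def complete_order(order: Order, request: dict) -> Order:
    """Fixed: the request carries no authority; only recorded state does."""
    if order.state is not OrderState.PAID or order.gateway_ref is None:
        raise BusinessFlowError(
            f"order {order.order_id} is {order.state.value}; payment not confirmed"
        )
    order.state = OrderState.COMPLETED
    return order


def demo() -> Tuple[str, str]:
    """Run both handlers on carts that never paid; return each order's final state."""
    forged = {"paid": "true"}  # constructed client request claiming payment

    o1 = Order("A-1001", "alice", 4999)
    checkout(o1)
    complete_order_vulnerable(o1, forged)  # completes with no gateway confirmation
    vulnerable_outcome = o1.state.value

    o2 = Order("A-1002", "alice", 4999)
    checkout(o2)
    try:
        complete_order(o2, forged)
    except BusinessFlowError:
        pass  # order stays in awaiting_payment
    hardened_outcome = o2.state.value

    return vulnerable_outcome, hardened_outcome


if __name__ == "__main__":
    print(demo())  # ('completed', 'awaiting_payment')
```

The point a manual tester looks for is exactly the difference between these two handlers: whether a step in the flow (payment, approval, verification) is enforced by server-held state and a trusted signal, or by a value the client can set. An automated scanner sees two well-formed requests; only someone who understands the intended order of steps notices that one of them should have been refused.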
The most common business logic flaws include:
- Authentication flags and privilege escalations
- Critical parameter manipulation and access to unauthorized information/content
- Developer’s cookie tampering and business process/logic bypass
- LDAP parameter identification and critical infrastructure access
- Business constraint exploitation
- Business flow bypass
- Identity or profile extraction
- File or unauthorized URL access & business information extraction
- Denial of Service (DoS) with business logic.