What is Business Logic Vulnerability?
How do you translate an abstract business idea in machine language? How can you process overlapping theories without making the machines bleed?
Actually, you cannot. That’s the problem with business logic vulnerability.
Machines, unlike human brains, work on simplified binary logic. They respond to conditions that must lead to a simple ‘YES’ or ‘NO’, and absolutely nothing between it.
However, that is not how people running businesses think. They make decisions. Often quickly, frequently, and making them out most of the available information.
While security is certainly on their mind, there is not enough time to study implications in detail. This is exactly what leads to business logic or domain logic flaw.
What is Business Logic Vulnerability?
A business logic flaw is an application vulnerability, which arises from circumstantial security weakness. As a one-of-a-kind problem, it does not have a universal solution and cannot be detected by automated web application scanning either. Here is a simple way to understand this.
“Only those who understand your business will be able to detect your business logic flaws.”
In theory, business logic vulnerability might seem a very vague, abstract idea. However, it poses a serious threat to security. We will help you understand with the following examples.
Case Study 1- Stock Broking Firm
A renowned stockbroking firm wanted its customers to trade online. Their dummy online trading platform focused on increasing participation and making transactions faster in a two-step process.
Step 1: Users could pick stocks of their choice, number of shares, and click on ‘BUY’. The application then calculated the total value of the transaction and asked users to ‘PLACE ORDER’.
Step 2: After step 1, users can choose to either proceed with the order or cancel the transaction.
Million Dollar Problem
The web application scanning session showed that the application was clean of any OWASP or WASC vulnerability. But problems existed.
An attacker could actually make informed decisions and make huge profits without administrators knowing about it.
The attacker had to select stock at the current price and freeze the process at the confirmation dialog box. If the next day, prices for that particular stock shoot up, he could confirm the frozen trade and get the stocks at an older value.
Case Study 2- Online Auction House
An online auction house valued website security above everything else. The owners understood that many hackers would try to use brute force to forcibly getting into competitor accounts.
Hence, they started using limited-time account suspension for three wrong logs in attempts.
In simpler words, the associated account ID would be locked if the wrong password were used three consecutive times.
Imagine that there are only two users who want item X on auction. They both are placing bids, topping each other, and now just one hour remains for the online auction.
One of the users knows about the account suspension policy, so he uses the account ID of the other bidder. Enters the wrong password three times to lock his account. This way, only one bidder remains in the auction.
Case Study 3- E-commerce Website
An e-commerce website allowed users to view the product and its price, select that product, purchase a summary, and then proceed to the checkout. The process was designed to be executed in this particular order only. And the administrator did not set rules for something different.
An attacker discovered that he could go back to the shopping cart after injecting custom prices in the URL. The website’s server executed it and allowed the attacker to pay for the revised pricing.
The Logic behind Logical Flaws
In days when hacking fetches much greater rewards, crooks are always looking for ways to get around your database.
When complex business ideas overlap each other, the chances of discovering business logic vulnerability increase far beyond what we have explained in the examples above.
In fact, in recent times, more and more hackers are looking for ways that go undetected by automated scanning, the ways that exploit business logic paradoxes.
Security analysts believe that web applications were and are being exploited with business logic vulnerabilities. Unfortunately, most companies do not even know about them unless there is monetary leakage. The following are some of the rules that need assessment.
- Money-Related Application Logics- These logics command online monetary transactions, deals, discounts, refunds, shipping fees, and so on.
- Time-Related Application Logics- These logics define how web applications handle sessions and timeouts for users.
- Process-Related Application Logics- It is also possible to exploit internal-facing applications for human resources management, procurement, warehousing, and other processes.
Dealing with Business Logical Vulnerability with Indusface
How do you patch business logic vulnerabilities before the hackers could find them? You find them first.
Business logic vulnerability is essentially a human task that requires expertise, trained to identify flaws, much like hackers do.
Managed web application scanning is a better way to detect all kinds of vulnerabilities within the application. While automated scanning looks for top OWASP threats, security experts will understand your business functions and their subsequent effects on web applications.
Once detected, you can either patch the vulnerability in each application or shield them with a managed web application firewall.
A managed web application firewall’s value goes beyond virtual patching and time to fix the benefits of patching vulnerabilities. The main benefit is
a) Providing visibility of an attempted attack
b) Providing more insights about attackers, which can help in taking more proactive detect and protect steps to track and block them.
Eventually, it helps in improving the Total Application Security postures consistently and not as a point in time improvement.