How do you translate an abstract business idea in machine language? How can you process overlapping theories without making the machines bleed? Actually, you cannot. That’s the problem with business logic vulnerability.
Machines, unlike human brains, work on simplified binary logic. They respond to conditions that must lead to a simple ‘YES’ or ‘NO’, and absolutely nothing between it.
However, that is not how people running businesses think. They make decisions. Often quickly, frequently, and making them out most of the available information. While security is certainly on their mind, there is not enough time to study implications in detail. This is exactly what leads to business logic or domain logic flaw.
A business logic flaw is an application vulnerability, which arises by circumstantial security weakness. As a one-of-a-kind problem, it does not have a universal solution and cannot be detected by automated web application scanning either. Here is a simple way to understand this.
“Only those who understand your business will be able to detect your business logic flaws.”
In theory, business logic vulnerability might seem a very vague, abstract idea; it poses a serious threat to security, which we will help you understand with the following examples.
A renowned stockbroking firm wanted its customers to trade online. Their dummy online trading platform focused on increasing participation and making transactions faster in a two-step process.
Step 1: Users could pick stocks of their choice, number of shares, and click on ‘BUY’. The application then calculated the total value of the transaction and asked users to ‘PLACE ORDER’.
Step 2: After Step 1, users can choose to either proceed with the order or cancel the transaction.
Million Dollar Problem
The web application scanning session showed that the application was clean of any OWASP or WASC vulnerability, but problems existed. An attacker could actually make informed decisions and make huge profits without administrators knowing about it. The attacker had to select stock at the current price and freeze the process at the confirmation dialog box. If the next day, prices for that particular stock shoot up, he could confirm the frozen trade and get the stocks at older value.
An online auction house valued website security above everything else. The owners understood that many hackers would try to use brute force for forcibly getting into competitor accounts. Hence, they started using limited time account suspension for three wrong logs in attempts. In simpler words, the associated account ID would be locked if the wrong password were used for three consecutive times.
Imagine that there are only two users who want item X on auction. They both are placing bids, topping each other, and now just one hour remains for the online auction. One of the users knows about the account suspension policy, so he uses the account ID of the other bidder and enters the wrong password three times to lock his account. This way, only one bidder remains in the auction.
An e-commerce website allowed users to view product and its price, select that product, purchase summary, and then proceed to the checkout. The process was designed to be executed in this particular order only and the administrator did not set rules for something different.
An attacker discovered that he could go back to the shopping cart after injecting custom price in the URL. Website’s server executed it and allowed the attacker to pay for the revised pricing.
In days when hacking fetches much greater rewards, crooks are always looking for ways to get around your database, or whatever they can get their hands on, which should alarm you. When complex business ideas overlap each other, chances of discovering loopholes increase far beyond what we have explained in examples above.
In fact, in recent times, more and more hackers are looking for ways that go undetected by automated scanning, the ways that exploit business logic paradoxes.
Security analysts believe that web applications were and are being exploited with business logic vulnerabilities. Unfortunately, most companies do not even know about them unless there is monetary leakage. Following are some of the rules that need assessment.
How do you patch business logic vulnerabilities before the hackers could find them? You find them first.
Business logic vulnerability is essentially a human task that requires expertise, trained to identify flaws, much like hackers do. Managed web application scanning is a better way to detect all kinds of vulnerabilities within the application. While automated scanning looks for top OWASP threats, security experts will understand your business functions and their subsequent effects on web applications.
Once detected, you can either patch the vulnerability in each application or shield them with managed web application firewall. A managed web application firewall’s value goes beyond virtual patching and time to fix benefits of patching vulnerabilities. The main benefit is
a) Providing visibility of an attempted attack
b) Providing more insights about attackers, which can help in taking more proactive detect and protect steps to track and block them.
Eventually, it helps in improving the Total Application Security postures consistently and not as a point in time improvement.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.