How do you translate an abstract business idea into machine language? How can you process overlapping theories without making the machines bleed?
Actually, you cannot. That’s the problem with business logic vulnerabilities.
Machines, unlike human brains, work on simplified binary logic. They respond to conditions that must lead to a simple ‘YES’ or ‘NO’, and absolutely nothing in between.
However, that is not how people running businesses think. They make decisions, often quickly and frequently, with whatever information is available at the time.
While security is certainly on their mind, there is not enough time to study the implications in detail. This is exactly what leads to business logic (or domain logic) flaws.
A business logic flaw is an application vulnerability that arises from a circumstantial security weakness. As a one-of-a-kind problem, it has no universal solution and cannot be detected by automated web application scanning either. Here is a simple way to understand this.
“Only those who understand your business will be able to detect your business logic flaws.”
In theory, a business logic vulnerability might seem a very vague, abstract idea. However, it poses a serious threat to security. The following examples will help you understand.
A renowned stockbroking firm wanted its customers to trade online. Their dummy online trading platform focused on increasing participation and making transactions faster with a two-step process.
Step 1: Users could pick stocks of their choice and the number of shares, then click ‘BUY’. The application calculated the total value of the transaction and asked users to ‘PLACE ORDER’.
Step 2: Users could then choose either to proceed with the order or to cancel the transaction.
Million Dollar Problem
The web application scanning session showed that the application was clean of any OWASP or WASC vulnerability. But problems existed.
An attacker could make informed decisions and make huge profits without administrators knowing about it.
The attacker only had to select a stock at the current price and freeze the process at the confirmation dialog box. If the price of that stock shot up the next day, he could confirm the frozen trade and get the shares at the older value.
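The defensive fix for this flow is to make the quoted price itself expire on the server. The following is an added example, not code from the original post or from the firm described: a hypothetical two-step trading desk in which a quote is single-use, carries its issue time, and is refused at ‘PLACE ORDER’ once it is older than a constructed 30-second lifetime.

```python
import uuid

QUOTE_TTL_SECONDS = 30.0   # constructed value: how long a quoted price stays valid


class TradingDesk:
    """Hypothetical two-step BUY -> PLACE ORDER flow with server-side quote expiry."""

    def __init__(self, market_price):
        self.market_price = market_price   # callable: symbol -> current price
        self.quotes = {}                   # quote_id -> (symbol, shares, price, issued_at)

    def buy(self, symbol, shares, now):
        """Step 1: quote the total at the current price and remember when it was issued."""
        quote_id = str(uuid.uuid4())
        price = self.market_price(symbol)
        self.quotes[quote_id] = (symbol, shares, price, now)
        return quote_id, round(shares * price, 2)

    def place_order(self, quote_id, now):
        """Step 2: honour the quoted price only while the quote is fresh and unused."""
        quote = self.quotes.pop(quote_id, None)   # single use: a quote cannot be replayed
        if quote is None:
            raise ValueError("unknown or already used quote")
        symbol, shares, price, issued_at = quote
        if now - issued_at > QUOTE_TTL_SECONDS:
            # Stale quote: never fill at the old price; the client must re-quote.
            raise ValueError("quote expired; request a fresh price")
        return {"symbol": symbol, "shares": shares, "price": price,
                "total": round(shares * price, 2)}


def demo():
    """Constructed scenario: the price doubles overnight and the frozen quote is refused."""
    prices = {"ACME": 10.0}
    desk = TradingDesk(lambda s: prices[s])
    fresh_id, _ = desk.buy("ACME", 5, now=0.0)
    fresh = desk.place_order(fresh_id, now=10.0)          # confirmed within 30 s: filled
    frozen_id, _ = desk.buy("ACME", 5, now=0.0)
    prices["ACME"] = 20.0                                 # next day: the price shot up
    try:
        desk.place_order(frozen_id, now=86400.0)          # the "frozen" confirmation
        frozen = "filled at old price"
    except ValueError as err:
        frozen = str(err)
    return fresh["total"], frozen
```

The timestamps are plain seconds so the scenario runs offline; in a real deployment the server clock, not anything sent by the browser, supplies `now`.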
An online auction house valued website security above everything else. The owners understood that many hackers would try to brute-force their way into competitor accounts.
Hence, they started using limited-time account suspension after three wrong login attempts.
In simpler words, the associated account ID would be locked if the wrong password was used three consecutive times.
Increasing Odds
Imagine that there are only two users who want item X on auction. They are both placing bids, topping each other, and now just one hour remains in the online auction.
One of the users knows about the account suspension policy, so he takes the account ID of the other bidder and enters a wrong password three times to lock that account. This way, only one bidder remains in the auction.
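The policy is exploitable because the lockout is keyed on the victim's account alone. As an added example (not the auction house's code), the hypothetical `LoginGuard` below blocks only the (source, account) pair that keeps failing, and turns account-wide failures into a step-up challenge and an alert for the owner rather than a lockout, so a rival cannot lock the other bidder out.

```python
from collections import defaultdict

MAX_FAILS_PER_SOURCE = 3        # hard block applies to one (source, account) pair only
STEP_UP_FAILS_PER_ACCOUNT = 3   # account-wide failures trigger a challenge, not a lockout


class LoginGuard:
    """Hypothetical login policy that cannot be used to lock a rival out of their account."""

    def __init__(self):
        self.fails_by_pair = defaultdict(int)      # (source, account) -> consecutive failures
        self.fails_by_account = defaultdict(int)   # account -> failures from any source
        self.alerts = []                           # events a defender would want to see

    def attempt(self, account, source, password_ok):
        pair = (source, account)
        if self.fails_by_pair[pair] >= MAX_FAILS_PER_SOURCE:
            return "blocked_source"   # this source is blocked; the account itself is not
        if not password_ok:
            self.fails_by_pair[pair] += 1
            self.fails_by_account[account] += 1
            if self.fails_by_pair[pair] == MAX_FAILS_PER_SOURCE:
                self.alerts.append(("source_blocked", source, account))
            return "denied"
        # Correct password: clear the counter for this source.
        self.fails_by_pair[pair] = 0
        if self.fails_by_account[account] >= STEP_UP_FAILS_PER_ACCOUNT:
            # Someone else was guessing at this account: ask for a second factor
            # and notify the owner, instead of having locked them out.
            self.fails_by_account[account] = 0
            self.alerts.append(("step_up_required", source, account))
            return "ok_step_up"
        return "ok"
```

The IP addresses used in any test are constructed documentation addresses; a production version would persist the counters with a time window rather than keep them in memory forever.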
An e-commerce website allowed users to view a product and its price, select that product, view the purchase summary, and then proceed to checkout. The process was designed to be executed in this particular order only, and the administrator did not set rules for anything different.
Custom Pricing
An attacker discovered that he could go back to the shopping cart after injecting custom prices into the URL. The website’s server accepted them and allowed the attacker to pay the revised price.
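Both halves of this flaw, the trusted client-supplied price and the unenforced step order, are fixed on the server. The following hypothetical checkout session is an added example, not the site's code: the total is always recomputed from a constructed catalog, stages can only advance one at a time, and a request whose declared total disagrees with the server's is refused and logged.

```python
CATALOG = {"sku-100": 49.99, "sku-200": 15.00}   # constructed catalog prices
STAGES = ("cart", "summary", "checkout")


class CheckoutSession:
    """Hypothetical server-side checkout: prices come from the catalog, never the client."""

    def __init__(self):
        self.items = {}
        self.stage = "cart"
        self.alerts = []

    def add_item(self, sku, qty):
        if self.stage != "cart":
            raise ValueError("cart is closed; start a new session to change items")
        if sku not in CATALOG or qty < 1:
            raise ValueError("invalid item")
        self.items[sku] = self.items.get(sku, 0) + qty

    def total(self):
        """Authoritative total, recomputed from the catalog every time it is needed."""
        return round(sum(CATALOG[sku] * qty for sku, qty in self.items.items()), 2)

    def advance(self):
        """Stages move forward one at a time; a client cannot jump straight to checkout."""
        if self.stage == STAGES[-1]:
            raise ValueError("session already completed")
        self.stage = STAGES[STAGES.index(self.stage) + 1]
        return self.stage

    def pay(self, client_params):
        """Request parameters may carry a 'total'; it is checked against ours, never used."""
        if self.stage != "summary":
            raise ValueError(f"cannot pay from stage '{self.stage}'")
        expected = self.total()
        claimed = client_params.get("total")
        if claimed is not None and round(float(claimed), 2) != expected:
            # Tampered or stale amount: record it and send the user back to the summary.
            self.alerts.append(("price_mismatch", claimed, expected))
            raise ValueError("displayed total does not match the current price")
        self.stage = "checkout"
        return expected
```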
In days when hacking fetches much greater rewards, crooks are always looking for ways to get around your database.
When complex business ideas overlap each other, the chances of a business logic vulnerability increase far beyond what we have shown in the examples above.
In fact, in recent times, more and more hackers are looking for ways that go undetected by automated scanning: ways that exploit business logic paradoxes.
Security analysts believe that web applications were and are being exploited through business logic vulnerabilities. Unfortunately, most companies do not even know about them until there is monetary leakage. The following are some of the rules that need assessment.
How do you patch business logic vulnerabilities before the hackers find them? You find them first.
Finding business logic vulnerabilities is essentially a human task that requires expertise: people trained to identify flaws, much like hackers do.
Managed web application scanning is a better way to detect all kinds of vulnerabilities within the application. While automated scanning looks for the top OWASP threats, security experts will understand your business functions and their subsequent effects on web applications.
Once detected, you can either patch the vulnerability in each application or shield them with a managed web application firewall.
A managed web application firewall’s value goes beyond virtual patching and the time-to-fix benefits of patching vulnerabilities. The main benefits are:
a) Providing visibility of an attempted attack
b) Providing more insights about attackers, which can help in taking more proactive detect-and-protect steps to track and block them.
Eventually, it helps in improving the total application security posture consistently, and not as a point-in-time improvement.
This post was last modified on February 7, 2024 15:21