I thought I'd take a moment to dig a little deeper on our whitepaper titled "Top 10 Business Logic Attack Vectors."
Why did we write this paper?
- Business logic vulnerabilities are not new, but these vulnerabilities are common, dangerous and are too often untested.
- Security experts need to know that these must be tested manually and must not be overlooked. It is imperative to complement automated testing process with a human discovery of security risks that can be exploited by manipulating the business logic. We know that automation can't test everything.
- We wanted to demystify business logic vulnerabilities by giving specific examples and patterns that we have observed. We designed this to be helpful to new and experienced pen testers, security teams and developers.
Automation v. Humans
There are some things that automation does better than humans and some things humans do better than automation. Let the automated scanners check for SQLi, XSS and the other vulnerabilities with repeatable patterns that scanners can test better than humans. Conducting comprehensive manual testing of a custom application takes too long, is too expensive and is too error prone. Humans just can't and won't tick off every single parameter one by one.
Take this simple formula that I like to use as an example:
An application has 10 parameters per page, 200 payloads and 100 pages.
This is what your work looks like:
10 inputs x 200 payloads = 2,000 attacks per page; 2,000 x 100 pages = 200,000 attacks
Whether they are hired guns or new employees, testers will too often only be able to spot check.
As 451 Research Director Wendy Nather has said, "You can give your team Red **** all day long, but they still need to sleep sometime." It just makes sense. Leverage automation to check every parameter on every page for every repeatable payload. Save your smart and expensive resources for the difficult testing that requires human intelligence, deductive reasoning and an understanding of business logic.
What are business logic flaws?
Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers use deductive reasoning about how the application is meant to work to trick it into doing something it should not. In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does.
Some high level examples of business logic are:
- customer purchase orders
- banking queries
- wire transfers
- online auctions
Business logic is also defined in more specific rules, such as which users are allowed to see what and how much users are charged for various items. This whitepaper arms new and experienced penetration testers with specific instructions, real-world examples and code snippets for testing and exploiting the ten most common business logic vulnerabilities. In conjunction with our SaaS offering, AppSpider OnDemand, we offer business logic testing as one of our enhanced services.
The 10 most common business logic attack vectors include:
- Authentication flags and privilege escalations
- Critical parameter manipulation and access to unauthorized information/content
- Developer's cookie tampering and business process/logic bypass
- LDAP parameter identification and critical infrastructure access
- Business constraint exploitation
- Business flow bypass
- Identity or profile extraction
- File or unauthorized URL access & business information extraction
- Denial of Service (DoS) with business logic
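To make three of the vectors above concrete (authentication flags, critical parameter manipulation and business constraint exploitation), here is an added example; it is not code from the whitepaper or from Rapid7. It shows a checkout handler and a report-access check that trust client-supplied values, beside hardened versions that take price, quantity limits and role from server-side state. The catalogue, the limit, the request shapes and all function names are assumptions constructed for illustration. A scanner sees well-formed input and a 200 response in both cases; only a tester who understands the intended rules notices what the vulnerable handlers allow.

```python
"""Business logic flaws: vulnerable handlers beside hardened ones.

Added example, not from the whitepaper. Catalogue, limits and request
shapes are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed server-side catalogue: the only legitimate source of price.
CATALOGUE = {"sku-100": 49.99, "sku-200": 5.00}
MAX_QTY_PER_LINE = 10  # assumed business constraint


@dataclass
class Order:
    sku: str
    quantity: int
    total: float


class BusinessRuleViolation(ValueError):
    """Raised when a request is well-formed but breaks a business rule."""


def checkout_vulnerable(request: dict) -> Order:
    """Critical parameter manipulation / constraint exploitation.

    Trusts unit_price and quantity exactly as the client sent them, so a
    client can set its own price or submit a negative quantity and get a
    negative total (a refund-style credit) while every input still parses.
    """
    sku = request["sku"]
    qty = int(request["quantity"])
    price = float(request["unit_price"])  # client-controlled
    return Order(sku, qty, round(qty * price, 2))


def checkout_hardened(request: dict) -> Order:
    """Price comes from the catalogue; quantity is range-checked."""
    sku = request.get("sku")
    if sku not in CATALOGUE:
        raise BusinessRuleViolation("unknown sku")
    try:
        qty = int(request.get("quantity", 0))
    except (TypeError, ValueError):
        raise BusinessRuleViolation("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY_PER_LINE:
        raise BusinessRuleViolation("quantity out of range")
    price = CATALOGUE[sku]  # any client-supplied unit_price is ignored
    return Order(sku, qty, round(qty * price, 2))


def can_view_report_vulnerable(request: dict) -> bool:
    """Authentication flag trusted from the request itself."""
    return str(request.get("admin", "0")) == "1"


def can_view_report_hardened(request: dict, session: dict) -> bool:
    """Authorization decided by the server-side session, never the request.

    The request argument is accepted only to show that nothing in it is
    consulted for the decision.
    """
    return session.get("role") == "admin"


def violates_rules(request: dict) -> bool:
    """Helper for the hardened path: True when the order would be rejected."""
    try:
        checkout_hardened(request)
    except BusinessRuleViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: a self-priced item and a negative quantity.
    cheap = {"sku": "sku-100", "quantity": 1, "unit_price": 0.01}
    negative = {"sku": "sku-100", "quantity": -3, "unit_price": 49.99}
    print("vulnerable, self-priced :", checkout_vulnerable(cheap).total)
    print("vulnerable, negative qty:", checkout_vulnerable(negative).total)
    print("hardened rejects both   :", violates_rules(cheap), violates_rules(negative))
    print("admin flag from client  :", can_view_report_vulnerable({"admin": "1"}))
    print("admin from session      :", can_view_report_hardened({"admin": "1"}, {"role": "customer"}))
```

The point for testing is the contrast: both handlers accept the same well-formed requests, so the defect only shows when the tester knows that a customer must never set the price, that a quantity below one is meaningless, and that a role is a property of the session rather than of the request.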
Our research team identified these 10 logic flaws as the most common through years of experience testing applications. For more information or to download the complete paper visit: https://information.rapid7.com/top-10-business-logic-vectors-whitepaper.html