Business Logic Vulnerability

What is it

Business logic vulnerabilities are weaknesses in the application's own business logic: the application does what it was designed to do, but the design lets a legitimate feature be used in a way its authors did not intend. Because the flaw lies in the intended behaviour rather than in a recognisable coding defect, these vulnerabilities usually cannot be identified by automated tools and require manual analysis and testing.

One example is the North Carolina news channel 14 website, which let viewers submit messages that were shown as on-screen text during the broadcast. The flaw allowed many users to display spam messages and pornographic content before the feature was shut down.

How serious is it

Business logic vulnerabilities are a mixed bag: the impact of exploiting one depends entirely on the business logic concerned.

The impact can fall on any of the three security properties. Integrity: a feature is abused to do something the business never intended (functionality abuse). Availability: an account lockout rule that locks a user out after X wrong passwords lets anyone who knows the user's ID lock that legitimate user out at will. Confidentiality: the abused feature exposes data the attacker should not be able to read.
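The lockout example above, worked through as an added illustration that is not from the original page: a naive account-lockout rule beside a throttled version, with the abuse case ("attacker locks the victim out") written as a function so it can be run as a test. The user store, IP addresses, timings and class names are all constructed for this example.

```python
from collections import defaultdict

MAX_FAILURES = 5        # failures before the naive scheme hard-locks the account
LOCK_SECONDS = 900      # naive hard-lock duration; also the cap on the hardened backoff

# Constructed user store for the example only (not real credentials).
USERS = {"alice": "correct-horse", "bob": "battery-staple"}


class NaiveLockoutLogin:
    """Vulnerable business logic: the account is hard-locked after MAX_FAILURES
    wrong passwords, regardless of who submitted them. Anyone who knows a
    victim's user ID can therefore lock the victim out on demand."""

    def __init__(self):
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unlock timestamp

    def login(self, username, password, now, source_ip):
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCK_SECONDS
            self.failures[username] = 0
        return "invalid"


class HardenedLogin:
    """Hardened variant: failures are counted per (source, username) and punished
    with an exponential delay instead of a hard account lock. The attacker's
    guessing rate is still capped, but the legitimate user logging in from a
    different source is unaffected."""

    def __init__(self):
        self.failures = defaultdict(int)   # (source_ip, username) -> failures
        self.next_allowed = {}             # (source_ip, username) -> earliest retry

    def login(self, username, password, now, source_ip):
        key = (source_ip, username)
        if self.next_allowed.get(key, 0) > now:
            return "throttled"
        if USERS.get(username) == password:
            self.failures.pop(key, None)
            self.next_allowed.pop(key, None)
            return "ok"
        self.failures[key] += 1
        delay = min(2 ** (self.failures[key] - 1), LOCK_SECONDS)  # 1, 2, 4, 8 ... seconds
        self.next_allowed[key] = now + delay
        return "invalid"


ATTACKER_IP = "10.0.0.66"   # constructed addresses
VICTIM_IP = "192.0.2.10"
T0 = 1_000_000.0            # fixed clock so the scenario is deterministic


def run_attack(service):
    """Abuse case: the attacker submits MAX_FAILURES wrong passwords for alice,
    one per second, from its own address."""
    for i in range(MAX_FAILURES):
        service.login("alice", f"wrong-{i}", now=T0 + i, source_ip=ATTACKER_IP)


def victim_outcome(service):
    """What alice sees when she logs in correctly, from her own address,
    immediately after the attack."""
    run_attack(service)
    return service.login("alice", "correct-horse", now=T0 + MAX_FAILURES, source_ip=VICTIM_IP)


def attacker_outcome(service):
    """What the attacker sees on its next wrong guess after the attack."""
    run_attack(service)
    return service.login("alice", "wrong-again", now=T0 + MAX_FAILURES, source_ip=ATTACKER_IP)


if __name__ == "__main__":
    for cls in (NaiveLockoutLogin, HardenedLogin):
        print(cls.__name__, "victim:", victim_outcome(cls()),
              "attacker:", attacker_outcome(cls()))
```

Both schemes stop the attacker's next guess, but only the naive one also stops alice. Keying the throttle on the source is itself an assumption that the attacker cannot spread guesses across many addresses cheaply; in a real deployment it is combined with MFA, a CAPTCHA or similar step-up, and, if a hard lock is a genuine requirement, with a self-service unlock path so the lock cannot be turned into a denial of service.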

Exploiting a business logic vulnerability may result in

  • Modifying the state of the system on which the vulnerable application runs (loss of Integrity)
  • Gaining access to the data held in the system (loss of Confidentiality)
  • Loss of data, or denial of service to legitimate users (loss of Availability)

How much data an attacker can read or modify depends on the attacker's skill and imagination and on what other weaknesses exist in the system's implementation.

How to prevent

Implement Secure Software Development Lifecycle (SSDLC)

To ensure that applications are secure, security must be built in from the requirements stage and carried through every subsequent stage: design, coding, review, testing, release and implementation.

Implementing an SSDLC helps ensure not only that the requirements capture both use cases and abuse cases (how an attacker would misuse each feature) but also that those requirements are implemented and tested properly, so that the confidentiality, integrity and availability of the system are preserved.