BUSINESS LOGIC ASSESSMENTS: Finding Application Logic Vulnerabilities that an Automatic Scanner can Miss

What are Business Logic Assessments and how are they Different from Pen Tests?

Business Logic Assessments (BLAs) are manual assessments performed by experienced security experts for application security vulnerabilities that cannot be tested effectively in an automated fashion. A BLA allows unique and custom business logic flows and application designs to be tested with custom business logic tests that analyze design flaws and validate account privileges across roles and between users. These customized tests verify whether applications allow unexpected business behaviors, and they augment scanner capabilities to cover the logic vulnerabilities that the scanner cannot handle on its own. An automated scan can be configured to detect when a URL is accessible without authentication, but it cannot detect failures in authorization controls. While an automated scan can enumerate through account numbers, it cannot see the context needed to determine whether those accounts belong to different users. WhiteHat’s expert analysis of these critical design-flaw security vulnerabilities includes custom descriptions and remediation guidance in the context of the business.
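The authentication-versus-authorization gap described above, as an added example that is not WhiteHat's code: a minimal account lookup where every request from a logged-in user returns a normal response, so an id-enumerating scanner sees nothing wrong, beside the fixed handler that checks ownership. The account data, session tokens and handler names are constructed for illustration.

```python
# Added example (not from the original page): why a scanner that only checks
# "does this URL require login?" cannot see a cross-user authorization flaw.
# All data below is constructed; a real application would read from its store.

ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 980.50},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed session tokens


class Unauthorized(Exception):
    """Caller is not logged in (the condition a scanner can detect)."""


class Forbidden(Exception):
    """Caller is logged in but may not access this resource."""


def authenticate(token):
    """Authentication only: establishes who the caller is."""
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized("login required")
    return user


def get_account_vulnerable(token, account_id):
    """Logic flaw: any logged-in user can read ANY account by changing the id.
    Each response is a valid account record, so enumeration alone reveals
    nothing; only the context (who owns 1002?) shows the failure."""
    authenticate(token)
    return ACCOUNTS[account_id]


def get_account_fixed(token, account_id):
    """Authentication plus authorization: the caller must own the account.
    A missing account and a foreign account get the same error, so the
    response does not leak which account numbers exist."""
    user = authenticate(token)
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        raise Forbidden("not your account")
    return account


def cross_user_check(handler):
    """The manual BLA test: does alice's session return bob's account?
    Returns True when the handler leaks the other user's data."""
    try:
        handler("tok-alice", "1002")
        return True
    except Forbidden:
        return False
```

The same `cross_user_check` driven with two real sessions and a second user's identifiers is the test an assessor repeats for every object type the application exposes.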

A penetration test (pen test) is a simulated attack to test the security of your system or software. There are several different types of penetration tests that can be used for different purposes (depending on the need of business security or to meet compliance standards). Examples include network, mobile, IoT, wireless, social engineering, and more. Penetration test reports may provide you with countermeasures to reduce risk.

Chris Presley, Director, Security Assessments at WhiteHat Security, explains, “Overall, a penetration test is far more in-depth and will exploit vulnerabilities to achieve a goal. BLA is focused on production safety, so there is minimal risk to real user impact during testing. The focus is on finding all vulnerabilities rather than just finding what is needed to exploit to reach the pentest objective, and is focused on web applications versus the major focus being on networking.

An analogy of how these two differ would be to visualize a hacker that you hire to check if your home is secure. A penetration tester could find the front door is unlocked and would walk through the door and report that your home is insecure as they got in through the unlocked front door. A WhiteHat Security Engineer would check all doors and windows and other possible entrances to your home to ensure they are safe and secure. Based on their report, you can make informed decisions on what security practices you must follow to ensure that your home stays protected.”

Here are a few reasons why you’d prefer BLAs instead of pen tests:

  • Unlike many pen test methods, BLAs are production safe. Any kind of testing that may result in denial of service or otherwise have a negative impact on an application is avoided. Since BLAs are performed with production safety as a top priority, customers can check for vulnerabilities without disrupting their live production environments, saving money and time.
  • Customers often have to wait for months to get the pen test results. Our BLA findings are reported rapidly via the Sentinel interface with a custom description and steps to reproduce.
  • There are various reasons why you’d want a penetration testing team to check for backdoors and vulnerabilities. However, when specifically looking for web application security vulnerabilities, our WhiteHat security engineers are the trusted subject matter experts you might want to reach out to for web application testing. Pen testers often focus more on network and server issues than on web application vulnerabilities, whereas BLAs specialize in web applications.

The Value of Business Logic Assessments

Business Logic Assessments (BLAs) complement automated scanning, providing the third-party web application penetration test required for many compliance items and best practices.

Automated vulnerability scanners are great at finding vulnerabilities fast, provide good coverage, and are scalable and configurable. But there are drawbacks and things they can miss. Scanners cannot find unexpected and logical vulnerabilities. Manual business logic assessments find what scanners can miss. From process validation to abuse of functionality and logic vulnerabilities that are unique to the business site or code, the security experts know when functionalities are prone to exploitation. BLAs can help you stay abreast of the latest technology threats, and the security experts can think both like a code developer and like a hacker.
WhiteHat recommends scheduling your BLA either immediately (especially for sites that are newly covered under a BLA license) or as best suits the business processes to ensure that major changes to your site are reviewed promptly.

What is a Logic Vulnerability?

A logic vulnerability is not a problem with the code or the framework; it’s a way to exploit the application to make it do something unexpected. Developers are often focused on making applications user-friendly but are not aware of how attackers can reach certain server-side functionality. You might see these vulns as insufficient authorization and authentication, abuse of functionality, or denial of service. How common are these vulnerabilities?

Here’s Why it Matters for your Business

Using an automated DAST solution in conjunction with BLAs, WhiteHat customers are strengthening their web application security and improving their overall compliance and risk management. Top manual vulnerability findings included OWASP Top 10 and CWE Top 25 issues, Cross-Site Scripting (XSS), SQL injection, Fingerprinting, Content Spoofing, Cross-Site Request Forgery (CSRF), URL redirector abuse, Brute Force, and more.
In a recent customer risk analysis, we found that more than 20% of total vulns were detected through BLAs. And around 80% of these vulns had critical to medium rating. If this organization had relied only on automated testing, these critical business logic vulnerabilities would have been missed, possibly leading to a damaging data breach.

Highly Accurate Detection of Business Logic Vulnerabilities by WhiteHat Experts

Experienced security engineers from WhiteHat Security perform manual business logic assessments focused on:

  • Mapping the entire application
  • Examining sensitive areas of production applications
  • Finding issues unlikely to be found via automated scanning
  • Testing applications not accessible by automated scanners
  • Assessing applications that cannot be tested in production-safe ways via automation
  • Checking for authentication and authorization issues
  • Identifying hard-to-find technical vulnerabilities such as blind XSS and blind SQLi
  • Reviewing a detailed vulnerability checklist to ensure complete testing
  • Maintaining a proprietary log to ensure all testing is documented

Are you missing out on catching the vulnerabilities that can result in damaging data breaches? Contact us today to know how WhiteHat can help.

Tags: BLAs, business logic assessments, logic vulnerability, pen tests