Insufficient Process Validation occurs when an application fails to enforce business process rules, enabling an attacker to circumvent the intended flow or business logic of the application.
"Flow control" refers to multistep processes that require the user to perform each step in a specific order. Examples of multistep processes include wire transfer, password recovery, purchase checkout, and account sign-up. Unless the application has strong validation, an attacker can perform a step incorrectly or out of order, access controls can be bypassed, and the integrity of the application can be compromised.
"Business logic" refers to the context in which a process will execute as governed by the business requirements. Exploiting a business logic weakness requires knowledge of the business; if no knowledge is needed to exploit it, then most likely it isn't a business logic flaw. Typical security measures such as scans and code review will not find this class of weakness.
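The flow-control weakness described above comes down to where the notion of "current step" lives. The following added example (not code from the original page) contrasts a handler that trusts whatever step name the client submits with one that tracks progress server-side and accepts a step only when it is the next expected one. The checkout step names, the `Session` object and the `authorized` payment flag are assumptions made for this example; re-doing an earlier step deliberately discards everything recorded after it, so a cart changed after payment forces payment to be repeated.

```python
"""Server-side enforcement of step order in a multistep process (added example)."""
from dataclasses import dataclass, field

# Hypothetical checkout flow; the step names are assumptions for this example.
CHECKOUT_STEPS = ("cart", "shipping", "payment", "confirm")


class FlowError(Exception):
    """Raised when a client attempts a step that is unknown, out of order, or invalid."""


@dataclass
class Session:
    completed: list = field(default_factory=list)  # steps finished so far, in order
    data: dict = field(default_factory=dict)       # payload recorded per completed step


def weak_handle(session, step, payload):
    """Weak: trusts the client-supplied step; 'confirm' can be called on a fresh session."""
    session.data[step] = payload
    return "order placed" if step == "confirm" else "ok"


def strong_handle(session, step, payload):
    """Strong: the server decides which step is due and validates the step's data."""
    if step not in CHECKOUT_STEPS:
        raise FlowError(f"unknown step {step!r}")
    idx = CHECKOUT_STEPS.index(step)
    # Only the next step (or a previously completed one) may be submitted.
    if idx > len(session.completed):
        expected = CHECKOUT_STEPS[len(session.completed)]
        raise FlowError(f"step {step!r} out of order; expected {expected!r}")
    # Per-step validation happens before any state changes.
    if step == "payment" and not payload.get("authorized"):
        raise FlowError("payment not authorized")
    # Re-doing an earlier step invalidates every step after it.
    for later in CHECKOUT_STEPS[idx:]:
        session.data.pop(later, None)
    session.completed = session.completed[:idx]
    session.data[step] = payload
    session.completed.append(step)
    return "order placed" if step == "confirm" else "ok"


def demo():
    """Runs both handlers on a session that skips straight to 'confirm'."""
    weak = Session()
    skipped_weak = weak_handle(weak, "confirm", {})
    strong = Session()
    try:
        strong_handle(strong, "confirm", {})
        skipped_strong = "order placed"
    except FlowError as err:
        skipped_strong = f"rejected: {err}"
    return skipped_weak, skipped_strong


if __name__ == "__main__":
    print(demo())
```

The point of the strong handler is that the client never tells the server where it is in the process; the server's own record of completed steps is the only source of truth, and any request that does not match it is refused rather than silently recorded.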
Yahoo had a promotional offer where, if you deposited USD $30 into an advertising account, Yahoo would add an additional USD $50 to that account. The sign-up process could be circumvented so that the additional USD $50 was credited without the requisite USD $30 ever being deposited.
Tower Records' form validation assumed that the user would fill out a form in the order presented, but in reality some users filled out the bottom portion first, triggering a bug that was not caught during development and resulted in lost sales.
E-trade and Schwab, in their sign-up process, failed to validate a limit of one bank account per user, allowing an attacker to assign the same bank account to tens of thousands of users, resulting in a loss of USD $50,000.00.
QVC lost more than USD $412,000.00 when a woman discovered she could purchase items via the QVC website, immediately cancel her order, and still receive the items.
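Each of the Yahoo, E-trade/Schwab and QVC cases above is a business rule that was stated in the requirements but never enforced in code. The following added example (not code from the page or from any of the companies named) models those three rules as explicit invariants checked at the point where state changes: the promotional bonus is credited only once and only after the required deposit has settled, a bank account can be linked to at most one user, and an order that has been cancelled can no longer be shipped. The `Platform` class, its method names and the account and user identifiers are constructed for this example; the USD $30 and USD $50 amounts are the figures given on the page.

```python
"""Business-rule invariants drawn from the case studies (added example, hypothetical API)."""

PROMO_DEPOSIT_USD = 30  # deposit required before the bonus applies (figure from the page)
PROMO_BONUS_USD = 50    # bonus credited after the deposit settles (figure from the page)


class RuleViolation(Exception):
    """Raised when an operation would break a business rule."""


class Platform:
    def __init__(self):
        self.balances = {}          # user -> settled balance in USD
        self.bonus_granted = set()  # users who have already received the promo bonus
        self.bank_owner = {}        # bank account id -> user who linked it
        self.orders = {}            # order id -> "placed" | "shipped" | "cancelled"
        self._next_order = 1

    # --- Yahoo case: bonus must follow a settled deposit -------------------
    def record_deposit(self, user, usd):
        if usd <= 0:
            raise RuleViolation("deposit must be positive")
        self.balances[user] = self.balances.get(user, 0) + usd

    def grant_bonus_weak(self, user):
        """Weak: credits the bonus as soon as the sign-up wizard reports completion,
        without checking that the deposit step actually produced a deposit."""
        self.balances[user] = self.balances.get(user, 0) + PROMO_BONUS_USD

    def grant_bonus(self, user):
        """Strong: bonus only once per user, and only after the required deposit settled."""
        if user in self.bonus_granted:
            raise RuleViolation("bonus already granted")
        if self.balances.get(user, 0) < PROMO_DEPOSIT_USD:
            raise RuleViolation("required deposit not received")
        self.bonus_granted.add(user)
        self.balances[user] += PROMO_BONUS_USD

    # --- E-trade/Schwab case: a bank account belongs to at most one user ---
    def link_bank_account(self, user, account_id):
        owner = self.bank_owner.get(account_id)
        if owner is not None and owner != user:
            raise RuleViolation("bank account already linked to another user")
        if user in self.bank_owner.values() and owner != user:
            raise RuleViolation("user already has a linked bank account")
        self.bank_owner[account_id] = user

    # --- QVC case: cancellation must stop fulfilment -----------------------
    def place_order(self, user):
        oid = self._next_order
        self._next_order += 1
        self.orders[oid] = "placed"
        return oid

    def cancel_order(self, oid):
        if self.orders[oid] == "shipped":
            raise RuleViolation("order already shipped; cannot cancel")
        self.orders[oid] = "cancelled"

    def ship_order(self, oid):
        # Fulfilment re-checks the order's state instead of trusting the
        # original purchase event, so a cancelled order never ships.
        if self.orders[oid] != "placed":
            raise RuleViolation(f"order {oid} is {self.orders[oid]}; cannot ship")
        self.orders[oid] = "shipped"


if __name__ == "__main__":
    p = Platform()
    p.record_deposit("alice", PROMO_DEPOSIT_USD)   # constructed user
    p.grant_bonus("alice")
    print("alice balance:", p.balances["alice"])
```

The pattern in all three checks is the same: the rule is evaluated against server-held state at the moment the sensitive operation runs, not inferred from which screen the user reached or from an earlier event that a later one may have undone.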