Application Security Terminology

Glossary

Insufficient Process Validation

Insufficient Process Validation occurs when an application fails to enforce business process rules, enabling an attacker to circumvent the intended flow or business logic of the application. 

"Flow control" refers to multistep processes in which each step must be performed by the user in a specific order. Examples of multistep processes include wire transfers, password recovery, purchase checkout, and account sign-up. Unless the application validates the sequence of steps on the server side, an attacker can perform a step incorrectly or out of order; access controls can then be bypassed, and the integrity of the application's data can be compromised.

"Business logic" refers to the context in which a process executes, as governed by the business requirements. Exploiting a business logic weakness requires knowledge of the business; if no such knowledge is needed to exploit it, then most likely it is not a business logic flaw. Typical security measures such as automated scans and code review will not find this class of weakness, because the code behaves exactly as written; the problem is that the rules it enforces are incomplete.
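The following is an added example, not part of the original glossary, showing the server-side validation the two paragraphs above call for. It models a purchase checkout as a state machine: the server records which step a session has reached and refuses any request that does not follow from that state, so a client that sends the "confirm" request first, replays a finished checkout, or edits its address after paying cannot skip or reorder the flow. The amount charged is also taken from the server-side cart rather than from the request, a small business-rule check of the kind the second paragraph describes. The step names, field names and the `CheckoutSession` class are assumptions constructed for this illustration; the card token and order id are placeholders.

```python
"""Server-side enforcement of step order in a multistep checkout (constructed example)."""
from __future__ import annotations

from enum import Enum


class Step(Enum):
    START = "start"
    ADDRESS = "address"
    PAYMENT = "payment"
    CONFIRM = "confirm"
    DONE = "done"


# The only transitions the server accepts from each state. Any other request is
# out of order and is refused, whatever step name the client supplies.
ALLOWED_NEXT = {
    Step.START: {Step.ADDRESS},
    Step.ADDRESS: {Step.PAYMENT},
    Step.PAYMENT: {Step.CONFIRM, Step.ADDRESS},  # the user may go back to edit the address
    Step.CONFIRM: {Step.DONE},
    Step.DONE: set(),  # a finished checkout cannot be replayed
}


class FlowError(Exception):
    """Raised when a request arrives out of the order the process requires."""


def _require(payload: dict, *keys: str) -> None:
    missing = [k for k in keys if k not in payload]
    if missing:
        raise ValueError(f"missing fields: {missing}")


def _on_address(data: dict, payload: dict) -> None:
    _require(payload, "street", "postcode")
    data["address"] = {"street": payload["street"], "postcode": payload["postcode"]}
    data.pop("payment", None)  # a changed address invalidates an earlier payment step


def _on_payment(data: dict, payload: dict) -> None:
    _require(payload, "card_token")
    # The amount comes from the server-side cart, never from the client request.
    data["payment"] = {"card_token": payload["card_token"], "amount": data["cart_total"]}


def _on_confirm(data: dict, payload: dict) -> None:
    # Defence in depth: even if the transition table were wrong, confirm needs both prior steps.
    if "address" not in data or "payment" not in data:
        raise FlowError("confirm reached without completed address and payment")
    data["confirmed"] = True


def _on_done(data: dict, payload: dict) -> None:
    data["order_id"] = "ORDER-PLACEHOLDER"  # constructed; real code would persist the order


STEP_HANDLERS = {
    Step.ADDRESS: _on_address,
    Step.PAYMENT: _on_payment,
    Step.CONFIRM: _on_confirm,
    Step.DONE: _on_done,
}


class CheckoutSession:
    """Holds the server-side state for one checkout; the client never sets `state` directly."""

    def __init__(self, cart_total: int) -> None:
        self.state = Step.START
        self.data = {"cart_total": cart_total}

    def request_step(self, requested: Step, payload: dict | None = None) -> Step:
        if requested not in ALLOWED_NEXT[self.state]:
            raise FlowError(f"cannot go from {self.state.value} to {requested.value}")
        STEP_HANDLERS[requested](self.data, payload or {})
        self.state = requested
        return self.state


def run_in_order(cart_total: int = 4200) -> dict:
    """The legitimate path: each step in sequence, ending in DONE with the server-side amount."""
    s = CheckoutSession(cart_total)
    s.request_step(Step.ADDRESS, {"street": "1 Example St", "postcode": "00000"})
    s.request_step(Step.PAYMENT, {"card_token": "tok_constructed"})
    s.request_step(Step.CONFIRM)
    s.request_step(Step.DONE)
    return {"state": s.state, "amount": s.data["payment"]["amount"]}


def skip_to_confirm_is_rejected() -> bool:
    """A client that sends confirm first must be refused and left at START."""
    s = CheckoutSession(4200)
    try:
        s.request_step(Step.CONFIRM)
    except FlowError:
        return s.state is Step.START
    return False


def replay_after_done_is_rejected() -> bool:
    """Re-sending DONE (or any step) against a finished checkout must be refused."""
    s = CheckoutSession(4200)
    run_in_order.__wrapped__ if False else None  # no-op; keeps the helper self-contained
    s.request_step(Step.ADDRESS, {"street": "1 Example St", "postcode": "00000"})
    s.request_step(Step.PAYMENT, {"card_token": "tok_constructed"})
    s.request_step(Step.CONFIRM)
    s.request_step(Step.DONE)
    try:
        s.request_step(Step.DONE)
    except FlowError:
        return s.state is Step.DONE
    return False


def backtrack_invalidates_payment() -> bool:
    """Going back to edit the address after paying must force the payment step to be redone."""
    s = CheckoutSession(4200)
    s.request_step(Step.ADDRESS, {"street": "1 Example St", "postcode": "00000"})
    s.request_step(Step.PAYMENT, {"card_token": "tok_constructed"})
    s.request_step(Step.ADDRESS, {"street": "2 Other Rd", "postcode": "11111"})
    try:
        s.request_step(Step.CONFIRM)  # not allowed from ADDRESS, and payment was cleared
    except FlowError:
        return "payment" not in s.data and s.state is Step.ADDRESS
    return False
```

The design point is that the step a request claims to be is never trusted on its own: the server compares it against the state it recorded for the session, and only the transition table decides whether the step may run. Note that `replay_after_done_is_rejected` repeats the happy-path calls rather than reusing `run_in_order`, because it needs the session object afterwards.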