Website Security Whitepaper
Seven Business Logic Flaws That Put Your Website At Risk
Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Hardly a winning trifecta. Plus, the more sophisticated and Web 2.0 feature rich a website, the more prone it is to have flaws in business logic due to the complexities involved.
As the number of common vulnerabilities such as SQL Injection and Cross-Site Scripting are reduced, the bad guys are increasing their attacks on business logic flaws. Following are real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of a website. We’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.
Winning an Online Auction
Class: Abuse of Functionality
An on-line auction website prevents attackers from guessing the passwords of users by temporarily locking accounts that receive too many failed attempts (5 tries) in a given amount of time. Once an account is locked, the attacker (or the user) must wait for a timeout to expire (1 hr) before attempting to login again. Account locking is one of several techniques used to slow down brute force attacks.
Once logged-in, users are able to browse items being auctioned and view who bid on what. To place a bid, a user is asked for their password to verify their intent, which prevent unintended bids and also stops Cross-Site Request Forgery attacks. The bidding process is tied into the login security system to deny password guessing in this area, as well.
Can you spot the security problem?
About the Author