Website Security Whitepaper

Seven Business Logic Flaws That Put Your Website At Risk

Download a Complimentary Copy of this Whitepaper ›››

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Hardly a winning trifecta. Plus, the more sophisticated and Web 2.0 feature rich a website, the more prone it is to have flaws in business logic due to the complexities involved.

As the number of common vulnerabilities such as SQL Injection and Cross-Site Scripting are reduced, the bad guys are increasing their attacks on business logic flaws. Following are real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of a website. We’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Winning an Online Auction

Class: Abuse of Functionality

An on-line auction website prevents attackers from guessing the passwords of users by temporarily locking accounts that receive too many failed attempts (5 tries) in a given amount of time. Once an account is locked, the attacker (or the user) must wait for a timeout to expire (1 hr) before attempting to login again. Account locking is one of several techniques used to slow down brute force attacks.

Once logged-in, users are able to browse items being auctioned and view who bid on what. To place a bid, a user is asked for their password to verify their intent, which prevent unintended bids and also stops Cross-Site Request Forgery attacks. The bidding process is tied into the login security system to deny password guessing in this area, as well.

Can you spot the security problem?
If a malicious user wanted to place competing bidders at a disadvantage and improve their odds of winning an auction, they could, easily. To do so, they’d start by bidding on the item early and at a low price. When/if someone placed a higher bid, the malicious user would respond not only by bidding slightly higher, but also by running a sustained login brute force attack against that user’s account. The result: The user would be unable to bid on the item because their account would be purposely locked by the attacker, since the bidding system is tied to the login security system. The malicious user would continue this attack for anyone who attempted to bid higher until the auction ends. The malicious user is not guaranteed to win, but locking out competitive bidders certainly improves the odds, while retaining their ability to drop out of the running at any time.


  • Do not display user names on the website. This not only increases user privacy, but also prevents an attacker from knowing which bidder they need/want to lockout.

  • As an alternative to an account lockout, a CAPTCHA system may be employed if an account has received too many failed login attempts. This method has the benefit of preventing brute force attacks, without the potential side effect of locking out legitimate users who are making bids.

  • Online auctions may allow sellers to specify a minimum bid price before they must sell the item. So, if an attacker used the method described to get an unreasonable price, they are not guaranteed to get the item.

About the Author

Jeremiah Grossman is the founder and CTO of WhiteHat Security. Mr. Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and co-author of the recently published book, Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and teGrossmanchnology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO Magazine, and InformationWeek.



3970 Freedom Circle, Santa Clara, CA 95054 | 408.343.8300 |
2014 © Copyright | WhiteHat Security
Twitter facebook Youtube