[Owasp-leaders] Business Logic Security Issues?

Juan Carlos Calderon Rojas juan.calderon at softtek.com
Tue Mar 13 22:09:00 UTC 2012

I want some light from you guys

Business logic issues could make businesses lose a lot of money, but they are not always considered “security” issues.

Case 1. One classical example is shopping cart abuse (buy a Hi Def 60” TV for 1 Cent by modifying hidden fields containing cost).  You are not stealing information or similar (yet you are committing fraud, but AFAIK, fraud is not considered a security issue on the industry).

Case 2. Another example on the configuration arena is, “open SMTP relay”, the service daemon might be very secure and not expose any buffer overflow or similar, but misuse of the service by an spammer will make your company emails (probably containing bills and purchase orders) not reaching your customers/providers, causing costly delays.

Case 3.  The so-called “Cash Overflow” https://www.owasp.org/index.php/Cash_Overflow, and so on…

I know some have pleaded for considered them on security testing since long ago (Jeremiah G included), but… How do you personally classify them?  Do you test for them? How?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120313/67bca2b5/attachment.html>

More information about the OWASP-Leaders mailing list