[Owasp-leaders] FW: Business Logic Security Issues?

Venkatesh Jagannathan venki at owasp.org
Wed Mar 14 04:18:26 UTC 2012


Hi Juan,
     I usually treat this as a part of application testing *AND* security
testing, depending on the use case.

For example, one can have a use case that indicates that the data should
not be visible in plain text to a user. In this case, even though it is
both business function as well as security, it becomes imperative that it
is tested as security test case as well.

My approach for cases like these is automated unit test cases, either
using MSTest or NUnit (for .NET apps) and JUnit (for Java apps). Typically,
these test cases can be caught even when the design is in place, and we
immediately add these to our test suite so that we don't miss the logic
bombs.

From a tester's perspective, it should be treated as a security test case or
a business logic bomb test case; it does not matter, as long as it is covered.

Thanks & Regards,
~Venki, Chennai Chapter Leader.
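As an added illustration of the kind of unit test described above (example code, not from Venki's or JC's mail), applied to the shopping-cart case quoted below: the server recomputes the total from its own catalog, and the tests assert that a tampered hidden price field or a negative quantity cannot change what is charged. The catalog, SKUs and function names are constructed for the example.

```python
from decimal import Decimal
import unittest

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"TV-60-HD": Decimal("1499.99"), "HDMI-CABLE": Decimal("9.99")}


class PriceTamperingError(ValueError):
    """Raised when a client-supplied price disagrees with the catalog."""


def checkout(cart_items):
    """Compute the order total from CATALOG only.

    cart_items: list of dicts as posted by the browser form, e.g.
    {"sku": "TV-60-HD", "qty": 1, "price": "0.01"}. The optional 'price'
    key is the hidden form field; it is checked against the catalog but
    never used in the arithmetic.
    """
    total = Decimal("0")
    for item in cart_items:
        sku = item["sku"]
        if sku not in CATALOG:
            raise KeyError(f"unknown sku {sku!r}")
        qty = int(item["qty"])
        if qty <= 0:
            # A negative quantity would act as a refund line; reject it.
            raise ValueError("quantity must be positive")
        if "price" in item and Decimal(str(item["price"])) != CATALOG[sku]:
            raise PriceTamperingError(f"client price for {sku} differs from catalog")
        total += CATALOG[sku] * qty
    return total


class BusinessLogicTests(unittest.TestCase):
    def test_honest_cart(self):
        self.assertEqual(checkout([{"sku": "TV-60-HD", "qty": 1}]), Decimal("1499.99"))

    def test_hidden_price_field_is_rejected(self):
        with self.assertRaises(PriceTamperingError):
            checkout([{"sku": "TV-60-HD", "qty": 1, "price": "0.01"}])

    def test_negative_quantity_is_rejected(self):
        with self.assertRaises(ValueError):
            checkout([{"sku": "TV-60-HD", "qty": 1}, {"sku": "HDMI-CABLE", "qty": -100}])


if __name__ == "__main__":
    unittest.main()
```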



> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Juan Carlos
> Calderon Rojas
> *Sent:* Wednesday, March 14, 2012 3:39 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* [Owasp-leaders] Business Logic Security Issues?
>
> I want some light from you guys.
>
> Business logic issues could make businesses lose a lot of money, but they
> are not always considered “security” issues.
>
> Case 1. One classical example is shopping cart abuse (buy a Hi Def 60” TV
> for 1 Cent by modifying hidden fields containing cost). You are not
> stealing information or similar (yet you are committing fraud, but AFAIK,
> fraud is not considered a security issue in the industry).
>
> Case 2. Another example, in the configuration arena, is the “open SMTP relay”:
> the service daemon might be very secure and not expose any buffer overflow
> or similar, but misuse of the service by a spammer will make your company
> emails (probably containing bills and purchase orders) not reach your
> customers/providers, causing costly delays.
>
> Case 3. The so-called “Cash Overflow”
> https://www.owasp.org/index.php/Cash_Overflow, and so on…
>
> I know some have pleaded for considering them in security testing since
> long ago (Jeremiah G included), but… How do you personally classify them?
> Do you test for them? How?
>
> Regards,
>
> JC
>