[Owasp-leaders] Business Logic Security Issues?

psiinon psiinon at gmail.com
Wed Mar 14 09:43:02 UTC 2012


Hi Juan,

I treat these as security issues, and classify them as "application
security" issues.
It would be great if they were picked up in functional testing / QA, but I
don't think we can rely on that, due to the fact that many/most functional testers
lack basic pentest knowledge.
So abusing business/application logic should always be a key part of any
security test.

Testing for them is where pentesters add real value - there's no way you can
automate this sort of test.
To find such issues you need to really understand the application you are
testing, and then "think bad thoughts" ;)
What is the real purpose of the webapp? What are the critical resources?
What's the worst case scenario?
How can I abuse the application in ways the developers didn't expect?
I think it's very difficult to give generic rules or guidelines, as it
depends so much on the application you are testing.

Cheers,

Simon

On Tue, Mar 13, 2012 at 10:09 PM, Juan Carlos Calderon Rojas <
juan.calderon at softtek.com> wrote:

> I want some light from you guys.
>
> Business logic issues could make businesses lose a lot of money, but they
> are not always considered “security” issues.
>
> Case 1. One classical example is shopping cart abuse (buy a Hi Def 60” TV
> for 1 Cent by modifying hidden fields containing cost). You are not
> stealing information or similar (yet you are committing fraud, but AFAIK,
> fraud is not considered a security issue in the industry).
>
> Case 2. Another example in the configuration arena is the “open SMTP relay”:
> the service daemon might be very secure and not expose any buffer overflow
> or similar, but misuse of the service by a spammer will make your company
> emails (probably containing bills and purchase orders) not reach your
> customers/providers, causing costly delays.
>
> Case 3. The so-called “Cash Overflow”
> https://www.owasp.org/index.php/Cash_Overflow, and so on…
>
> I know some have pleaded for considering them in security testing since
> long ago (Jeremiah G included), but… How do you personally classify them?
> Do you test for them? How?
>
> Regards,
>
> JC
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
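As an added illustration of Case 1 (client-supplied price) and the quantity abuse behind Case 3, not code from either poster: a checkout total that trusts the submitted form beside one that takes price from a server-side catalogue and bounds the quantity. The catalogue, the SKU names and the tampered requests are all constructed for the example.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed server-side catalogue: the only legitimate source of a price.
CATALOGUE: Dict[str, Decimal] = {
    "tv-60-hd": Decimal("1499.00"),
    "hdmi-cable": Decimal("12.50"),
}
MAX_QTY = 100  # per-line cap chosen for the example


class OrderError(ValueError):
    """Raised when a submitted order line fails server-side validation."""


def total_trusting_client(form: List[dict]) -> Decimal:
    """Vulnerable: multiplies the 'price' the browser sent (e.g. a hidden
    input) by whatever quantity it sent, so both can be rewritten."""
    total = Decimal("0")
    for line in form:
        total += Decimal(str(line["price"])) * int(line["qty"])
    return total


def total_server_side(form: List[dict]) -> Decimal:
    """Hardened: ignores any submitted price, looks the SKU up in the
    catalogue and rejects non-integer, zero, negative or oversized quantities."""
    total = Decimal("0")
    for line in form:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku!r}")
        try:
            qty = int(line.get("qty", 0))
        except (TypeError, ValueError, InvalidOperation):
            raise OrderError("quantity is not an integer")
        if not 1 <= qty <= MAX_QTY:
            raise OrderError(f"quantity {qty} out of range")
        total += CATALOGUE[sku] * qty
    return total


def rejects(form: List[dict]) -> bool:
    """True if the hardened path refuses the order (used to show the check fires)."""
    try:
        total_server_side(form)
    except OrderError:
        return True
    return False


# Constructed tampered requests: hidden price set to one cent (Case 1),
# and a negative quantity used to pull the total down (Case 3 style).
TAMPERED_PRICE = [{"sku": "tv-60-hd", "price": "0.01", "qty": 1}]
NEGATIVE_QTY = [{"sku": "tv-60-hd", "price": "1499.00", "qty": 1},
                {"sku": "hdmi-cable", "price": "12.50", "qty": -100}]
```

The same lookup-and-bound rule applies to any value the client echoes back (discount codes, shipping tiers, currency), which is why Simon's "what are the critical resources" question is worth asking per field.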