[Owasp-leaders] FW: Business Logic Security Issues?

Juan Carlos Calderon Rojas juan.calderon at softtek.com
Wed Mar 14 20:15:40 UTC 2012

So as per your comments (and my belief) due to its versatility or variety, it is impossible to do a list of all the logic issues in all applications of the world, but I think a cases library can be compiled.

This is, put most of common cases for financial applications in a section of a library, including 0 amount transfers, negative transfers,  tampered amounts, rounding issues, etc. Then another list for e-stores applications, and another for cloud applications, another for software configuration misuse, etc., etc.

Sounds like a paramount task, but I think such a library will be of huge value for the community. Or is there a better way to do this? I mean start documenting test cases for logic bombs?

Juan Carlos

From: Venkatesh Jagannathan [mailto:venki at owasp.org]
Sent: Tuesday, March 13, 2012 10:18 PM
To: owasp-leaders at lists.owasp.org
Cc: Juan Carlos Calderon Rojas
Subject: Re: FW: [Owasp-leaders] Business Logic Security Issues?

Hi Juan,
     I usually treat this as a part of application testing *AND* security testing, depending on the use case.

For example, one can have a use case that indicates that the data should not be visible in plain text to a user. In this case, even though it is both business function as well as security, it becomes imperative that it is tested as security test case as well.

My approach for cases like these are automated unit test cases, wither using MSTest or NUnit (for .NET apps) and JUnit (for Java apps). Typically, these test cases can be caught even when the design is in place. and We immediately add these to our test suite so that we dont miss the logic bombs.

>From a testers perspective, it should be treated as Security test case or Business Logic Bobm test case, it does not matter, as long as it is covered.

Thanks & Regards,
~Venki, Chennai Chapter Leader.

From: owasp-leaders-bounces at lists.owasp.org<mailto:owasp-leaders-bounces at lists.owasp.org> [mailto:owasp-leaders-bounces at lists.owasp.org<mailto:owasp-leaders-bounces at lists.owasp.org>] On Behalf Of Juan Carlos Calderon Rojas
Sent: Wednesday, March 14, 2012 3:39 AM
To: owasp-leaders at lists.owasp.org<mailto:owasp-leaders at lists.owasp.org>
Subject: [Owasp-leaders] Business Logic Security Issues?

I want some light from you guys

Business logic issues could make businesses lose a lot of money, but they are not always considered "security" issues.

Case 1. One classical example is shopping cart abuse (buy a Hi Def 60" TV for 1 Cent by modifying hidden fields containing cost).  You are not stealing information or similar (yet you are committing fraud, but AFAIK, fraud is not considered a security issue on the industry).

Case 2. Another example on the configuration arena is, "open SMTP relay", the service daemon might be very secure and not expose any buffer overflow or similar, but misuse of the service by an spammer will make your company emails (probably containing bills and purchase orders) not reaching your customers/providers, causing costly delays.

Case 3.  The so-called "Cash Overflow" https://www.owasp.org/index.php/Cash_Overflow, and so on...

I know some have pleaded for considered them on security testing since long ago (Jeremiah G included), but... How do you personally classify them?  Do you test for them? How?


This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful.

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org<mailto:OWASP-Leaders at lists.owasp.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120314/f36b9b28/attachment.html>

More information about the OWASP-Leaders mailing list