[Owasp-leaders] FW: Business Logic Security Issues?

Antonio Fontes antonio.fontes at owasp.org
Wed Mar 14 22:40:16 UTC 2012


A library of known problems for each industry would definitely be of great value!

--
sent from my magic phone

Juan Carlos Calderon Rojas <juan.calderon at softtek.com> wrote:

>So as per your comments (and my belief), due to its versatility or variety, it is impossible to make a list of all the logic issues in all applications of the world, but I think a cases library can be compiled.
>
>This is, put most of the common cases for financial applications in a section of a library, including 0 amount transfers, negative transfers, tampered amounts, rounding issues, etc. Then another list for e-store applications, and another for cloud applications, another for software configuration misuse, etc., etc.
>
>Sounds like a paramount task, but I think such a library will be of huge value for the community. Or is there a better way to do this? I mean start documenting test cases for logic bombs?
>
>Regards,
>Juan Carlos
>
>From: Venkatesh Jagannathan [mailto:venki at owasp.org]
>Sent: Tuesday, March 13, 2012 10:18 PM
>To: owasp-leaders at lists.owasp.org
>Cc: Juan Carlos Calderon Rojas
>Subject: Re: FW: [Owasp-leaders] Business Logic Security Issues?
>
>Hi Juan,
>     I usually treat this as a part of application testing *AND* security testing, depending on the use case.
>
>For example, one can have a use case that indicates that the data should not be visible in plain text to a user. In this case, even though it is both a business function as well as security, it becomes imperative that it is tested as a security test case as well.
>
>My approach for cases like these is automated unit test cases, either using MSTest or NUnit (for .NET apps) or JUnit (for Java apps). Typically, these test cases can be caught even when the design is in place, and we immediately add these to our test suite so that we don't miss the logic bombs.
>
>From a tester's perspective, whether it should be treated as a Security test case or a Business Logic Bomb test case does not matter, as long as it is covered.
>
>Thanks & Regards,
>~Venki, Chennai Chapter Leader.
>
>
>
>From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Juan Carlos Calderon Rojas
>Sent: Wednesday, March 14, 2012 3:39 AM
>To: owasp-leaders at lists.owasp.org
>Subject: [Owasp-leaders] Business Logic Security Issues?
>
>I want some light from you guys
>
>Business logic issues could make businesses lose a lot of money, but they are not always considered "security" issues.
>
>Case 1. One classical example is shopping cart abuse (buy a Hi Def 60" TV for 1 Cent by modifying hidden fields containing cost). You are not stealing information or similar (yet you are committing fraud, but AFAIK, fraud is not considered a security issue in the industry).
>
>Case 2. Another example, in the configuration arena, is an "open SMTP relay": the service daemon might be very secure and not expose any buffer overflow or similar, but misuse of the service by a spammer will keep your company's emails (probably containing bills and purchase orders) from reaching your customers/providers, causing costly delays.
>
>Case 3.  The so-called "Cash Overflow" https://www.owasp.org/index.php/Cash_Overflow, and so on...
>
>I know some have pleaded for considering them in security testing for a long time (Jeremiah G included), but... How do you personally classify them? Do you test for them? How?
>
>Regards,
>JC
>
>
>
>_______________________________________________
>OWASP-Leaders mailing list
>OWASP-Leaders at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
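The cases named across the thread (a hidden price field tampered in a shopping cart, zero and negative transfers, rounding) written as server-side checks plus the kind of helper a JUnit/NUnit-style test suite would call, as an added example that is not part of the original thread and not any poster's code. `CATALOG`, the `10000.00` per-transaction limit and the sample carts are constructed for illustration; the checks use only Python's standard `decimal` module.

```python
"""Server-side business-logic checks for the cases raised in the thread.

Added example; not code from the OWASP list or from any poster. The catalog,
limits and sample requests are constructed for illustration.
"""
from decimal import Decimal, InvalidOperation, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed catalog: the server's authoritative prices. A client-supplied
# price (hidden form field, JSON attribute) is never consulted.
CATALOG = {
    "TV-60-HD": Decimal("1299.99"),
    "HDMI-CABLE": Decimal("12.50"),
}


class LogicError(ValueError):
    """Request is well-formed but violates a business rule."""


def to_money(value):
    """Parse a monetary amount strictly and return it quantized to cents.

    Rejects floats and bools, NaN/Infinity, unparseable input, values too large
    to quantize, and anything with sub-cent precision such as "10.005".
    """
    if isinstance(value, (float, bool)):
        raise LogicError("amount must be a string, int or Decimal")
    try:
        amount = Decimal(str(value))
        if not amount.is_finite():
            raise LogicError("non-finite amount")
        cents = amount.quantize(CENT)
    except InvalidOperation:
        raise LogicError("not a representable amount") from None
    if cents != amount:
        raise LogicError("sub-cent precision")
    return cents


def price_cart(items):
    """Case 1 (shopping-cart abuse): total a cart from CATALOG only.

    `items` is the client's list of {"sku": str, "qty": int, ...}; any "price"
    key the client sends is ignored. Quantities must be positive integers
    (bool is excluded explicitly because it subclasses int).
    """
    if not items:
        raise LogicError("empty cart")
    total = Decimal("0")
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise LogicError(f"unknown sku {sku!r}")
        if type(qty) is not int or qty <= 0:
            raise LogicError(f"bad quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    return total.quantize(CENT, rounding=ROUND_HALF_EVEN)


def validate_transfer(amount, balance, limit="10000.00"):
    """Financial cases from the thread: zero, negative, tampered and over-limit
    transfers. Returns the accepted amount or raises LogicError."""
    amt = to_money(amount)
    if amt <= 0:
        raise LogicError("amount must be positive")  # covers 0.00 and negatives
    if amt > to_money(limit):
        raise LogicError("exceeds per-transaction limit")
    if amt > to_money(balance):
        raise LogicError("insufficient funds")
    return amt


def split_evenly(total, parts):
    """Rounding case: split `total` into `parts` cent-exact shares whose sum is
    exactly `total`, so rounding each share on its own cannot create or lose cents."""
    total = to_money(total)
    if total <= 0:
        raise LogicError("total must be positive")
    if type(parts) is not int or parts <= 0:
        raise LogicError("parts must be a positive integer")
    base = (total / parts).quantize(CENT, rounding=ROUND_DOWN)
    leftover_cents = int((total - base * parts) / CENT)
    return [base + CENT if i < leftover_cents else base for i in range(parts)]


def rejects(fn, *args, **kwargs):
    """True if fn raises LogicError on these inputs; the shape a unit test wants."""
    try:
        fn(*args, **kwargs)
    except LogicError:
        return True
    return False


if __name__ == "__main__":
    tampered = [{"sku": "TV-60-HD", "qty": 1, "price": "0.01"}]  # constructed request
    print("tampered TV still prices at", price_cart(tampered))
    print("zero transfer rejected:", rejects(validate_transfer, "0.00", "500.00"))
    print("100.00 over 3 ->", split_evenly("100.00", 3))
```

Each negative case (`rejects(...)`) is one assertion in a unit test, which is the point Venki makes about adding logic-bomb cases to the suite as soon as the design exists: the cart test pins the total to the catalog regardless of what the client sends, the transfer test pins the sign and limit checks, and the split test pins that the shares sum to the original amount.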