[Owasp-leaders] FW: Business Logic Security Issues?

Tony UcedaVelez tonyuv at owasp.org
Sat Mar 17 00:46:18 UTC 2012

I strongly suggest a project around this. Any objectives of having this
enumeration and detailing of biz logic weaknesses being engulfed within the
threat modeling project that is due for resurrection?

Tony UV

Sent from my comm device
From: Juan Carlos Calderon Rojas
Sent: 3/14/2012 4:21 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] FW:  Business Logic Security Issues?

So as per your comments (and my belief) due to its versatility or variety,
it is impossible to do a list of all the logic issues in all applications
of the world, but I think a cases library can be compiled.

This is, put most of common cases for financial applications in a section
of a library, including 0 amount transfers, negative transfers,  tampered
amounts, rounding issues, etc. Then another list for e-stores applications,
and another for cloud applications, another for software configuration
misuse, etc., etc.

Sounds like a paramount task, but I think such a library will be of huge
value for the community. Or is there a better way to do this? I mean start
documenting test cases for logic bombs?


Juan Carlos

*From:* Venkatesh Jagannathan [mailto:venki at owasp.org]
*Sent:* Tuesday, March 13, 2012 10:18 PM
*To:* owasp-leaders at lists.owasp.org
*Cc:* Juan Carlos Calderon Rojas
*Subject:* Re: FW: [Owasp-leaders] Business Logic Security Issues?

Hi Juan,

     I usually treat this as a part of application testing *AND* security
testing, depending on the use case.

For example, one can have a use case that indicates that the data should
not be visible in plain text to a user. In this case, even though it is
both business function as well as security, it becomes imperative that it
is tested as security test case as well.

My approach for cases like these are automated unit test cases, wither
using MSTest or NUnit (for .NET apps) and JUnit (for Java apps). Typically,
these test cases can be caught even when the design is in place. and We
immediately add these to our test suite so that we dont miss the logic

>From a testers perspective, it should be treated as Security test case or
Business Logic Bobm test case, it does not matter, as long as it is covered.

Thanks & Regards,

~Venki, Chennai Chapter Leader.

*From:* owasp-leaders-bounces at lists.owasp.org [mailto:
owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Juan Carlos Calderon
*Sent:* Wednesday, March 14, 2012 3:39 AM
*To:* owasp-leaders at lists.owasp.org
*Subject:* [Owasp-leaders] Business Logic Security Issues?

I want some light from you guys

Business logic issues could make businesses lose a lot of money, but they
are not always considered “security” issues.

Case 1. One classical example is shopping cart abuse (buy a Hi Def 60” TV
for 1 Cent by modifying hidden fields containing cost).  You are not
stealing information or similar (yet you are committing fraud, but AFAIK,
fraud is not considered a security issue on the industry).

Case 2. Another example on the configuration arena is, “open SMTP relay”,
the service daemon might be very secure and not expose any buffer overflow
or similar, but misuse of the service by an spammer will make your company
emails (probably containing bills and purchase orders) not reaching your
customers/providers, causing costly delays.

Case 3.  The so-called “Cash Overflow”
https://www.owasp.org/index.php/Cash_Overflow, and so on…

I know some have pleaded for considered them on security testing since long
ago (Jeremiah G included), but… How do you personally classify them?  Do
you test for them? How?



This e-mail and any files transmitted with it are for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient(s), please reply to
the sender and destroy all copies of the original message. Any
unauthorized review, use, disclosure, dissemination, forwarding,
printing or copying of this email, and/or any action taken in reliance
on the contents of this e-mail is strictly prohibited and may be

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120316/75c7687c/attachment.html>

More information about the OWASP-Leaders mailing list