[Owasp-leaders] FW: Business Logic Security Issues?

Gaurav Kumar gk at pivotalsecurity.com
Fri Mar 23 21:44:39 UTC 2012


I would like to share my real-life experience with such biz logic weaknesses:
http://www.pivotalsecurity.com/blog/logic/hidden-danger/



On Fri, Mar 16, 2012 at 5:46 PM, Tony UcedaVelez <tonyuv at owasp.org> wrote:

> I strongly suggest a project around this. Any objectives of having this
> enumeration and detailing of biz logic weaknesses being engulfed within the
> threat modeling project that is due for resurrection?
>
> Tony UV
>
> Sent from my comm device
> ------------------------------
> From: Juan Carlos Calderon Rojas
> Sent: 3/14/2012 4:21 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] FW:  Business Logic Security Issues?
>
> So as per your comments (and my belief) due to its versatility or variety,
> it is impossible to do a list of all the logic issues in all applications
> of the world, but I think a cases library can be compiled.
>
>
>
> That is, put most of the common cases for financial applications in a section
> of a library, including 0 amount transfers, negative transfers, tampered
> amounts, rounding issues, etc. Then another list for e-store applications,
> and another for cloud applications, another for software configuration
> misuse, etc., etc.
>
>
>
> Sounds like a paramount task, but I think such a library will be of huge
> value for the community. Or is there a better way to do this? I mean start
> documenting test cases for logic bombs?
>
>
>
> Regards,
>
> Juan Carlos
>
>
>
> *From:* Venkatesh Jagannathan [mailto:venki at owasp.org]
> *Sent:* Tuesday, March 13, 2012 10:18 PM
> *To:* owasp-leaders at lists.owasp.org
> *Cc:* Juan Carlos Calderon Rojas
> *Subject:* Re: FW: [Owasp-leaders] Business Logic Security Issues?
>
>
>
> Hi Juan,
>
>      I usually treat this as a part of application testing *AND* security
> testing, depending on the use case.
>
>
>
> For example, one can have a use case that indicates that the data should
> not be visible in plain text to a user. In this case, even though it is
> both a business function as well as security, it becomes imperative that it
> is tested as a security test case as well.
>
>
>
> My approach for cases like these is automated unit test cases, either
> using MSTest or NUnit (for .NET apps) or JUnit (for Java apps). Typically,
> these test cases can be caught even when the design is in place, and we
> immediately add these to our test suite so that we don't miss the logic
> bombs.
>
>
>
> From a tester's perspective, whether it is treated as a security test case or
> a business logic bomb test case does not matter, as long as it is covered.
>
>
>
> Thanks & Regards,
>
> ~Venki, Chennai Chapter Leader.
>
>
>
>
>
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Juan Carlos
> Calderon Rojas
> *Sent:* Wednesday, March 14, 2012 3:39 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* [Owasp-leaders] Business Logic Security Issues?
>
>
>
> I want some light from you guys
>
>
>
> Business logic issues could make businesses lose a lot of money, but they
> are not always considered “security” issues.
>
>
>
> Case 1. One classical example is shopping cart abuse (buy a Hi Def 60” TV
> for 1 Cent by modifying hidden fields containing cost). You are not
> stealing information or similar (yet you are committing fraud, but AFAIK,
> fraud is not considered a security issue in the industry).
>
>
>
> Case 2. Another example in the configuration arena is the “open SMTP relay”:
> the service daemon might be very secure and not expose any buffer overflow
> or similar, but misuse of the service by a spammer will make your company
> emails (probably containing bills and purchase orders) not reach your
> customers/providers, causing costly delays.
>
>
>
> Case 3.  The so-called “Cash Overflow”
> https://www.owasp.org/index.php/Cash_Overflow, and so on…
>
>
>
> I know some have pleaded for considering them in security testing for a
> long time (Jeremiah G included), but… how do you personally classify them?
> Do you test for them? How?
>
>
>
> Regards,
>
> JC
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


-- 

Gaurav Kumar
Chief Security Consultant, Pivotal Security LLC | Email:
gk at pivotalsecurity.com | Phone:(425)686-9695
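The automated unit test approach Venki describes, applied to the financial cases Juan Carlos lists (tampered hidden price fields, 0 amount and negative transfers, rounding issues), written as an added Python example that is not code from this thread or from OWASP. The catalogue, SKUs, prices and account names are constructed sample data; `violates` is a small helper so a test suite can assert that a rule fires.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed server-side catalogue; SKUs and prices are hypothetical sample data.
CATALOG = {"TV-60-HD": Decimal("1499.99"), "HDMI-CABLE": Decimal("12.50")}
CENTS = Decimal("0.01")

class LogicError(ValueError):
    """Raised when a request breaks a business rule."""

def to_money(value):
    """Parse a client-supplied amount; reject junk and sub-cent precision."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        raise LogicError(f"not a number: {value!r}")
    if not amount.is_finite() or amount != amount.quantize(CENTS):
        raise LogicError(f"amount must be whole cents: {value!r}")
    return amount

def checkout_total(items):
    """Case 1: price every line from the server catalogue, never from the
    request, so a tampered hidden 'price' field is simply ignored."""
    total = Decimal("0.00")
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        # type(qty) is int also rejects bool, which would otherwise count as 1
        if sku not in CATALOG or type(qty) is not int or qty <= 0:
            raise LogicError(f"rejected line item: {item!r}")
        total += CATALOG[sku] * qty
    return total.quantize(CENTS, rounding=ROUND_HALF_UP)

def transfer(accounts, src, dst, amount):
    """Financial cases: reject zero, negative, self and overdrawn transfers."""
    amt = to_money(amount)
    if amt <= 0:
        raise LogicError("transfer amount must be positive")
    if src == dst or src not in accounts or dst not in accounts:
        raise LogicError("invalid source/destination")
    if accounts[src] < amt:
        raise LogicError("insufficient funds")
    accounts[src] -= amt
    accounts[dst] += amt
    return accounts[src], accounts[dst]

def violates(fn, *args):
    """True if the call is rejected by a business rule (handy in unit tests)."""
    try:
        fn(*args)
    except LogicError:
        return True
    return False
```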