[Owasp-leaders] Business Logic Cheatsheet

Jim Manico jim.manico at owasp.org
Thu Oct 24 15:37:35 UTC 2013

Sounds good, Eric and Jeff.

Can you both jump in and help edit the cheat sheet then?



> I agree with Jeff in principle on this one. The term "business logic
> flaw" is often used to encompass, dare I say this, anything an automated
> tool cannot find. When, more correctly, it focuses on those issues with
> strong business context that do not tie directly to a commonly accepted
> vulnerability class/CVE/etc... unless the referenced taxonomy consists
> of insanely broad definitions ;)
> -Eric
> On 10/24/13 10:46 AM, Jim Manico wrote:
>> Let me try that again, Jeff. I do not agree that 90% of the cheatsheet
>> should be removed, but adding your suggestions below is useful. I'll
>> send an updated CS to the list when done.
>> Regards,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Oct 24, 2013, at 9:38 AM, Jeff Williams <jeff.williams at owasp.org> wrote:
>>> Hi,
>>> I think this is a worthy and important effort, and I appreciate the
>>> work so far, but this draft mostly focuses on problems that are better
>>> suited to remain in other categories. I apologize for the severe
>>> comment, but I would delete 90% of what is in this cheatsheet and
>>> focus on the core problem and solutions.
>>> To me, it's only a business logic problem if you have to know the
>>> business rules in order to identify it.  A business rule is like "only
>>> IRA holders over age 55 can trade index funds."  Notice that it's not
>>> about any security mechanism.  Instead, business logic vulnerabilities
>>> represent a mismatch between business expectations and the
>>> application's code.  You can't find a business logic problem without
>>> first talking to the business about their rules and understanding
>>> their business.  Almost nothing in the article really talks about this
>>> kind of problem.
>>> I think it might help to quote the "Business Logic Vulnerability" page
>>> from OWASP (2008) --
>>>         Most security problems are weaknesses in an application that
>>>         result from a broken or missing security control
>>>         (authentication, access control, input validation, etc...). By
>>>         contrast, business logic vulnerabilities are ways of using the
>>>         legitimate processing flow of an application in a way that
>>>         results in a negative consequence to the organization. For
>>>         example:
>>>           + Purchase orders are not processed before midnight
>>>           + Written authorization is not on file before web access is
>>>             granted
>>>           + Transactions in excess of $2000 are not reviewed by a person
>>>         Many articles that describe business logic problems simply
>>>         take an existing and well understood web application security
>>>         problem and discuss the business consequence of the
>>>         vulnerability. True business logic problems are actually
>>>         different from the typical security vulnerability. Here are
>>>         some examples of problems that are not business logic
>>>         vulnerabilities:
>>>           + Performing a denial of service by locking an auction
>>>             user's account
>>>           + Posting unvalidated input publicly
>>>           + Cracking MD5 hashes
>>>           + Brute forcing a password recovery scheme
>>>         Too often, the business logic category is used for
>>>         vulnerabilities that can't be scanned for automatically. This
>>>         makes it very difficult to apply any kind of categorization
>>>         scheme. Business logic problems are different from
>>>         authentication problems and every other category. There are
>>>         many significant business logic vulnerabilities, but they are
>>>         far less common than the type of items in the OWASP Top Ten
>>>         for example.
>>>         A nice rule-of-thumb to use is that if you need to truly
>>>         understand the business to understand the vulnerability, you
>>>         might have a business-logic problem on your hands. If you
>>>         don't understand the business, you can't see business logic flaws.
>>> Again, I apologize for the harsh comment.  I think this is important
>>> and we should get it as good as we can.
>>> --Jeff
>>> On Wed, Oct 23, 2013 at 1:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>     Hello folks,
>>>     We just released a new cheatsheet, the business logic cheatsheet
>>>     for developers. Kudos to Ashish Rao and David Fern for working on
>>>     this together.
>>>     https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
>>>     Feedback is always appreciated.
>>>     Aloha,
>>>     Jim Manico
>>>     OWASP Board Member
>>>     _______________________________________________
>>>     OWASP-Leaders mailing list
>>>     OWASP-Leaders at lists.owasp.org
>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
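As an added illustration of Jeff's rule of thumb (example code written for this edit, not from the cheat sheet or from any of the posters): the two business rules quoted in the thread encoded as explicit predicates, a constructed implementation that quietly disagrees with the business beside a correct one, and a check that compares each implementation against the expectations the business actually stated. The Account type, the function names and the sample rows are assumptions.

```python
"""Business rules as explicit, testable predicates (added example)."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Account:
    holder_age: int
    account_type: str  # constructed values: "IRA" or "brokerage"


# Rule 1 from the thread: "only IRA holders over age 55 can trade index funds".
def may_trade_index_funds_naive(acct: Account) -> bool:
    # Constructed mismatch: the developer read "over 55" as ">= 55" and never
    # encoded the IRA requirement. No security control is broken; the code
    # simply does not say what the business said, which is the whole defect.
    return acct.holder_age >= 55


def may_trade_index_funds(acct: Account) -> bool:
    # Both conditions the business stated, with the boundary the business meant.
    return acct.account_type == "IRA" and acct.holder_age > 55


# Rule 2 from the thread: "transactions in excess of $2000 are not reviewed
# by a person", read as the control that must hold: anything over $2000 is
# routed to manual review instead of being auto-approved.
REVIEW_THRESHOLD_USD = 2000


def requires_manual_review(amount_usd: int) -> bool:
    return amount_usd > REVIEW_THRESHOLD_USD


# What the business told us when we asked, written down as a table. Each row
# is (holder_age, account_type, expected_decision); the rows are constructed.
BUSINESS_EXPECTATIONS = [
    (56, "IRA", True),
    (55, "IRA", False),        # "over 55" excludes 55 itself
    (60, "brokerage", False),  # not an IRA holder at all
    (40, "IRA", False),
]


def find_rule_mismatches(impl: Callable[[Account], bool]) -> list:
    """Return every expectation row on which impl disagrees with the business.

    An empty list means the code matches the stated rule; each returned row is
    a business logic mismatch that no scanner could have flagged.
    """
    return [row for row in BUSINESS_EXPECTATIONS
            if impl(Account(row[0], row[1])) != row[2]]
```

Running `find_rule_mismatches` over both implementations shows that the naive one passes for the 56-year-old IRA holder and still fails two of the four stated expectations.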
