[Owasp-testing] Can you please give me some guidance on the Business Logic Section?

Andrew Muller andrew at ionize.com.au
Thu Jan 3 01:22:09 UTC 2013


Hi David, 
  Looks like a great compilation of business logic weaknesses and attacks. How did you derive the list from each of the four sources? i.e. why did you pick those weaknesses from the CWE? 

My comments are: 
1) there is a lot of commonality between the four sources (as well as other areas within the Test Guide TOC, e.g. weak password recovery, see 4.4.11). Reconciling these will reduce the length of the list. 
2) some of the sources have different functions. CWE identifies a weakness that we can test for, the Business Logic Attack Vectors mostly identifies how these can be tested, and the Business Flaws mostly highlights the high level risks to the business if the vulnerability exists and is exploited. However, as some of the sources appear to be cross purpose, this isn't consistent. 

My understanding of how you add them to the TOC is to just add them and see if anyone argues :) However, a more active discussion of each section would be good too. 

regards, 
  Andrew 

----- Original Message -----

From: "David Fern" <dfern at verizon.net> 
To: owasp-testing at lists.owasp.org 
Sent: Thursday, 3 January, 2013 11:55:37 AM 
Subject: [Owasp-testing] Can you please give me some guidance on the Business Logic Section? 


Can you please give me some guidance on the Business Logic Section? 

I have done a lot of research and come up with the attached spreadsheet and 4 different lists of Business Logic issues. 
  
I have not been able to easily combine them. 
  
Should I just write to your list? 
  
Do I create a separate page for each?  
  
Any ideas/thoughts? 
  
Thanks, 
David 

