[Owasp-testing] Can you please give me some guidence on the Business Logic Section?

David Fern dfern at verizon.net
Fri Jan 4 02:02:23 UTC 2013


I think that this is why I liked this section.
 
Business Logic is very much like functional testing. 
 
We say that business process testing cannot be automated, but functional valid business logic is automated by the functional tester all the time because we validate that the application does what it should do.
 
But, it is true that the functional invalid business logic is impossible to completely automate since we do not know all that can go wrong.  
 
But, some functional invalid business logic testing can be tested.
 
For example:
In the existing guide it says that it is impossible to automate "if a bank's "fund transfer" page allows a user to transfer a negative amount to another user."
I automate tests like this all the time, looking for an error message when entered through the GUI or an HTTP failure response when submitting around the GUI.
 
I am thinking that the examples in the existing section should be able to be put into categories with more details, and this section may actually be the "core" that uses or applies many of the techniques in the rest of the guide. 
 
Would this section be where I create categories and then link them to the other parts of the guide, sort of like the "anatomy of an attack"?
 
Thanks,
David 
 
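An added example (not code from the OWASP Testing Guide or from anyone on this thread) of what an automated test for the negative-amount transfer case looks like in practice. The two transfer handlers are hypothetical in-process stand-ins for a bank's "fund transfer" page, one that trusts the GUI to have validated the amount and one that enforces the rules server-side; the account names, balances and form field names are constructed for the example. The test submits each invalid case the way someone posting around the GUI would, records which ones the server accepted with a success status, and also checks the one invariant a transfer must never break (total funds are conserved).

```python
"""Automated 'invalid business logic' test for a fund-transfer endpoint.

Added example, not code from the OWASP Testing Guide or from the thread.
Both handlers below are hypothetical stand-ins for a bank's "fund transfer"
page: they take the form fields the GUI would post and return an HTTP-style
(status, body) pair, so the whole test runs offline.
"""
from decimal import Decimal, InvalidOperation


def fresh_ledger():
    """Constructed sample accounts (not real data)."""
    return {"alice": Decimal("100.00"), "bob": Decimal("50.00")}


def transfer_unchecked(ledger, form):
    """Vulnerable stand-in: trusts the GUI to have validated the amount.
    A negative amount silently moves money from the recipient to the sender."""
    src, dst = form.get("from"), form.get("to")
    try:
        amount = Decimal(form["amount"])
    except (InvalidOperation, KeyError):
        return 400, "bad request"
    if src not in ledger or dst not in ledger:
        return 404, "no such account"
    ledger[src] -= amount
    ledger[dst] += amount
    return 200, "ok"


def transfer_checked(ledger, form):
    """Hardened stand-in: enforces the business rules server-side."""
    src, dst = form.get("from"), form.get("to")
    try:
        amount = Decimal(form["amount"])
    except (InvalidOperation, KeyError):
        return 400, "amount must be a number"
    if not amount.is_finite() or amount <= 0:
        return 400, "amount must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return 400, "amount must have at most two decimals"
    if src not in ledger or dst not in ledger:
        return 404, "no such account"
    if src == dst:
        return 400, "cannot transfer to the same account"
    if ledger[src] < amount:
        return 403, "insufficient funds"
    ledger[src] -= amount
    ledger[dst] += amount
    return 200, "ok"


# Values a well-behaved GUI would never submit, but a direct POST can.
INVALID_CASES = {
    "negative": "-25.00",
    "zero": "0",
    "overdraft": "1000.00",
    "not_a_number": "25abc",
    "nan": "NaN",
    "sub_cent": "0.001",
}


def run_invalid_logic_tests(handler):
    """Submit every invalid case around the GUI. Returns the names of cases
    the handler accepted (2xx/3xx status) and whether total funds stayed
    constant across all cases. An empty 'accepted' list means every case
    was rejected with a failure response, which is what the test wants."""
    accepted = []
    conserved = True
    for name, amount in INVALID_CASES.items():
        ledger = fresh_ledger()
        before = sum(ledger.values())
        status, _ = handler(ledger, {"from": "alice", "to": "bob", "amount": amount})
        if 200 <= status < 400:
            accepted.append(name)
        if sum(ledger.values()) != before:
            conserved = False
    return {"accepted": accepted, "funds_conserved": conserved}


def run_valid_logic_test(handler):
    """The functional tester's happy path: 25.00 from alice to bob."""
    ledger = fresh_ledger()
    status, _ = handler(ledger, {"from": "alice", "to": "bob", "amount": "25.00"})
    return (status == 200 and ledger["alice"] == Decimal("75.00")
            and ledger["bob"] == Decimal("75.00"))


if __name__ == "__main__":
    for handler in (transfer_unchecked, transfer_checked):
        print(handler.__name__, run_invalid_logic_tests(handler),
              "valid_ok=%s" % run_valid_logic_test(handler))
```

Both handlers pass the valid-logic test, which is why functional testing alone does not find the flaw; only the invalid-logic cases separate them. Against a real application the handler call would be replaced by an HTTP client posting the same form fields directly to the transfer endpoint and reading the status code, and the balance check by reading the account pages after each case.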

________________________________
 From: Andrew Muller <andrew at ionize.com.au>
To: Jim Manico <jim.manico at owasp.org> 
Cc: owasp-testing at lists.owasp.org 
Sent: Thursday, January 3, 2013 7:27 PM
Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section?
  

True enough. This also applies to the Testing Guide more broadly. The prescriptive nature of the Guide offers rigour in testing, but if too prescriptive then it will not catch problems that are not easily classified (such as the multiple-step issues you describe). Perhaps we should consider a hybrid approach between the current prescriptive model and recommending that security testers take a leaf out of the functional tester's book and not be afraid to write their own test cases to meet the requirements of the target application. This offers the efficiencies of pre-canned security test cases but also the flexibility to methodically test more complex application functionality or workflows of particular concern to the application owner. 
  
Andrew

 

________________________________
 
From: "Jim Manico" <jim.manico at owasp.org>
To: "Andrew Muller" <andrew at ionize.com.au>
Cc: "Eoin" <eoin.keary at owasp.org>, owasp-testing at lists.owasp.org
Sent: Friday, 4 January, 2013 11:18:10 AM
Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section?

The problem with business logic flaws is that they are often part of a
complex multi-step workflow that can be difficult to automate.

- Jim


> There is also the other question raised by David, which relates to how we write test cases. A test case should be simple and testable. The most understandable security test cases are those that test for a specific vulnerability or class of vulnerabilities. The more specific, the less confusion for the tester and the application owner when they receive the report. 
> 
> regards, 
>   Andrew 
> 
> 
> ----- Original Message -----
> 
> From: "Eoin" <eoin.keary at owasp.org> 
> To: "James McGovern" <james.mcgovern at hp.com> 
> Cc: "David Fern" <dfern at verizon.net>, "Andrew Muller" <andrew at ionize.com.au>, owasp-testing at lists.owasp.org 
> Sent: Friday, 4 January, 2013 4:12:29 AM 
> Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section? 
> 
> 
> Business logic testing/verification: 
> ensure the app only does what it is designed to do and nothing more. Anything more (which it was not designed to do) may introduce a security issue as it breaks the business process the software was designed to reflect. - owasp code review guide v2 2013 
> 
> 
> 
> Eoin Keary 
> Owasp Global Board 
> +353 87 977 2988 
> 
> 
> 
> On 3 Jan 2013, at 12:46, "McGovern, James" <james.mcgovern at hp.com> wrote: 
> 
> I think the challenge is observing the fact that the phrase: Business Logic is heavily overloaded in all of the three links provided. The traditional “infosec” view defines a lot more things under the business logic banner than say a traditional software view would do. 
>   
> May I propose that we focus our usage of the term towards concepts of the business domain itself? For example, if you are developing an insurance quoting application, the business logic would be comprised of the rules and calculations required to price a combination of drivers and vehicles. The stuff regarding AuthN, AuthZ, etc would be outside of it. 
>   
> If you look at calculations for say taxes, we would then test for invariants. This could include looking at how validation is handled, the order in which processes/steps are executed and of course transactional considerations (e.g. ACID). 
>   
> 
> 
> From: owasp-testing-bounces at lists.owasp.org [ mailto:owasp-testing-bounces at lists.owasp.org ] On Behalf Of David Fern 
> Sent: Thursday, January 03, 2013 6:38 AM 
> To: Andrew Muller 
> Cc: owasp-testing at lists.owasp.org 
> Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section? 
>   
> 
> 
> Here is where the lists came from and I like them: 
> 
>     Business Logic CWEs - http://cwe.mitre.org/data/definitions/840.html 
> 
>     7 Business Flaws - https://www.whitehatsec.com/assets/WP_bizlogic092407.pdf 
> 
>     Business Logic Attack Vectors - http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper/ 
> 
> The "Proposed" came from - https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents  and this is what I thought I was to write to, but then I started researching and found the other three. 
> 
> I am just not clear on which type of list I should use for the driving force of this section: the weaknesses(CWE), how to test, or risk   
> 
>   
> 
> What fits the guide best? 
> 
>   
> 
> I think once I get the group's thoughts on which way to go, the other categories will be added in information and I can look through and use other related parts of the TOC as you indicated. 
> 
>   
> 
> Any thoughts?   
> 
>   
> 
> I like this section but am having trouble organizing. 
> 
>   
> 
> Thanks, 
> 
> David :) 
> 
> 
> 
> From: Andrew Muller <andrew at ionize.com.au> 
> To: David Fern <dfern at verizon.net> 
> Cc: owasp-testing at lists.owasp.org 
> Sent: Wednesday, January 2, 2013 8:22 PM 
> Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section? 
>   
> 
> 
> 
> 
> Hi David, 
> 
>   Looks like a great compilation of business logic weaknesses and attacks. How did you derive the list from each of the four sources? i.e. why did you pick those weaknesses from the CWE? 
> 
>   
> 
> My comments are: 
> 
> 1) there is a lot of commonality between the four sources (as well as other areas within the Test Guide TOC, e.g. weak password recovery, see 4.4.11). Reconciling these will reduce the length of the list. 
> 
> 2) some of the sources have different functions. CWE identifies a weakness that we can test for, the Business Logic Attack Vectors mostly identifies how these can be tested, and the Business Flaws mostly highlights the high level risks to the business if the vulnerability exists and is exploited. However, as some of the sources appear to be cross purpose, this isn't consistent. 
> 
> My understanding of how you add them to the TOC is to just add them and see if anyone argues :) However, a more active discussion of each section would be good too. 
> 
>   
> 
> regards, 
> 
>   Andrew 
> 
> 
> From: "David Fern" <dfern at verizon.net> 
> To: owasp-testing at lists.owasp.org 
> Sent: Thursday, 3 January, 2013 11:55:37 AM 
> Subject: [Owasp-testing] Can you please give me some guidence on the Business Logic Section? 
> 
> 
> Can you please give me some guidence on the Business Logic Section? 
> 
> I have done a lot of research and come up with the attached spreadsheet and 4 different lists of Business Logic issues. 
> 
>   
> 
> I have not been able to easily combine them. 
> 
>   
> 
> Should I just write to your list? 
> 
>   
> 
> Do I create a separate page for each?  
> 
>   
> 
> Any ideas/thoughts? 
> 
>   
> 
> Thanks, 
> 
> David 
>   
> 
> _______________________________________________ 
> Owasp-testing mailing list 
> Owasp-testing at lists.owasp.org 
> https://lists.owasp.org/mailman/listinfo/owasp-testing 