[Owasp-testing] Can you please give me some guidance on the Business Logic Section?

Colin Watson colin.watson at owasp.org
Mon Jan 7 14:51:26 UTC 2013


David

I think all the contributors to this thread have been very helpful.

I have to admit that I added some of the suggestions to section 4.7
Business Logic when the request was made to come up with ideas. My
thoughts at the time were to have them as examples, rather than being
numbered tests like in the rest of the testing guide.

Some other sources of ideas, or that might be referenced are:

   The Common Misuse Scoring System (CMSS): Metrics for Software
Feature Misuse Vulnerabilities
   NISTIR 7864
   http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf

   Business Logic Abuse, Ponemon
   http://buzz.silvertailsystems.com/PonemonStudy.html?/study
   http://buzz.silvertailsystems.com/Ponemon_UK.html

We should remember that applications might be used to attack other
users and other systems. Additionally, the trusted insider might be
able to undertake attacks that other users are unable to commit. The
attacks in online gaming sometimes add extra insight into what might
occur in other areas, e.g.:

   Security Issues in Online Games
   Jianxin Jeff Yan and Hyun-Jin Choi
   http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf

   Securing Virtual Worlds Against Real Attack
   Dr. Igor Muttik, McAfee
   https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf

My thoughts on 4.7 would be to use the ideas in v3 and this thread to
write up something generic, describe how best to identify suitable
tests, add plenty of interesting references, and have a small number
of single-page *example* business logic flaws, maybe boxed out so they
are not mistaken as the only tests that need to be performed.

Colin