[Owasp-testing] Can you please give me some guidance on the Business Logic Section?
andrew at ionize.com.au
Fri Jan 11 01:00:25 UTC 2013
Some great material there, David. Give us a shout if you'd like help transposing this information into the Business Logic section of the guide.
----- Original Message -----
From: "Colin Watson" <colin.watson at owasp.org>
To: owasp-testing at lists.owasp.org
Sent: Tuesday, 8 January, 2013 1:51:26 AM
Subject: Re: [Owasp-testing] Can you please give me some guidance on the Business Logic Section?
I think all the contributors to this thread have been very helpful.
I have to admit that I added some of the suggestions to section 4.7
Business Logic when the request was made to come up with ideas. My
thoughts at the time were to have them as examples, rather than being
numbered tests like in the rest of the testing guide.
Some other sources of ideas, or that might be referenced are:
The Common Misuse Scoring System (CMSS): Metrics for Software
Feature Misuse Vulnerabilities
Business Logic Abuse, Ponemon
We should remember that applications might be used to attack other
users and other systems. Additionally, the trusted insider might be
able to undertake attacks that other users are unable to commit. The
attacks in online gaming sometimes add extra insight into what
could occur in other areas, e.g.:
Security Issues in Online Games
Jianxin Jeff Yan and Hyun-Jin Choi
Securing Virtual Worlds Against Real Attack
Dr. Igor Muttik, McAfee
My thoughts on 4.7 would be to use the ideas in v3 and this thread to
write up something generic, describe how best to identify suitable
tests, add plenty of interesting references, and have a small number
of single-page *example* business logic flaws, maybe boxed out so they
are not mistaken as the only tests that need to be performed.