[Owasp-testing] Can you please give me some guidance on the Business Logic Section?

Andrew Muller andrew at ionize.com.au
Fri Jan 11 01:00:25 UTC 2013


Some great material there, David. Give us a shout if you'd like help transposing this information into the Business Logic section of the guide. 

regards, 
  Andrew 


----- Original Message -----

From: "Colin Watson" <colin.watson at owasp.org> 
To: owasp-testing at lists.owasp.org 
Sent: Tuesday, 8 January, 2013 1:51:26 AM 
Subject: Re: [Owasp-testing] Can you please give me some guidance on the Business Logic Section? 

David 

I think all the contributors to this thread have been very helpful. 

I have to admit that I added some of the suggestions to section 4.7 
Business Logic when the request was made to come up with ideas. My 
thoughts at the time were to have them as examples, rather than being 
numbered tests like in the rest of the testing guide. 

Some other sources of ideas, or that might be referenced, are: 

   The Common Misuse Scoring System (CMSS): Metrics for Software 
Feature Misuse Vulnerabilities 
   NISTIR 7864 
   http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf 

   Business Logic Abuse, Ponemon 
   http://buzz.silvertailsystems.com/PonemonStudy.html?/study 
   http://buzz.silvertailsystems.com/Ponemon_UK.html 

We should remember that applications might be used to attack other 
users and other systems. Additionally, the trusted insider might be 
able to undertake attacks that other users are unable to commit. The 
attacks in online gaming sometimes add extra insight into what might 
occur in other areas, e.g.: 

   Security Issues in Online Games 
   Jianxin Jeff Yan and Hyun-Jin Choi 
   http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf 

   Securing Virtual Worlds Against Real Attack 
   Dr. Igor Muttik, McAfee 
   https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf 

My thoughts on 4.7 would be to use the ideas in v3 and this thread to 
write up something generic, describe how best to identify suitable 
tests, add plenty of interesting references, and have a small number 
of single-page *example* business logic flaws, maybe boxed out so they 
are not mistaken as the only tests that need to be performed. 

Colin 
_______________________________________________ 
Owasp-testing mailing list 
Owasp-testing at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-testing 


