[Owasp-testing] Can you please give me some guidence on the Business Logic Section?

David Fern dfern at verizon.net
Fri Jan 11 01:45:55 UTC 2013


Thanks for the great material. I am trying to consolidate it now.
 
Thanks,
David 
 

________________________________
 From: Andrew Muller <andrew at ionize.com.au>
To: Colin Watson <colin.watson at owasp.org> 
Cc: owasp-testing at lists.owasp.org 
Sent: Thursday, January 10, 2013 8:00 PM
Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section?
  

Some great material there, David. Give us a shout if you'd like help transposing this information into the Business Logic section of the guide. 
  
regards, 
  Andrew

 

________________________________
 
From: "Colin Watson" <colin.watson at owasp.org>
To: owasp-testing at lists.owasp.org
Sent: Tuesday, 8 January, 2013 1:51:26 AM
Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section?

David

I think all the contributors to this thread have been very helpful.

I have to admit that I added some of the suggestions to section 4.7
Business Logic when the request was made to come up with ideas. My
thoughts at the time were to have them as examples, rather than being
numbered tests like in the rest of the testing guide.

Some other sources of ideas, or that might be referenced are:

   The Common Misuse Scoring System (CMSS): Metrics for Software
Feature Misuse Vulnerabilities
   NISTIR 7864
   http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf

   Business Logic Abuse, Ponemon
   http://buzz.silvertailsystems.com/PonemonStudy.html?/study
   http://buzz.silvertailsystems.com/Ponemon_UK.html

We should remember that applications might be used to attack other
users and other systems. Additionally, the trusted insider might be
able to undertake attacks that other users are unable to commit. The
attacks in online gaming sometimes add extra insight into what might
occur in other areas, e.g.:

   Security Issues in Online Games
   Jianxin Jeff Yan and Hyun-Jin Choi
   http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf

   Securing Virtual Worlds Against Real Attack
   Dr. Igor Muttik, McAfee
   https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf

My thoughts on 4.7 would be to use the ideas in v3 and this thread to
write up something generic, describe how best to identify suitable
tests, add plenty of interesting references, and have a small number
of single-page *example* business logic flaws, maybe boxed out so they
are not mistaken as the only tests that need to be performed.

Colin
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-testing

