[Owasp-testing] Can you please give me some guidence on the Business Logic Section?

McGovern, James james.mcgovern at hp.com
Fri Jan 11 02:04:44 UTC 2013


One additional observation is to note that testing business logic isn’t quite the same as testing for say SQL injection. We need to introduce more of a “logical” test than a physical one. We know the infamous “1=1” in SQL, but need something more logical in terms of guidance. From a developer’s perspective, they are usually handed specifications written by business analysts that use “must” and “must not” grammar. So, a logical test would also strive to test the inverse. We could start with a few requirements and show how to create inverse tests against them.

Another scenario may be to test for forensic capabilities that can help the “defenders”. For example, if we have a business rules engine that uses the RETE algorithm and someone attempts a business logic attack, our simple OWASP logging guidance is inadequate for a developer to understand the path traversal of business logic on any given day.
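An added example (not part of James's message or the OWASP guide) of the two ideas above, assuming a hypothetical account-withdrawal rule with constructed values: the requirements are spelled out in the analysts' must / must-not grammar, every rule evaluation is appended to an audit list so a defender can reconstruct the path a request took through the logic, and the test driver sends one request that violates exactly the inverse of each requirement alongside one compliant request.

```python
# Added example, not from the thread: a hypothetical withdrawal rule in
# "must" / "must not" form, a per-rule audit trail for defenders, and
# inverse tests derived from each requirement. All values are constructed.
from dataclasses import dataclass

DAILY_LIMIT = 500  # constructed business limit

@dataclass
class Account:
    owner: str
    balance: int            # whole currency units
    daily_withdrawn: int = 0

def withdraw(acct, actor, amount, audit):
    """Evaluate each requirement in order, appending one audit entry per rule
    evaluated; stop at the first violated rule. Returns True if allowed."""
    rules = [
        ("R1 actor must own the account", actor == acct.owner),
        ("R2 amount must be a positive whole number",
         isinstance(amount, int) and amount > 0),
        ("R3 amount must not exceed the balance", amount <= acct.balance),
        ("R4 daily withdrawals must not exceed the daily limit",
         acct.daily_withdrawn + amount <= DAILY_LIMIT),
    ]
    for rule, satisfied in rules:
        audit.append({"actor": actor, "amount": amount, "rule": rule,
                      "result": "pass" if satisfied else "FAIL"})
        if not satisfied:
            return False
    acct.balance -= amount
    acct.daily_withdrawn += amount
    return True

def run_inverse_tests():
    """For each requirement send one request that violates exactly its
    inverse, plus one compliant request. Returns (outcomes, audit)."""
    cases = {                 # label: (actor, amount, already withdrawn today)
        "compliant":  ("alice", 100, 0),
        "R1 inverse": ("mallory", 100, 0),    # someone else's account
        "R2 inverse": ("alice", -100, 0),     # negative amount would credit
        "R3 inverse": ("alice", 2000, 0),     # overdraw
        "R4 inverse": ("alice", 450, 100),    # 100 + 450 passes R3, breaks R4
    }
    outcomes, audit = {}, []
    for label, (actor, amount, spent) in cases.items():
        acct = Account(owner="alice", balance=1000, daily_withdrawn=spent)
        outcomes[label] = withdraw(acct, actor, amount, audit)
    return outcomes, audit
```

Note that rule order matters for the audit trail: the negative-amount case is caught by R2 only because it is evaluated before R3 and R4, which a negative amount would pass.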

From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Andrew Muller
Sent: Thursday, January 10, 2013 8:00 PM
To: Colin Watson
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section?


Some great material there, David. Give us a shout if you'd like help transposing this information into the Business Logic section of the guide.



regards,

  Andrew

________________________________
From: "Colin Watson" <colin.watson at owasp.org<mailto:colin.watson at owasp.org>>
To: owasp-testing at lists.owasp.org<mailto:owasp-testing at lists.owasp.org>
Sent: Tuesday, 8 January, 2013 1:51:26 AM
Subject: Re: [Owasp-testing] Can you please give me some guidence on the Business Logic Section?

David

I think all the contributors to this thread have been very helpful.

I have to admit that I added some of the suggestions to section 4.7
Business Logic when the request was made to come up with ideas. My
thoughts at the time were to have them as examples, rather than being
numbered tests like in the rest of the testing guide.

Some other sources of ideas, or that might be referenced are:

   The Common Misuse Scoring System (CMSS): Metrics for Software
Feature Misuse Vulnerabilities
   NISTIR 7864
   http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf

   Business Logic Abuse, Ponemon
   http://buzz.silvertailsystems.com/PonemonStudy.html?/study
   http://buzz.silvertailsystems.com/Ponemon_UK.html

We should remember that applications might be used to attack other
users and other systems. Additionally, the trusted insider might be
able to undertake attacks that other users are unable to commit. The
attacks in online gaming sometimes add extra insight into what might
occur in other areas, e.g.:

   Security Issues in Online Games
   Jianxin Jeff Yan and Hyun-Jin Choi
   http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf

   Securing Virtual Worlds Against Real Attack
   Dr. Igor Muttik, McAfee
   https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf

My thoughts on 4.7 would be to use the ideas in v3 and this thread to
write up something generic, describe how best to identify suitable
tests, add plenty of interesting references, and have a small number
of single-page *example* business logic flaws, maybe boxed out so they
are not mistaken as the only tests that need to be performed.

Colin
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org<mailto:Owasp-testing at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-testing
