[Owasp-testing] Can you please give me some guidance on the Business Logic Section?

Eoin eoin.keary at owasp.org
Fri Jan 11 08:32:13 UTC 2013


Think finite state model testing

Eoin Keary
Owasp Global Board
+353 87 977 2988

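As an added illustration of Eoin's "finite state model" suggestion and of the inverse ("must not") tests James proposes in the quoted message below, not code from this thread or from the OWASP Testing Guide: a constructed order workflow is written down as a transition table, a hypothetical implementation is driven through every (state, event) pair, and every pair the table does not permit becomes an inverse test. The implementation's refund branch checks a "was paid" flag instead of the current state, so the inverse tests flag a second refund of an already refunded order.

```python
from itertools import product

# Constructed spec for a hypothetical order workflow: the "must" rules,
# written as the only permitted (state, event) -> next-state moves.
SPEC = {
    ("cart", "place"): "placed", ("placed", "pay"): "paid",
    ("placed", "cancel"): "cart", ("paid", "ship"): "shipped",
    ("paid", "refund"): "refunded", ("shipped", "refund"): "refunded",
}
STATES = sorted({s for k in SPEC for s in (k[0], SPEC[k])})
EVENTS = sorted({event for _, event in SPEC})

class OrderWorkflow:
    """Hypothetical implementation under test: a chain of ifs plus a flag."""
    def __init__(self, state="cart"):
        self.state = state
        self.paid = state in ("paid", "shipped", "refunded")

    def apply(self, event):
        if event == "place" and self.state == "cart":
            self.state = "placed"
        elif event == "pay" and self.state == "placed":
            self.state, self.paid = "paid", True
        elif event == "cancel" and self.state == "placed":
            self.state = "cart"
        elif event == "ship" and self.state == "paid":
            self.state = "shipped"
        elif event == "refund" and self.paid:  # flaw: flag, not state (double refund)
            self.state = "refunded"
        else:
            raise ValueError(f"illegal transition {(self.state, event)}")
        return self.state

def run_model_tests():
    """Drive every (state, event) pair: SPEC pairs are positive tests, all others
    inverse ("must not") tests. Returns (accepted_ok, rejected_ok, violations)."""
    accepted_ok = rejected_ok = 0
    violations = []
    for state, event in product(STATES, EVENTS):
        try:
            OrderWorkflow(state).apply(event)
            accepted = True
        except ValueError:
            accepted = False
        if accepted == ((state, event) in SPEC):
            accepted_ok += accepted
            rejected_ok += not accepted
        else:
            violations.append((state, event))
    return accepted_ok, rejected_ok, violations
```

The same harness applies unchanged to any workflow once its "must" rules are written as a transition table; the violations list is what goes into the test report.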

On 11 Jan 2013, at 02:04, "McGovern, James" <james.mcgovern at hp.com> wrote:

> One additional observation is to note that testing business logic isn't quite the same as testing for, say, SQL injection. We need to introduce more of a "logical" test than a physical one. We know the infamous "1=1" in SQL, but need something more logical in terms of guidance. From a developer's perspective, they are usually handed specifications written by business analysts that use "must" and "must not" grammar. So, a logical test would also strive to test the inverse. We could start with a few requirements and show how to create inverse tests against them.
>
> Another scenario may be to test for forensic capabilities that can help the "defenders". For example, if we have a business rules engine that uses the RETE algorithm and someone attempts a business logic attack, our simple OWASP logging guidance is inadequate for a developer to understand the path traversal of business logic on any given day.
>
> From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Andrew Muller
> Sent: Thursday, January 10, 2013 8:00 PM
> To: Colin Watson
> Cc: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] Can you please give me some guidance on the Business Logic Section?
>
> Some great material there, David. Give us a shout if you'd like help transposing this information into the Business Logic section of the guide.
>
> regards,
>   Andrew
> 
> From: "Colin Watson" <colin.watson at owasp.org>
> To: owasp-testing at lists.owasp.org
> Sent: Tuesday, 8 January, 2013 1:51:26 AM
> Subject: Re: [Owasp-testing] Can you please give me some guidance on the Business Logic Section?
> 
> David
> 
> I think all the contributors to this thread have been very helpful.
> 
> I have to admit that I added some of the suggestions to section 4.7
> Business Logic when the request was made to come up with ideas. My
> thoughts at the time were to have them as examples, rather than being
> numbered tests like in the rest of the testing guide.
> 
> Some other sources of ideas, or that might be referenced are:
> 
>    The Common Misuse Scoring System (CMSS): Metrics for Software
> Feature Misuse Vulnerabilities
>    NISTIR 7864
>    http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf
> 
>    Business Logic Abuse, Ponemon
>    http://buzz.silvertailsystems.com/PonemonStudy.html?/study
>    http://buzz.silvertailsystems.com/Ponemon_UK.html
> 
> We should remember that applications might be used to attack other
> users and other systems. Additionally, the trusted insider might be
> able to undertake attacks that other users are unable to commit. The
> attacks in online gaming sometimes add extra insight into what might
> occur in other areas, e.g.:
> 
>    Security Issues in Online Games
>    Jianxin Jeff Yan and Hyun-Jin Choi
>    http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf
> 
>    Securing Virtual Worlds Against Real Attack
>    Dr. Igor Muttik, McAfee
>    https://www.info-point-security.com/open_downloads/2008/McAfee_wp_online_gaming_0808.pdf
> 
> My thoughts on 4.7 would be to use the ideas in v3 and this thread to
> write up something generic, describe how best to identify suitable
> tests, add plenty of interesting references, and have a small number
> of single-page *example* business logic flaws, maybe boxed out so they
> are not mistaken as the only tests that need to be performed.
> 
> Colin
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing