[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Steven M. Christey coley at linus.mitre.org
Thu Nov 19 20:01:54 EST 2009


On Mon, 16 Nov 2009, Dave Wichers wrote:

> My point is that most of the 'business logic' flaws that can occur in
> applications really belong (in my opinion) in one of the existing Top 10
> categories, rather than in a separate category called 'business logic
> flaws'.

For whatever it's worth, I think the same way about this... plus if
there's a problem that we still have to call a "business logic flaw," then
in my book it means that maybe we don't fully understand the underlying
weakness yet (and maybe we never will, not any time soon anyway.)  I don't
know how to generally classify a rule like "a customer can never buy an
item at a negative price" so it's business logic, but at one level it's an
instance of "use of a negative number in an always-positive context" which
doesn't feel that far from the common error in C of checking a signed,
potentially-negative integer for a maximum value to prevent integer
overflows.

When Jeremiah Grossman started talking about business logic problems, I
believe that one of his main points was that issues like SQL injection,
XSS, etc. are "almost always wrong" regardless of what application you're
looking at, and in a sense they're easier to find.  But some key problems
can't be found without having specific knowledge of the domain in which
the software is operating.  Access control generally happens to live in
the domain-specific area.  You also usually need domain-specific knowledge
to determine whether CSRF is a feature or a vulnerability for a particular
function, but I wouldn't call either of these "business logic."

- Steve

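Steve's analogy above (a maximum-only check on a signed length in C, and a "never buy at a negative price" rule) worked as an added C example; this is constructed illustration, not code from the original thread, and the limits, function names and prices are assumptions:

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdbool.h>

#define MAX_LEN 1024            /* assumed buffer limit */
#define MAX_PRICE_CENTS 100000L /* assumed catalogue ceiling */

/* Weak: the classic C mistake of checking a signed length only against
 * an upper bound. A negative value passes and, once converted to size_t
 * for allocation or copying, becomes an enormous size. */
bool len_ok_weak(int len) {
    return len <= MAX_LEN;              /* -1 passes this check */
}

/* Hardened: reject the negative range as well as the too-large range. */
bool len_ok(int len) {
    return len >= 0 && len <= MAX_LEN;
}

/* Shows what the weak check lets through: the size the allocator sees. */
size_t as_size(int len) {
    return (size_t)len;                 /* -1 -> SIZE_MAX */
}

/* The "business logic" rule has the same shape: a maximum-only check on
 * a unit price lets a negative price through and turns a purchase into a
 * credit to the customer. */
bool price_ok_weak(long unit_price_cents) {
    return unit_price_cents <= MAX_PRICE_CENTS;   /* -500 passes */
}

bool price_ok(long unit_price_cents) {
    return unit_price_cents > 0 && unit_price_cents <= MAX_PRICE_CENTS;
}

/* Order total in cents, or -1 when an input violates a rule. Also guards
 * the multiplication against signed overflow. */
long order_total(long unit_price_cents, long qty) {
    if (!price_ok(unit_price_cents) || qty <= 0) return -1;
    if (qty > LONG_MAX / unit_price_cents) return -1;
    return unit_price_cents * qty;
}
```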
