179
Web Application Penetration Testing
ness_logic_flaws.html
• Toward Automated Detection of Logic Vulnerabilities in Web Applications - Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, Giovanni Vigna - https://www.usenix.org/legacy/event/sec10/tech/full_papers/Felmetsger.pdf
• 2012 Web Session Intelligence & Security Report: Business Logic Abuse, Dr. Ponemon - http://www.emc.com/collateral/rsa/silvertail/rsa-silver-tail-ponemon-ar.pdf
• 2012 Web Session Intelligence & Security Report: Business Logic Abuse (UK) Edition, Dr. Ponemon - http://buzz.silvertailsystems.com/Ponemon_UK.htm
OWASP Related
• Business Logic Attacks – Bots and Bats, Eldad Chai - http://www.imperva.com/resources/adc/pdfs/AppSecEU09_BusinessLogicAttacks_EldadChai.pdf
• OWASP Detail Misuse Cases - https://www.owasp.org/index.php/Detail_misuse_cases
• How to Prevent Business Flaws Vulnerabilities in Web Applications, Marco Morana - http://www.slideshare.net/marco_morana/issa-louisville-2010morana
Useful Web Sites
• Abuse of Functionality - http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality
• Business logic - http://en.wikipedia.org/wiki/Business_logic
• Business Logic Flaws and Yahoo Games - http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html
• CWE-840: Business Logic Errors - http://cwe.mitre.org/data/definitions/840.html
• Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic - http://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation
• Prevent application logic attacks with sound app security practices - http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1213424,00.html?bucket=NEWS&topic=302570
• Real-Life Example of a ‘Business Logic Defect’ - http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/bap/22581
• Software Testing Lifecycle - http://softwaretestingfundamentals.com/software-testing-life-cycle/
• Top 10 Business Logic Attack Vectors: Attacking and Exploiting Business Application Assets and Flaws – Vulnerability Detection to Fix - http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper/ and http://www.ntobjectives.com/files/Business_Logic_White_Paper.pdf
Books
• The Decision Model: A Business Logic Framework Linking Business and Technology, by Barbara Von Halle and Larry Goldberg, published by CRC Press, ISBN 1420082817 (2010)
Test business logic data validation (OTG-BUSLOGIC-001)
Summary
The application must ensure that only logically valid data can be entered at the front end as well as directly to the server side of an application or system. Only verifying data locally may leave applications vulnerable to server injections through proxies or at handoffs with other systems. This is different from simply performing Boundary Value Analysis (BVA) in that it is more difficult and in most cases cannot be simply verified at the entry point, but usually requires checking some other system.
For example: an application may ask for your Social Security Number. In BVA the application should check formats and semantics (is the value 9 digits long, not negative and not all 0s) for the data entered, but there are logic considerations also. SSNs are grouped and categorized. Is this person on a death file? Are they from a certain part of the country?
Vulnerabilities related to business data validation are unique in that they are application specific and differ from the vulnerabilities related to forging requests in that they are more concerned with logical data as opposed to simply breaking the business logic workflow.
The front end and the back end of the application should both be verifying and validating that the data they hold, use and pass along is logically valid. Even if the user provides valid data to an application, the business logic may make the application behave differently depending on data or circumstances.
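As an added illustration of the SSN case above (example code, not from the Testing Guide), the following separates the BVA checks that can run at the entry point from the logic checks that need another system's data; the death file and the table of issued area/group combinations are constructed sample data, not real SSA records:

```python
from __future__ import annotations
import re

# Constructed sample reference data for this example only. In a real
# system these would be lookups against another system (a death file
# service, the issuer's allocation tables), never client-supplied data.
DEATH_FILE = {"123456789"}
ISSUED_AREA_GROUPS = {"123": {"45", "46"}, "987": {"65"}}

def passes_bva(ssn: str) -> bool:
    """Boundary Value Analysis: format and simple semantics, checkable
    at the entry point without consulting anything else."""
    if not re.fullmatch(r"\d{9}", ssn):   # exactly 9 digits, so never negative
        return False
    return ssn != "000000000"              # not all zeros

def passes_logic(ssn: str) -> tuple[bool, str]:
    """Business-logic validation: needs data the entry point does not
    have, so it must run server side on every request, not only in
    the browser."""
    if ssn in DEATH_FILE:
        return False, "holder is on the death file"
    area, group = ssn[:3], ssn[3:5]
    if group not in ISSUED_AREA_GROUPS.get(area, set()):
        return False, "area/group combination was never issued"
    return True, "ok"

def validate_ssn(ssn: str) -> tuple[bool, str]:
    """Run the cheap BVA check first, then the logic check."""
    if not passes_bva(ssn):
        return False, "fails format check"
    return passes_logic(ssn)
```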
Examples
Example 1
Suppose you manage a multi-tiered e-commerce site that allows users to order carpet. The user selects their carpet, enters the size, makes the payment, and the front end application has verified that all entered information is correct and valid for contact information, size, make and color of the carpet. But the business logic in the background has two paths: if the carpet is in stock it is shipped directly from your warehouse, but if it is out of stock in your warehouse a call is made to a partner's system and, if they have it in stock, they will ship the order from their warehouse and reimbursement is settled with them. What happens if an attacker is able to continue a valid in-stock transaction and send it as out-of-stock to your partner? What happens if an attacker is able to get in the middle and send messages to the partner warehouse ordering carpet without payment?
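As an added illustration of Example 1 (example code, not from the Testing Guide), the following shows a back end that trusts a fulfilment hint set by the front end next to one that re-derives the stock path and the payment status from its own records; the inventory, price list and payment ledger are constructed sample data:

```python
# Constructed sample server-side state for this example: our own
# inventory, price list (in cents) and payment ledger keyed by order id.
INVENTORY = {"carpet-blue-3x4": 5, "carpet-red-2x2": 0}
PRICES = {"carpet-blue-3x4": 24900, "carpet-red-2x2": 12000}
PAYMENTS = {"order-1001": 24900, "order-1002": 12000}

class OrderRejected(Exception):
    pass

def route_order_insecure(order: dict) -> str:
    """Vulnerable pattern: the fulfilment path is read from a field the
    front end set, so a request altered between the tiers can send an
    in-stock, or unpaid, order to the partner warehouse."""
    if order.get("fulfillment") == "partner":
        return "partner"
    return "warehouse"

def route_order(order: dict) -> str:
    """Hardened pattern: the back end ignores any routing or payment
    hints in the request and re-derives both from its own records."""
    sku, qty, order_id = order.get("sku"), order.get("quantity"), order.get("order_id")
    # BVA-level checks: a known product and a positive whole quantity.
    if sku not in PRICES or not isinstance(qty, int) or qty <= 0:
        raise OrderRejected("invalid sku or quantity")
    # Logic check: a payment for exactly this order and amount is on file.
    if PAYMENTS.get(order_id) != PRICES[sku] * qty:
        raise OrderRejected("no matching payment on record")
    # Logic check: the stock path comes from our inventory, not the client.
    if INVENTORY.get(sku, 0) >= qty:
        return "warehouse"
    return "partner"
```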
Example 2
Many credit card systems are now downloading account balances nightly so that customers can check out more quickly for amounts under a certain value. The inverse is also true. If I pay my credit card off in the morning I may not be able to use the available credit in the evening. Another example may be if I use my credit card at multiple locations very quickly it may be