
How do you prevent business logic flaws?

Our business is relying more and more on smart process applications to manage business-critical processes. This means application security is even more important than ever. What's your advice on ensuring not only that the code is secure, but that business logic is also secure? I want to ensure that the functionality as designed isn't exploitable.

There's no concise way of outlining how to test business logic for security flaws. Every application is unique in this regard. It's not unlike trying to tell a racecar driver how to go fast. With the numerous variables involving the car, the track, and the racer's driving style and mental state, it's a complex situation with no single good answer. Instead, there are a lot of small things that must be done -- and tested -- that will add up to an improved race craft, faster lap times and, in this case, more secure applications.

When it comes to vulnerable application logic, here are some areas I often discover as being weak and exploitable:

  • User provisioning and password change processes that can be manipulated.
  • Initial logins and how the application and workflow are presented to the user may allow for unauthorized access if the user simply hits "Esc" or clicks the back button in the Web browser.
  • Order and data entries that can be manipulated for ill-gotten gains.
  • Search queries that return interesting information that leads to different parts of the application that were otherwise unknown.
  • Directory enumeration for a logged-in user can uncover areas of the application that are actually publicly accessible (and can be exploited from the outside without a user ever logging in once it's discovered).
  • Role or privilege escalation that can be exploited by merely knowing where to go within the application.
  • Session hand-offs to separate (often third-party) applications that disclose how the authentication and session management work.
  • File upload areas that facilitate the spreading of malware on unprotected servers.

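The order-entry and privilege-escalation items above are easiest to see side by side in code. The following is an added example, not code from the original article: a minimal order handler that trusts the client's price and quantity, next to a hardened version that prices from a server-side catalogue, bounds the quantity, and authorises each sensitive action against the user's role rather than against which screen the user reached. The catalogue, the role table, the `Session` class and the sample requests are all constructed for illustration.

```python
"""Added example (not from the original article): an exploitable
order-entry handler and its hardened form. Catalogue, roles and
requests are constructed for illustration."""
from dataclasses import dataclass

# Constructed server-side catalogue: product id -> unit price in cents.
CATALOGUE = {"sku-100": 2500, "sku-200": 9900}

# Constructed role table: which roles may perform which action.
PERMISSIONS = {
    "customer": {"place_order"},
    "manager": {"place_order", "approve_refund"},
}

MAX_QUANTITY = 100  # assumed per-line limit


@dataclass
class Session:
    user: str
    role: str


# Constructed tampered request: the client sends its own price for the
# expensive item and a negative quantity for the cheap one.
TAMPERED_REQUEST = {
    "items": [
        {"sku": "sku-200", "price": 1, "quantity": 1},
        {"sku": "sku-100", "price": 2500, "quantity": -2},
    ]
}


def place_order_vulnerable(request: dict) -> int:
    """Computes the total from whatever the client sent. Price is
    attacker-controlled and a negative quantity turns into a credit."""
    total = 0
    for line in request["items"]:
        total += line["price"] * line["quantity"]
    return total


def place_order_hardened(session: Session, request: dict) -> int:
    """The server decides the price, the quantity must be a bounded
    positive integer, and the action is checked against the role."""
    if "place_order" not in PERMISSIONS.get(session.role, set()):
        raise PermissionError(f"role {session.role!r} may not place orders")
    total = 0
    for line in request["items"]:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown product {sku!r}")
        qty = line.get("quantity")
        # bool is a subclass of int, so reject it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
            raise ValueError(f"invalid quantity {qty!r}")
        total += CATALOGUE[sku] * qty  # any client-supplied price is ignored
    return total


def approve_refund(session: Session, order_id: str) -> str:
    """A privilege-sensitive action guarded on the server, so simply
    knowing the URL of the refund screen is not enough to use it."""
    if "approve_refund" not in PERMISSIONS.get(session.role, set()):
        raise PermissionError(f"role {session.role!r} may not approve refunds")
    return f"refund for {order_id} approved by {session.user}"


if __name__ == "__main__":
    customer = Session("alice", "customer")
    print("vulnerable total:", place_order_vulnerable(TAMPERED_REQUEST))
    for fn in (lambda: place_order_hardened(customer, TAMPERED_REQUEST),
               lambda: approve_refund(customer, "order-1001")):
        try:
            print(fn())
        except (ValueError, PermissionError) as exc:
            print("rejected:", exc)
```

The point of the hardened version is that the checks live in the handler that performs the action, not in the page that links to it; a user who presses Esc, hits the back button or types a URL still lands on the same server-side gate.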
As you can see, much of this involves core application security principles such as authentication, access control, session management and input validation. It's really all related, but uncovering many business logic flaws takes a special way of thinking and a special eye that can look at the bigger picture.

Other things to consider when testing for business logic flaws:

  • Whether or not workflows and processes can be automated and then attacked using vulnerability scanners and scripts.
  • Testing both with and without user authentication. (You can often uncover publicly exploitable weaknesses that might otherwise go unnoticed to a logged-in user.)
  • Audit or exception logging and how anomalies are being monitored and addressed.

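The last two items above, testing without authentication and watching audit logs for anomalies, can be checked after the fact from the application's access log. The following is an added example, not code or a log format from the original article: it parses constructed log lines and flags two patterns, a protected path that returned 200 to an unauthenticated client, and one client address changing the password of many distinct accounts. The log format, the protected path prefixes, the password-change path and the threshold are assumptions chosen for the example.

```python
"""Added example (not from the original article): audit-log anomaly
checks for two business-logic failure modes. The log format, sample
lines, path layout and threshold are constructed for illustration."""
import re
from collections import defaultdict

# Constructed log format: timestamp, client address, authenticated user
# or "-" when there is no session, request path, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Assumed application layout: these areas must require a login.
PROTECTED_PREFIXES = ("/account/", "/admin/", "/orders/")
PASSWORD_CHANGE_PATH = "/account/password"   # assumed path
PASSWORD_CHANGE_LIMIT = 3                    # assumed distinct accounts per client

# Constructed sample log.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z client=10.0.0.5 user=alice path=/orders/new status=200
2024-05-02T10:00:04Z client=10.0.0.5 user=alice path=/orders/1001 status=200
2024-05-02T10:01:10Z client=198.51.100.7 user=- path=/admin/reports status=200
2024-05-02T10:01:11Z client=198.51.100.7 user=- path=/account/profile status=302
2024-05-02T10:02:00Z client=203.0.113.9 user=bob path=/account/password status=200
2024-05-02T10:02:02Z client=203.0.113.9 user=carol path=/account/password status=200
2024-05-02T10:02:05Z client=203.0.113.9 user=dave path=/account/password status=200
2024-05-02T10:02:07Z client=203.0.113.9 user=erin path=/account/password status=200
2024-05-02T10:03:00Z client=10.0.0.5 user=- path=/ status=200
"""


def parse(log_text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_anomalies(log_text: str) -> list:
    """Return (rule, client, detail) tuples for the two checks."""
    findings = []
    records = parse(log_text)

    # Rule 1: a protected area served successfully with no session at all.
    # A 302 back to the login page is the expected outcome, a 200 is not.
    for r in records:
        if (r["user"] == "-" and r["status"] == "200"
                and r["path"].startswith(PROTECTED_PREFIXES)):
            findings.append(("unauthenticated_access", r["client"], r["path"]))

    # Rule 2: one client completing password changes for many accounts,
    # the kind of manipulated provisioning / password-change flow to review.
    accounts = defaultdict(set)
    for r in records:
        if r["path"] == PASSWORD_CHANGE_PATH and r["status"] == "200":
            accounts[r["client"]].add(r["user"])
    for client, users in accounts.items():
        if len(users) > PASSWORD_CHANGE_LIMIT:
            findings.append(("password_change_burst", client, f"{len(users)} accounts"))

    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

Rule 1 is the log-side counterpart of testing every workflow while logged out: a 200 on a protected path with no session is something the application should never have produced. Rule 2 is deliberately a count of distinct accounts rather than of requests, so a single user retrying their own change does not trip it.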
Application logic flaws can be detrimental to a business, and there's hardly a firewall or IPS system (including those that monitor layer 7) that will protect you from these types of exploits. It's something that needs to be tested for in your ongoing security assessments and penetration tests at least once per year or after any significant code changes.

How do you secure your business logic?
There will always be the occasional misunderstandings or missed requirements. The way that we try to avoid these as much as possible is by closely involving our developers, QA and product owner in writing acceptance criteria and acceptance tests. When development and QA are completed, we do a demo with the product owner to make sure that the behavior is what they expected.