Business Logic Flaws

Overview

Business logic flaws are those in which the functionality implemented in the site does not operate as intended. They can result in a number of site-specific security problems.

What makes a site vulnerable?

A site may be vulnerable to business logic flaws if the site's requirements or design are flawed or incorrectly implemented.

Impact of the attack

The impact of the attack will depend on the nature of the site. It may for instance allow an attacker to bypass security checks or payment processes.

Preventing the attack

The site's requirements and design should be analysed for logical flaws. Then the implementation should be reviewed to ensure that it correctly implements the design.

The attack in the real world

A non-website security example of a business logic flaw is one that allows drive-thru customers to get free fast food.
In October 2007, Google Docs was affected by a business logic flaw in which the sessions were not checked on some requests for documents, allowing arbitrary documents to be captured.
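The pattern in the Google Docs incident, and the "review the implementation against the design" step above, as an added example (constructed code, not from the original page or from Google): a document service whose design says "every document request requires a valid session", but whose implementation only checks the session on the listing request. The flawed and corrected fetch handlers sit side by side; the users, sessions and documents are made-up sample data.

```python
"""Constructed example: a document service where the session check is
applied to the 'list' request but forgotten on the 'fetch' request.
All users, sessions and documents below are made up for illustration."""
from typing import List, Optional

# Constructed sample data: which user owns which document, and live sessions.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "Q3 budget draft"},
    "doc-2": {"owner": "bob", "body": "Bob's private notes"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def current_user(session_token: Optional[str]) -> Optional[str]:
    """Resolve a session token to a user name, or None if not logged in."""
    return SESSIONS.get(session_token)


def list_documents(session_token: Optional[str]) -> List[str]:
    """Listing applies the session check: only the caller's own documents."""
    user = current_user(session_token)
    if user is None:
        raise PermissionError("not logged in")
    return [doc_id for doc_id, d in DOCUMENTS.items() if d["owner"] == user]


def fetch_document_flawed(session_token: Optional[str], doc_id: str) -> Optional[str]:
    """Logic flaw: the developer assumed callers always arrive via the listing
    page, so the session is never checked here and any document id returns
    its contents to anyone. The design required a check on every request."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def fetch_document_fixed(session_token: Optional[str], doc_id: str) -> Optional[str]:
    """Fix: authenticate and authorise on every request, matching the design."""
    user = current_user(session_token)
    if user is None:
        raise PermissionError("not logged in")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    if doc["owner"] != user:
        raise PermissionError("not the owner of this document")
    return doc["body"]
```

A code review that compares each request handler against the design requirement ("session checked on every document request") catches the flawed handler even though it contains no injection or memory bug.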