While the industry is buzzing with XSS, SQLi, CSRF, browser insecurities, etc., Business Logic Flaws (pdf) is the website security dark horse no one talks much about. You know those all too common issues where you can jump into someone else's online accounts or access confidential data with a normal-looking request simply by flipping a few characters. Business Logic Flaws are challenging to discuss, prevent, or even fix generically, for that matter, because they're extremely website specific. We recently released a white paper that's entirely real-world-example driven, to help people begin thinking outside the box about their own websites. Snippet:
"Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Hardly a winning trifecta. Plus, the more sophisticated and Web 2.0 feature rich a website, the more prone it is to have flaws in business logic due to the complexities involved."
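To make the "flip a few characters" flaw concrete, here is an added example (my own illustration, not code from the white paper) of a minimal "view statement" handler: the flawed version passes every generic check, the fixed version ties authorization to the server-side session identity, and a small check asks the question the post says QA skips, namely what the code can be made to do. The handler names and sample data are constructed for the example.

```python
# Added example, not from the white paper: an insecure direct object
# reference in a "view statement" handler, beside its hardened form.
from dataclasses import dataclass


@dataclass
class Statement:
    statement_id: int
    owner: str
    body: str


# Constructed sample data: two customers, each with one statement.
STATEMENTS = {
    1001: Statement(1001, "alice", "alice's balance: 4,200.00"),
    1002: Statement(1002, "bob", "bob's balance: 17.50"),
}


class AccessDenied(Exception):
    pass


def view_statement_vulnerable(session_user: str, statement_id: int) -> str:
    """Flawed version: the request is well-formed and the caller is logged in,
    so input validation, a scanner and a WAF all see nothing wrong; but nothing
    ties the record to the caller. Changing 1001 to 1002 returns someone
    else's statement."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None:
        raise KeyError("no such statement")
    return stmt.body


def view_statement_fixed(session_user: str, statement_id: int) -> str:
    """Fixed version: the ownership decision uses the identity from the
    server-side session, never anything the client sent. Unknown and foreign
    ids produce the same error, so responses do not reveal which ids exist."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.owner != session_user:
        raise AccessDenied("statement not available to this user")
    return stmt.body


def horizontal_access_check(handler) -> bool:
    """The missing QA test: does the handler refuse bob access to alice's
    statement? Returns True when the cross-account request is rejected."""
    try:
        handler("bob", 1001)
    except (AccessDenied, KeyError):
        return True
    return False
```

Run the check against both handlers: the flawed one returns False because the cross-account request succeeds, which is exactly the kind of "passing" behaviour a functional test suite never exercises.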
Examples I use:
1) Winning an Online Auction
2) “Interactive” T.V.
3) See Steve Jobs up close
4) Day trading contest for $1,000,000
5) The house almost always wins
6) Password Recovery
7) Making millions by trading on semi-public information