Business logic flaws
What are business logic vulnerabilities?

Business logic vulnerabilities are the result of faulty application logic. They are specific to the functionality or domain of a particular web application, which makes them extremely difficult to find automatically with AST (Application Security Testing) tools.

Business logic attacks do not contain malformed requests, which is why it is difficult (if not impossible) to define a general specification that allows logic vulnerabilities to be discovered across different applications. For the same reason they are not identified by scanners or an IDS, and many web application firewalls cannot defend against them either.

As Jeremiah Grossman (founder and CTO of WhiteHat Security) said:

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Hardly a winning trifecta. Plus, the more sophisticated and Web 2.0 feature rich a website, the more prone it is to have flaws in business logic due to the complexities involved.

Testing for business logic flaws

Business logic vulnerability testing is harder to automate because each application logic attack is unique.

As the OWASP web page states, “testing of business logic flaws is similar to the test types used by functional testers that focus on logical or finite state testing. These types of tests require that security professionals think a bit differently, develop abused and misuse cases and use many of the testing techniques embraced by functional testers. Automation of business logic abuse cases is not possible and remains a manual art relying on the skills of the tester and their knowledge of the complete business process and its rules.”

The solution: Information Flow Control System implemented by HDIV

Other kinds of web risks, such as SQL injection or XSS, are easy to fix once they are detected; business logic vulnerabilities are not, and in many cases fixing them requires a review of the whole application. At the same time, the solutions available at this level, such as instance-level security (see for example Spring Security Domain Object Security (ACLs)), are difficult to apply and in many cases cause performance problems.

Given that business logic vulnerabilities cannot be detected automatically and are complex to fix, HDIV adds a security layer to the application that addresses the root cause of all business logic vulnerabilities.

These vulnerabilities have something in common: the attacks are carried out on the client side by manipulating data that was generated on the server side. HDIV limits how end users can interact with that data, preventing its manipulation and consequently protecting against this kind of risk.

Basically, HDIV applies the following security features to address domain-dependent web risks:

OWASP Top 10 business logic vulnerabilities

  • A4 Insecure Direct Object Reference – HDIV's web information flow control system controls all the data generated on the server side, ensuring its integrity. In addition, and optionally, it can ensure the confidentiality of server-generated data, avoiding the exposure of critical values (such as credit card numbers).
  • A7 Missing Function Level Access Control – Thanks to the information flow control system implemented by HDIV, all the resources (links and forms) exposed by the application are controlled by HDIV, so the original contract offered by the server cannot be broken.
  • A10 Unvalidated Redirects and Forwards – HDIV controls all the data sent by the server and does not allow redirection to malicious web sites.
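As an added illustration (not HDIV's own code), the following Python sketch shows the integrity and optional confidentiality control described above: the server records the parameters of every link it emits under a random state id, pins the non-editable values, and rejects any request whose pinned values differ, that carries unexpected or duplicated parameters, or that lacks the state id. The `FlowControl` class, the `_state` parameter name and the sample URLs are hypothetical.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class FlowControl:
    """Hypothetical server-side record of emitted links and their allowed parameters."""

    def __init__(self, confidential=False):
        self.confidential = confidential
        self.states = {}  # state_id -> {"fixed": {param: value}, "editable": set}

    def render_link(self, path, params, editable=()):
        """Emit a link; non-editable params are pinned to the server's values."""
        state_id = secrets.token_urlsafe(16)
        fixed = {k: str(v) for k, v in params.items() if k not in editable}
        self.states[state_id] = {"fixed": fixed, "editable": set(editable)}
        out = {}
        for k, v in params.items():
            if self.confidential and k in fixed:
                # Confidentiality option: expose a positional index, not the real value.
                out[k] = str(list(fixed).index(k))
            else:
                out[k] = v
        out["_state"] = state_id
        return f"{path}?{urlencode(out)}"

    def validate(self, url):
        """Check a request against the issued contract; returns (params or None, reason)."""
        qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
        state_id = qs.pop("_state", [None])[0]
        state = self.states.get(state_id)
        if state is None:
            return None, "unknown or missing state id"
        fixed, editable = state["fixed"], state["editable"]
        resolved = {}
        for k, values in qs.items():
            if len(values) != 1:
                return None, f"duplicate parameter {k!r}"
            if k in editable:
                resolved[k] = values[0]
            elif k in fixed:
                expected = str(list(fixed).index(k)) if self.confidential else fixed[k]
                if values[0] != expected:
                    return None, f"parameter {k!r} was modified"
                resolved[k] = fixed[k]  # real value always comes from server state
            else:
                return None, f"unexpected parameter {k!r}"
        missing = set(fixed) - set(resolved)
        if missing:
            return None, f"missing parameters {sorted(missing)}"
        return resolved, "ok"
```

In confidential mode the real identifier never leaves the server, so a client can only select among the indices the server itself offered.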

1 Comment

  • What makes business logic abuse popular is that generally it is not something that would be detected by a security process or application vulnerability scanning, because the website is functioning as designed. Unfortunately, vulnerabilities in business logic can have serious consequences.
