SlideShare a Scribd company logo
1 of 32
How to Prevent Business Flaws Vulnerabilities In Web Applications Marco Morana OWASP Cincinnati Chapter, January 2011 Meeting
What is OWASP?
OWASP Cincinnati Meetings, Tentative Calendar for 2011 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Agenda For Today’s Presentation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Business Logic Attacks
Business Logic Attacks: The Problem Statement ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Business Logic Attacks Examples
Bypassing Security Controls ?
Business Logic Flaws Categorized in 2 Groups ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Vulnerability Analysis of Business Logic Flaws
BLA From Risk Analysis Perspective ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Root Causes Of Business Logic Flaws ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Vulnerabilities Potentially Exploited By BLAs
1: BLAs Exploiting Authorization Flaws ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
2: BLAs Exploiting Authentication Flaws ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
3: BLAs Exploiting Mis-Configurations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
4: BLAs Exploiting Insufficient Anti-Automation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
5: BLAs Exploiting Insufficient Process Controls  ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Identification and Mitigation of Business Logic Flaws
Business Logic In Web Application Architectures  Not All Business Logic Resides on the Application Server ! Beware of Web 2.0 Apps that include business logic client side (e.g. AJAX, Widgets, Mashups Beware of Flaws in Integration of Business Logic with Server Components
Security Process for Preventing Business Logic Flaws in Applications ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Identification Of Security Flaws: Application Threat Modeling Process
Data Flow Diagramming Spoofing And Tampering XML/HTTP Parameters Forceful browsing Threats to Application Business Logic  Spoofing And Tampering Web Service Calls Spoofing And Tampering Message Calls Spoofing And Tampering SQL Queries Elevation Of Privileges/ RBAC Misconfigurations
Security Flaws Identification With Use And Abuse Cases: Password Reset
Identification of Business Logic Flaws Using Transaction Analysis: Shopping Cart
Shopping Cart BLA Example Catalogue  Price:  $ 27.99 Charged Price: $.99
Testing For Occurrence of Business Logic Flaws ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Checking Configuration of Security And Business Rules
Possible Countermeasures Against BLAs ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Q & Q U E S T I O N S A N S W E R S
Thanks for listening, further references ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Further references con’t ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

More Related Content

What's hot

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
Zane Lackey
 
Computer security basics
Computer security  basicsComputer security  basics
Computer security basics
Srinu Potnuru
 

What's hot (20)

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
Application Security
Application SecurityApplication Security
Application Security
 
Security Assessment Plan (Template)
Security Assessment Plan (Template)Security Assessment Plan (Template)
Security Assessment Plan (Template)
 
Getting Started with API Security Testing
Getting Started with API Security TestingGetting Started with API Security Testing
Getting Started with API Security Testing
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Malware
MalwareMalware
Malware
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim Dökümanı
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Ransomware
RansomwareRansomware
Ransomware
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Kaynak Kod Analiz Süreci
Kaynak Kod Analiz SüreciKaynak Kod Analiz Süreci
Kaynak Kod Analiz Süreci
 
Computer security basics
Computer security  basicsComputer security  basics
Computer security basics
 

Similar to Security Exploit of Business Logic Flaws, Business Logic Attacks

Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
Marco Morana
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
zakieh alizadeh
 
Hack applications
Hack applicationsHack applications
Hack applications
enrizmoore
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Colin English
 

Similar to Security Exploit of Business Logic Flaws, Business Logic Attacks (20)

A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
OWASP: Building Secure Web Apps
OWASP: Building Secure Web AppsOWASP: Building Secure Web Apps
OWASP: Building Secure Web Apps
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
C01461422
C01461422C01461422
C01461422
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
 
Survey on detecting and preventing web application broken access control attacks
Survey on detecting and preventing web application broken access control attacksSurvey on detecting and preventing web application broken access control attacks
Survey on detecting and preventing web application broken access control attacks
 
Hack applications
Hack applicationsHack applications
Hack applications
 
Erp security1
Erp security1Erp security1
Erp security1
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Demand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docxDemand for Penetration Testing Services.docx
Demand for Penetration Testing Services.docx
 
Security Design Considerations In Robotic Process Automation.docx
Security Design Considerations In Robotic Process Automation.docxSecurity Design Considerations In Robotic Process Automation.docx
Security Design Considerations In Robotic Process Automation.docx
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Improving web application security, part ii
Improving web application security, part iiImproving web application security, part ii
Improving web application security, part ii
 
Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 Final
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 

More from Marco Morana

Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
Marco Morana
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
Marco Morana
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
Marco Morana
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
Marco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
Marco Morana
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
Marco Morana
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
Marco Morana
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
Marco Morana
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Marco Morana
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
Marco Morana
 

More from Marco Morana (20)

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011
 
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
Web 2.0 threats, vulnerability analysis,secure web 2.0 application developmen...
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services Security
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 

Recently uploaded

Recently uploaded (20)

Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 

Security Exploit of Business Logic Flaws, Business Logic Attacks

Editor's Notes

  1. Business logic attacks are attacks target the application business logic such as the business rules that are specific for the application. These include for example rules for baking on-line In general when we talk of application security risks we refer to exploit of critical vulnerabilities such as exploit of the OWASP T10 such as injection flaws, XSS, Do not exploit common vulnerabilities such as XSS and SQL injection and broken authentication and session management. This vulnerabilities are usually rated critical because of the technical impact and the business impact that cause when are exploited. This is the same in the case of BLA since these attacks exploits flaws in the application business logic for commit fraud such as unauthorized financial transactions such as wire transfers, stealing user credentials to gain access to some else emails, and sensitive data as well as to damage the reputation of the company or individuals by posting false information for different reasons The problem with BLA is that the flaws that are exploited are very difficult to discover with VA/penetration testing since they DO NOT rely on known attack patterns and workflows pose the same level of risk to exploit of critical vulnerabilities
  2. Pump and dump " is a form of microcap stock fraud that involves artificially inflating the price of an owned stock through false and misleading positive statements, in order to sell the cheaply purchased stock at a higher price. Once the operators of the scheme "dump" their overvalued shares, the price falls and investors lose their money. Stocks that are the subject of pump-and-dump schemes are sometimes called "chop stocks". [1] While fraudsters in the past relied on cold calls , the Internet now offers a cheaper and easier way of reaching large numbers of potential investors. [1]
  3. In case of vulnerabilities that are application logic specific the commonality is in applications implementing same logic for example in the case of password management, use of MFA, weak enforecement of RBAC such as when relying on client side parameters and insufficient defenses against automations/bots designed to exploit the application business logic fr different reasons The most specific cases are the ones related to lack of strong validations for each step such a validation is required at step B to go to step C while step A is T&C a user can go directly from A to C can bypass any validation this is common independently
  4. It is important to differentiate between design flaws and secuirity bugs. Security flaws might have different root causes mostly due to design defects. Require manual analysis since tools do not have the contextual knowledge of the application since these lack the contextual knowledge of the application Security bugs can be identified via source code analysis and require developers knowledge of secure coding principles, can be driven by secure coding standards
  5. There are different ways to categorize the most common vulnerabilities, OWASP is famous for the T10 we also have WASC and SANS-25 most common software security errors. It is possible to map these. The vulnerabilities that are exploited by BLA include broken authentication and session management, misconfiguration also failutre to restrict URL access WAASC insufficient authorization. A new one that does not map is insuffcient anti-automation. On the right end side you have improper authorization that is one of the main consequences that is security control bypass All these vulnerabilities inn one way or another can be used for exploit business logic and business logic attacks
  6. Authorization issues stem for lack of enforcement of role base access controls such as enforcement of the policy rules sometimes handled as configuration at the application server to restrict access to resources such as web pages and transactions. Lack of this enforcement allow attackers to elevate privileges. Forceful browsign is probably the easer way to perform BLA attacks Other casses include manipulation of URL paramters such us unique ID that are used for query transactions and incurrectly also to enforce permissions. The main root causes are: RBAC logic is not enforced server side bur rely on parapemeters RBAC does nto cover at granular level all users and trasnactions that the users can perform and resources that can access. This might be du to problem in design and integration of business logic at the application layer
  7. Flaws on the workflows for password resets and userID reminders, lack of locking for failed attempts, weak check for origination identification Risk Based Authentication (RBA) is not configured to challenge users for all high risk transactions (e.g. password reset is not challenged with extra authentication) MFA failing insecurely when primary MFA fails since is not backed up by secondary MFA (e.g. KBA fails)
  8. Configuration management process lacks validation that rules for business policy are properly configured in the application to enforce authorization and authentication Flaws on the workflows for password resets and userID reminders, lack of locking for failed attempts, weak check for origination identification Risk Based Authentication (RBA) is not configured to challenge users for all high risk transactions (e.g. password reset is not challenged with extra authentication) MFA failing insecurely when primary MFA fails since is not backed up by secondary MFA (e.g. KBA fails)
  9. Most of business logic attacks are carried out by malware and automation scripts. These scripts are tailor made to attack the application transactions such as for example can target forms where the user is asked to enter validate his credit card#, CVV, security work, Pin the script run by the attacker has gained such data from black market but to know if is valid it will use the application to validate expecially PINs. In the case of bank trojans a typical attacks is the one to alter the flow of high risk transactions such as wire transfers to request the victim to enter data in a extra form. Also this attacks change the buttons being clicked by the application UI to perform un-authorized transactions. Other attacks include overloading processes for denial of servce such as sending a lot of registrations for online credentials/accounts or by locking accounts to cause flooding of request to call centers and deny service the regular users
  10. Workflow requires validation at UI-A to move to UI-B and then validate again to UI-C but attacker can move from UA-A to UI-B directly. This might allow for example to order the shipping of an item without checking if has been purchased Some times the sequence of events of a transaction can eb altered such as by calling back end logic such as messages out of sequence. This might allow to bypass validations if these messages can be executed without a previous validation or because the session is not properly maintained across tiers
  11. It is important to have security requirements and a process for mitigating BLA. For a start, it is important to document the business logic of the application this can be done through business requirements supported by transaction flows. Document who can do each trasnaction and the privileges that are given to each resource. Using secure architecture to identify flaws in the application architecture that can be used for bypass controls and access control policy are crititcal. Threat modeling techniques ito identify flaws in the business logic nclude data flow analysis and use and misuse cases Even if an application is designed securely that does not mean that implementation and configuration issues can still lead to business logic flaws and vulnerabilities. Devise a suite of tests for BLA attacks is very important as well as to test for common vulnerabilities that can be exploited for BLA. These need to be tested as aprt of manual penetration tests of the application As for any vulnerability being identfied it is important to rank the severity or risk posed by the vulnerability and therefore it is possible to apply the appropriate risk mitigation
  12. From secure architecture perspective we need to ask where the application business logic resides not all business logic resides on the logic tioer. Web 2.0 are more exposed to application attacks since allow to incorporate business logic on the client, this should be avoided, for example not to allow transaction logic built into The JS on the client. Also integration of third party applications might expose to business logic attacks on the client when the client talks directly with APIs served by third party (see Google Map API) or when authenticated pages frame third party services
  13. From threat analysis perspective it is important to analyze threats to the business logic of the application from the perspective of the application architecture This view allow to visualize the end to end architecture and the threats affecting the different assets and data flow elements. In particular BLA are possible because of threats to the communication tiers sich as by spoofing the communication channel or by tampering parameters. Since the application server is where the BL resides it is target for elevation of privileges Enforce Role Base Access Controls Ensure that RBAC is enforced on the server side to enforce which user has access to which web page Do not use security by obscurity No HIDDEN parameters to enforce which web pages are accessible Enforce white list filtering to which web pages should be accessible Only allow file types that you intend to serve, block any attempts to access log files, xml files, etc.
  14. Definition : Defining use and abuse cases is the foundation of the security requirement phase in which security requirements are developed. Abuse cases are instrumental to elicit requirements for security controls and for testing these controls.
  15. Shopping cart allow user to browse catalogues as un-authorized per-authenticated user role or vistor and add items ina shopping cart. When it is decided to purchase an item tor checking our from shopping cart the user is required to log on and enter a valid credit card number as well as shipping address. A cart like this can be attaked in due main stages. One is when the items are added for checkout since the price can be altered before the items is pusrchaes. The second is to attack the purchase of the item when the shipping data is already entered and eventially is possible to bypass he checkout credit card step. This might occu by forceful browsing or by exploiting flaws such as lack of flags validation that can be tampered in transit by the attacker.
  16. HIDDEN Parameter Manipulation Exploit http://www.coolcart.com/jewelrystore.html Look for HIDDEN values that contain business sensitive information (e.g. price) in the web page The price charged for the “Two Stone Feather Ring” is now 99 cents
  17. This example shows how ACM is enforced for the EASPI http://www.owasp.org/index.php/ESAPI_Access_Control. This policy should be taken as reference to test business logic attacks such as for elevation of privileges or escalation of privileges. It is important to keep this policy under strict change management cotnrol
  18. A suite of tests for BLA is probably the best bang for the back you can have against BLA. These tests can be derived from use and misue cases where usually the happy and unhappy paths are documented. In particular the focus of these tests is to test critical bypass of authentication and authorization controls, parameter and check validations as well as session managekent tests and anit-automation tests
  19. Once business logic vulnerabilities are identified, either as design flaws during threat modeling or during security tests or manual penetration tests it is important that these are assigned a risk value. The assigned of a risk value to a vulnerability can be done using risk factors. The one shown hereina re the ones used by OWASP risk methodology that include factors for how the attack vector can be exploited, how the vulnerability or flaws is prevalent, how easy to detect and what the technical impact is. An exploit is more risk when is easy to exploit and common as exploit vs, is diffcult to exploit and is rare as vulnerability.A vulnerabiity that is easy to detect is also less risky vulnerabiloity that is not easy to detect. The overall impavt can be SEVERE to MODERTE This ratings put here ar the everage of the previously dealt vulnerabilities such as OWASP A3, A4, A8
  20. Finally by ranking the vulnerabilities it is possible to determine the mitigation strategy. In general BLAs need a defense in depth approach that includes deterrent controls 9reduce the likelihood of the attack) preventive (reduce the impact) detective (detect the attack) and compensating (can reduce risk in presence of gaps/exploits in other controls)