Business Logic Errors
ID: 840 | Date: (C)2012-05-14 (M)2022-10-10 | Type: category | Status: INCOMPLETE
Description
Weaknesses in this category identify some of the underlying
problems that commonly allow attackers to manipulate the business logic of an
application.
Extended Description
Errors in business logic can be devastating to an entire application. They
can be difficult to find automatically, since they typically involve
legitimate use of the application's functionality. However, many business
logic errors can exhibit patterns that are similar to well-understood
implementation and design weaknesses.
Applicable Platforms: None
Common Consequences: None
Detection Methods: None
Potential Mitigations: None
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-840 ChildOf CWE-438 | Category | CWE-699 |
Demonstrative Examples: None
Observed Examples
- CVE-2010-4624 : Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.
For more examples, refer to CVE relations in the bottom box.
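The inconsistent-enforcement pattern from CVE-2010-4624, shown as an added Python example (not code from CWE or from the affected bulletin board software): the two board classes, the image limit of 4 and the helper names are assumptions, and the hardened class routes both write paths through one validator.

```python
# Constructed example of the CVE-2010-4624 pattern: an image limit enforced when a
# post is created but not when it is edited. Classes and the limit are assumptions.
MAX_IMAGES = 4  # assumed per-post limit; the real value is not on the page

class LimitExceeded(ValueError):
    pass

class VulnerableBoard:
    """Hypothetical board that checks the image limit only on the create path."""

    def __init__(self):
        self.posts = {}

    def create_post(self, post_id, body, images):
        if len(images) > MAX_IMAGES:
            raise LimitExceeded(f"max {MAX_IMAGES} images per post")
        self.posts[post_id] = {"body": body, "images": list(images)}

    def edit_post(self, post_id, body, images):
        # Defect: the same invariant is not re-applied on this second write path.
        self.posts[post_id] = {"body": body, "images": list(images)}

class HardenedBoard(VulnerableBoard):
    """Every path that writes post state goes through one shared validator."""

    @staticmethod
    def _checked(images):
        if len(images) > MAX_IMAGES:
            raise LimitExceeded(f"max {MAX_IMAGES} images per post")
        return list(images)

    def create_post(self, post_id, body, images):
        self.posts[post_id] = {"body": body, "images": self._checked(images)}

    def edit_post(self, post_id, body, images):
        self.posts[post_id] = {"body": body, "images": self._checked(images)}

def limit_enforced_on_edit(board_cls):
    """Regression check: True if the edit path rejects an over-limit image list."""
    board = board_cls()
    board.create_post(1, "hello", ["a.png"])
    too_many = [f"{i}.png" for i in range(MAX_IMAGES + 1)]  # constructed input
    try:
        board.edit_post(1, "hello", too_many)
    except LimitExceeded:
        return True
    return len(board.posts[1]["images"]) <= MAX_IMAGES
```

A check like `limit_enforced_on_edit` belongs in the test suite for every state-changing path, since a limit that only one path enforces is exactly the kind of logic flaw automated scanners tend to miss.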
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
WASC | 42 | Abuse of Functionality |