NT OBJECTives Identifies Top 10 Business Logic Attack Vectors
Findings to Assist Penetration Testers on How to Attack and Exploit Vulnerabilities as a Part of the Security Review Process
NT OBJECTives, a provider of automated, comprehensive and accurate web application security software, services and SaaS, today released a new white paper, Top 10 Business Logic Attack Vectors to arm penetration testers with specific instructions, real-world examples and code-snippets for testing and exploiting the most common business logic types of vulnerabilities.
“The concept of business logic vulnerabilities is not new, what is new and concerning is that these vulnerabilities are common, dangerous and are too often untested. Security experts need to know that these must be tested manually and must not be overlooked,” says Dan Kuykendall, Co-CEO and CTO of NT OBJECTives. “It is imperative to complement automated testing process with a human discovery of security risks that can be exploited by manipulating the business logic. For this reason, we offer our SaaS customers the option of adding business logic testing to their automated scans. Simply put, humans are better at identifying critical behavioral patterns.”
Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers exploit business logic by using deductive reasoning to trick and ultimately exploit the application.
In a web application, the business logic is the intended behavior and the functionality that governs the core of what the application does. Some high level examples of business logic are customer purchase orders, banking queries, wire transfers or online auctions. Business logic is also defined in more specific rules such as which users are allowed to see what and how much users are charged for various items.
Currently, a high percentage of web application security tests can be automated and are automated by high quality application scanning software products. Business logic, however, will always need to be tested manually because it requires an understanding of the logic of the application. Business logic flaws defy easy categorization and can be more art than science to discover. If undiscovered, they can result in serious compromise of internal and external applications, even in applications with safeguards such as authentication and authorization controls.
For example, in the case of an online store application where customers add items to their shopping cart, the application sends the customers to a secure payment gateway where they submit their order. To complete the order, customers are required to make a credit card payment. In this shopping cart application, business logic errors may make it possible for attackers to bypass the authentication processes to directly log into the shopping cart application and avoid paying for “purchased” items. This type of business logic flaw is among the 10 most common types.
The common most business logic flaws include:
- Authentication flags and privilege escalations
- Critical parameter manipulation and access to unauthorized information/content
- Developer’s cookie tampering and business process/logic bypass
- LDAP parameter identification and critical infrastructure access
- Business constraint exploitation
- Business flow bypass
- Identity or profile extraction
- File or unauthorized URL access & business information extraction
- Denial of Services (DoS) with business logic
The NT OBJECTives research team determined these 10 logic flaws as being most common through years of experience testing applications. In additional to outlining the most common business logic flaws and how to test and exploit them, the paper details how an application security effort can be more effective by augmenting automated vulnerability assessment solutions within depth manual penetration testing techniques.
For more information or to download the complete paper visit http://www.ntobjectives.com/go/business-logic-attack-vectors-white-paper
About NT OBJECTives
NT OBJECTives, Inc has been dedicated to solving the most difficult application security challenges for over 10 years. NTO’s software, SaaS and services solutions are designed to help organizations build the most comprehensive, efficient, accurate web application security program. NTO’s SaaS offering, NTOSpider On-Demand, can be augmented with enhanced services including false positive validation and business logic testing. NT OBJECTIVES is privately held with headquarters in Irvine, CA.