zBusiness logic flaws enable an attacker to use legitimate transactions and flows of an application in a way that results in a negative behavior or outcome. Most common business logic problems are different from the typical security vulnerabilities in an application (such as XSS, CSRF, and SQL injection). A challenge with business logic flaws is that they can’t typically be found by using scanners or other similar tools.
The likelihood of business logic flaws being exploited by threat actors depends on many circumstances. However, such exploits can have serious consequences. Data validation and use of a detailed threat model can help prevent and mitigate the effects of business logic flaws. OWASP offers recommendations on how to test and protect against business logic attacks at https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/01-Test_Business_Logic_Data_Validation ↗.
MITRE has assigned Common Weakness Enumeration (CWE) ID 840 (CWE-840) to business logic errors. You can obtain detailed information about CWE-840 at https://cwe.mitre.org/data/definitions/840.html ↗. That website also provides several granular examples of business logic flaws including the following:
- Unverified ownership
- Authentication bypass using an alternate path or channel
- Authorization bypass through user-controlled key
- Weak password recovery mechanism for forgotten password
- Incorrect ownership assignment
- Allocation of resources without limits or throttling
- Premature release of resource during expected lifetime
- Improper enforcement of a single, unique action
- Improper enforcement of a behavioral workflow