Business Logic Errors
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
- The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be...
- A product requires authentication, but the product has an alternate path or channel that does not require authentication.
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
- The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly e...
- The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in...
- The software assigns an owner to a resource, but the owner is outside of the intended control sphere.
- The program releases a resource that is still intended to be used by the program itself or another actor.
- The software does not properly verify that a critical resource is owned by the proper entity.
- The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...
- Business Logic Flaws and Yahoo Games
- Seven Business Logic Flaws That Put Your Website At Risk
- Business Logic Flaws
- Abuse of Functionality
- Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic (Rafal Los, Prajakta Jagdale)
- Real-Life Example of a 'Business Logic Defect' (Screen Shots!)
- Toward Automated Detection of Logic Vulnerabilities in Web Applications (USENIX Security Symposium 2010)
- Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems (International Journal of Network Security, Vol. 12, No. 1)
- Case Files from 20 Years of Business Logic Flaws