Summary
Testing for business logic flaws in a multi-functional dynamic web application requires thinking in unconventional methods. If an application’s authentication mechanism is developed with
the intention of performing steps 1, 2, 3 in that specific order to authenticate a user. What happens if the user goes from step 1 straight to step 3? In this simplistic example, does the applica- tion provide access by failing open; deny access, or just error out with a 500 message?
There are many examples that can be made, but the one con- stant lesson is “think outside of conventional wisdom”. This type of vulnerability cannot be detected by a vulnerability scanner and relies upon the skills and creativity of the penetration tester. In addition, this type of vulnerability is usually one of the hard- est to detect, and usually application specific but, at the same time, usually one of the most detrimental to the application, if exploited.
The classification of business logic flaws has been under-stud- ied; although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability research- ers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are vari- ations of well-known principles.
Testing of business logic flaws is similar to the test types used by functional testers that focus on logical or finite state testing. These types of tests require that security professionals think a bit differently, develop abused and misuse cases and use many of the testing techniques embraced by functional testers. Auto- mation of business logic abuse cases is not possible and remains a manual art relying on the skills of the tester and their knowl- edge of the complete business process and its rules.
Business Limits and Restrictions
Consider the rules for the business function being provided by the application. Are there any limits or restrictions on people’s behavior? Then consider whether the application enforces those rules. It’s generally pretty easy to identify the test and analysis cases to verify the application if you’re familiar with the busi- ness. If you are a third-party tester, then you’re going to have to use your common sense and ask the business if different opera- tions should be allowed by the application.
Sometimes, in very complex applications, the tester will not have a full understanding of every aspect of the application initially. In these situations, it is best to have the client walk the tester through the application, so that they may gain a better under- standing of the limits and intended functionality of the applica- tion, before the actual test begins. Additionally, having a direct line to the developers (if possible) during testing will help out greatly, if any questions arise regarding the application’s func- tionality.
Description of the Issue
Automated tools find it hard to understand context, hence it’s up to a person to perform these kinds of tests. The following two examples will illustrate how understanding the functionality of the application, the developer’s intentions, and some creative “out-of-the-box” thinking can break the application’s logic. The first example starts with a simplistic parameter manipulation, whereas the second is a real world example of a multi-step pro- cess leading to completely subvert the application.
path=/; domain=example.com; httponly Location: private/
X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Length: 0
Keep-Alive: timeout=1, max=100 Connection: Keep-Alive Content-Type: text/html --- http://example.com/private GET /private HTTP/1.1 Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xm- l;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
Referer: https://secure.example.com/login Cookie: JSESSIONID=BD99F321233AF69593ED- F52B123B5BDA; Connection: keep-alive HTTP/1.1 200 OK Cache-Control: no-store Pragma: no-cache Expires: 0 Content-Type: text/html;charset=UTF-8 Content-Length: 730
Date: Tue, 25 Dec 2013 00:00:00 GMT
Example 1:
Suppose an e-commerce site allows users to select items to pur- chase, view a summary page and then tender the sale. What if an attacker was able to go back to the summary page, maintaining their same valid session and inject a lower cost for an item and complete the transaction, and then check out?
Example 2:
Holding/locking resources and keeping others from purchases these items online may result in attackers purchasing items at a lower price. The countermeasure to this problem is to implement timeouts and mechanisms to ensure that only the correct price can be charged.
Example 3:
What if a user was able to start a transaction linked to their club/ loyalty account and then after points have been added to their account cancel out of the transaction? Will the points/credits still be applied to their account?
Business Logic Test Cases
Every application has a different business process, application specific logic and can be manipulated in an infinite number of combinations. This section provides some common examples of business logic issues but in no way a complete list of all issues.
Business Logic exploits can be broken into the following cate- gories:
4.12.1 Test business logic data validation (OTG-BUSLOGIC-001)
In business logic data validation testing, we verify that the ap- plication does not allow users to insert “unvalidated” data into the system/application. This is important because without this safeguard attackers may be able to insert “unvalidated” data/in- formation into the application/system at “handoff points” where the application/system believes that the data/information is “good” and has been valid since the “entry points” performed data validation as part of the business logic workflow.
4.12.2 Test Ability to forge requests (OTG-BUSLOGIC-002)
In forged and predictive parameter request testing, we verify that the application does not allow users to submit or alter data to any component of the system that they should not have access to, are accessing at that particular time or in that particular man- ner. This is important because without this safeguard attackers may be able to “fool/trick” the application into letting them into sections of thwe application of system that they should not be allowed in at that particular time, thus circumventing the appli- cations business logic workflow.
4.12.3 Test Integrity Checks (OTG-BUSLOGIC-003)
In integrity check and tamper evidence testing, we verify that the application does not allow users to destroy the integrity of any part of the system or its data. This is important because without these safe guards attackers may break the business logic work- flow and change of compromise the application/system data or cover up actions by altering information including log files.
4.12.4 Test for Process Timing (OTG-BUSLOGIC-004)
In process timing testing, we verify that the application does not allow users to manipulate a system or guess its behavior based
on input or output timing. This is important because without this safeguard in place attackers may be able to monitor processing time and determine outputs based on timing, or circumvent the application’s business logic by not completing transactions or actions in a timely manner.
4.12.5 Test Number of Times a Function Can be Used Limits
(OTG-BUSLOGIC-005)
In function limit testing, we verify that the application does not allow users to exercise portions of the application or its func- tions more times than required by the business logic workflow. This is important because without this safeguard in place attack- ers may be able to use a function or portion of the application more times than permissible per the business logic to gain ad- ditional benefits.
4.12.6 Testing for the Circumvention of Work Flows (OTG-BUS-
LOGIC-006)
In circumventing workflow and bypassing correct sequence testing, we verify that the application does not allow users to perform actions outside of the “approved/required” business process flow. This is important because without this safeguard in place attackers may be able to bypass or circumvent work- flows and “checks” allowing them to prematurely enter or skip “required” sections of the application potentially allowing the action/transaction to be completed without successfully com- pleting the entire business process, leaving the system with in- complete backend tracking information.
4.12.7 Test Defenses Against Application Mis-use (OTG-BUS-
LOGIC-007)
In application mis-use testing, we verify that the application does not allow users to manipulate the application in an unin- tended manner.
4.12.8 Test Upload of Unexpected File Types (OTG-BUSLOG-
IC-008)
In unexpected file upload testing, we verify that the application does not allow users to upload file types that the system is not expecting or wanted per the business logic requirements. This is important because without these safeguards in place attackers may be able to submit unexpected files such as .exe or .php that could be saved to the system and then executed against the ap- plication or system.
4.12.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009)
In malicious file upload testing, we verify that the application does not allow users to upload files to the system that are ma- licious or potentially malicious to the system security. This is important because without these safeguards in place attackers may be able to upload files to the system that may spread virus- es, malware or even exploits such as shellcode when executed.
Tools
While there are tools for testing and verifying that business pro- cesses are functioning correctly in valid situations these tools are incapable of detecting logical vulnerabilities. For example, tools have no means of detecting if a user is able to circumvent the business process flow through editing parameters, predict- ing resource names or escalating privileges to access restricted resources nor do they have any mechanism to help the human
testers to suspect this state of affairs.
The following are some common tool types that can be useful in identifying business logic issues.
HP Business Process Testing Software
• http://www8.hp.com/us/en/software-solutions/software.ht-
ml?compURI=1174789#.UObjK3ca7aE
Intercepting Proxy - To observe the request and response blocks of HTTP traffic.
• Webscarab - https://www.owasp.org/index.php/Catego-
ry:OWASP_WebScarab_Project
• Burp Proxy - http://portswigger.net/burp/proxy.html
• Paros Proxy - http://www.parosproxy.org/
Web Browser Plug-ins - To view and modify HTTP/HTTPS headers, post parameters and observe the DOM of the Browser
• Tamper Data (for Internet Explorer) - https://addons.mozilla.
org/en-us/firefox/addon/tamper-data/
• TamperIE (for Internet Explorer) - http://www.bayden.com/
tamperie/
• Firebug (for Internet Explorer) - https://addons.mozilla.org/en- us/firefox/addon/firebug/ and http://getfirebug.com/
Miscellaneous Test Tools
• Web Developer toolbar - https://chrome.google.com/web-
store/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
• HTTP Request Maker - https://chrome.google.com/webstore/
detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
• Cookie Editor - https://chrome.google.com/webstore/detail/
fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
• Session Manager - https://chrome.google.com/webstore/de-
tail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multi- ple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its cre- ation time, i.e. the opened tabs and windows. Once a session is opened, the browser is restored to its state.
• Cookie Swap - https://chrome.google.com/webstore/detail/
dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
Swap My Cookies is a session manager, it manages your cookies, letting you login on any website with several different accounts. You can finally login into Gmail, yahoo, hotmail, and just any web-
site you use, with all your accounts; if you want to use another account just swap profile!
• HTTP Response Browser - https://chrome.google.com/web-
store/detail/mgekankhbggjkjpcbhacjgflbacnpljm?hl=en-US Make HTTP requests from your browser and browse the re- sponse (HTTP headers and source). Send HTTP method, headers and body using XMLHttpRequest from your browser then view the HTTP status, headers and source. Click links in the headers or body to issue new requests. This plug-in formats XML responses and uses Syntax Highlighter < http://alexgorbatchev.com/ >.
• Firebug lite for Chrome - https://chrome.google.com/web-
store/detail/bmagokdooijbeehmkpknfglimnifench
Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Fire- bug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elements with your mouse, and live editing CSS properties.
References Whitepapers
• Business Logic Vulnerabilities in Web Applications - http://www.google.com/url?sa=t&rct=j&q=BusinessLog- icVulnerabilities.pdf&source=web&cd=1&cad=rja&ved=0C- DIQFjAA&url=http%3A%2F%2Faccorute.googlecode. com%2Ffiles%2FBusinessLogicVulnerabilities.pdf&ei=2X- j9UJO5LYaB0QHakwE&usg=AFQjCNGlAcjK2uz2U87bT- jTHjJ-T0T3THg&bvm=bv.41248874,d.dmg
• The Common Misuse Scoring System (CMSS): Metrics for Soft-
ware Feature Misuse Vulnerabilities - NISTIR 7864 - http://csrc.
nist.gov/publications/nistir/ir7864/nistir-7864.pdf
• Designing a Framework Method for Secure Business Appli-
cation Logic Integrity in e-Commerce Systems, Faisal Nabi - http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12- n1-p29-41.pdf
• Finite State testing of Graphical User Interfaces, Fevzi Belli - http://www.slideshare.net/Softwarecentral/finitestate-test- ing-of-graphical-user-interfaces
• Principles and Methods of Testing Finite State Machines - A
Survey, David Lee, Mihalis Yannakakis - http://www.cse.ohio-
state.edu/~lee/english/pdf/ieee-proceeding-survey.pdf
• Security Issues in Online Games, Jianxin Jeff Yan and Hyun-Jin
Choi - http://homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf
• Securing Virtual Worlds Against Real Attack, Dr. Igor Muttik,
McAfee - https://www.info-point-security.com/open_down-
loads/2008/McAfee_wp_online_gaming_0808.pdf
• Seven Business Logic Flaws That Put Your Website At Risk
– Jeremiah Grossman Founder and CTO, WhiteHat Security - https://www.whitehatsec.com/resource/whitepapers/busi-
ness_logic_flaws.html
• Toward Automated Detection of Logic Vulnerabilities in Web
Applications - Viktoria Felmetsger Ludovico Cavedon Christo-
pher Kruegel Giovanni Vigna - https://www.usenix.org/legacy/
event/sec10/tech/full_papers/Felmetsger.pdf
• 2012 Web Session Intelligence & Security Report: Business
Logic Abuse, Dr. Ponemon - http://www.emc.com/collateral/
rsa/silvertail/rsa-silver-tail-ponemon-ar.pdf
• 2012 Web Session Intelligence & Security Report: Business
Logic Abuse (UK) Edition, Dr. Ponemon - http://buzz.silvertail-
systems.com/Ponemon_UK.htm
OWASP Related
• Business Logic Attacks – Bots and Bats, Eldad Chai - http://
www.imperva.com/resources/adc/pdfs/AppSecEU09_Busi- nessLogicAttacks_EldadChai.pdf
• OWASP Detail Misuse Cases - https://www.owasp.org/index.
php/Detail_misuse_cases
• How to Prevent Business Flaws Vulnerabilities in Web Applica-
tions, Marco Morana - http://www.slideshare.net/marco_mora- na/issa-louisville-2010morana
Useful Web Sites
• Abuse of Functionality - http://projects.webappsec.org/w/
page/13246913/Abuse-of-Functionality
• Business logic - http://en.wikipedia.org/wiki/Business_logic
• Business Logic Flaws and Yahoo Games - http://jeremiah-
grossman.blogspot.com/2006/12/business-logic-flaws.html
• CWE-840: Business Logic Errors - http://cwe.mitre.org/data/
definitions/840.html
• Defying Logic: Theory, Design, and Implementation of Complex
Systems for Testing Application Logic -
http://www.slideshare.net/RafalLos/defying-logic-busi- ness-logic-testing-with-automation
• Prevent application logic attacks with sound app se-
curity practices - http://searchappsecurity.techtarget.
com/qna /0,289202,sid92_gci1213424,00.html?buck- et=NEWS&topic=302570
• Real-Life Example of a ‘Business Logic Defect - http://h30501.
www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life- Example-of-a-Business-Logic-Defect-Screen-Shots/ba- p/22581
• Software Testing Lifecycle - http://softwaretestingfundamen-
tals.com/software-testing-life-cycle/
• Top 10 Business Logic Attack Vectors Attacking and Exploiting
Business Application Assets and Flaws – Vulnerability Detection to Fix -
http://www.ntobjectives.com/go/business-logic-attack-vec- tors-white-paper/ and http://www.ntobjectives.com/files/
Business_Logic_White_Paper.pdf
Books
• The Decision Model: A Business Logic Framework Linking Busi-
ness and Technology, By Barbara Von Halle, Larry Goldberg, Pub- lished by CRC Press, ISBN1420082817 (2010)
Test business logic data validation
(OTG-BUSLOGIC-001)
Summary
The application must ensure that only logically valid data can be entered at the front end as well as directly to the server side of an application of system. Only verifying data locally may leave applications vulnerable to server injections through proxies or at handoffs with other systems. This is different from simply per- forming Boundary Value Analysis (BVA) in that it is more difficult and in most cases cannot be simply verified at the entry point, but usually requires checking some other system.
For example: An application may ask for your Social Security Number. In BVA the application should check formats and se- mantics (is the value 9 digits long, not negative and not all 0’s) for the data entered, but there are logic considerations also. SSNs are grouped and categorized. Is this person on a death file? Are they from a certain part of the country?
Vulnerabilities related to business data validation is unique in that they are application specific and different from the vulner- abilities related to forging requests in that they are more con- cerned about logical data as opposed to simply breaking the business logic workflow.
The front end and the back end of the application should be ver- ifying and validating that the data it has, is using and is passing along is logically valid. Even if the user provides valid data to an application the business logic may make the application behave differently depending on data or circumstances.
Examples Example 1
Suppose you manage a multi-tiered e-commerce site that allows users to order carpet. The user selects their carpet, enters the size, makes the payment, and the front end application has ver- ified that all entered information is correct and valid for contact information, size, make and color of the carpet. But, the business logic in the background has two paths, if the carpet is in stock it is directly shipped from your warehouse, but if it is out of stock in your warehouse a call is made to a partner’s system and if they have it in-stock they will ship the order from their warehouse and reimbursed by them. What happens if an attacker is able to continue a valid in-stock transaction and send it as out-of-stock