How to detect business logic vulnerabilities?
In the day and age of the internet where more than half the world population is online, it has become indispensable for businesses to go online too.
As businesses are increasingly going online, they face a number of different threats and vulnerabilities. Business logic vulnerability is one such major vulnerability that causes severe damage to business reputation and heavy financial losses. Before we get into the detection of business logic vulnerabilities, let us understand more about it.
Understanding business logic vulnerabilities
What we, as users, see and interact with in a piece of software, a website or a computer program is the user interface (UI). At the other end sit the database and the back-end software systems. Business logic creates the workflows that connect these two parts and pass information between them.
It is the set of code, commands and algorithms, based on company rules and operating on business objects, that makes a program, piece of software or website work for its users and customers. That is, when a user clicks on something, the program has to provide an appropriate response and carry out the necessary actions, and business logic is what decides which response and which actions.
At times, overlapping or conflicting rules are put into the program, which creates gaps or errors in the business logic. These gaps, errors and overlaps are what create business logic vulnerabilities. One reason this happens is that business decision-makers are not able to fully grasp the implications their decisions have for the program or application.
Hackers and attackers look for and exploit these circumstantial security weaknesses in the application. Such attacks are often stealthy and do not arrive as malformed requests; they use legitimate values and the individual actions may not even be against the rules. As a result, the business does not notice them until heavy monetary loss or theft is already happening.
Take the example of an online auction house. Suppose the auction takes place in a timed manner, an auction sniper could use Business Logic Bots (BLBs) to monitor the bids of all other bidders, placing the winning bid at the last possible moment and giving no time for others to outbid him/her.
Another example using the same online auction house: the attacker knows that three wrong login attempts lead to an account being suspended for the duration of a timed auction. So the attacker enters a wrong password three times against each of the other bidders' IDs, locking all their accounts, and then places the winning bid.
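As an added illustration (not code from the original article), the following Python compares the lockout policy from the auction example with a hardened variant and adds a detection check that flags one source driving several distinct accounts to lockout. The log events and the IP addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (seconds, source_ip, account);
# the first source works through three bidders' accounts with three wrong
# passwords each, exactly the pattern the article describes.
FAILED_LOGINS = [
    (0, "203.0.113.5", "bidder_a"), (1, "203.0.113.5", "bidder_a"),
    (2, "203.0.113.5", "bidder_a"), (3, "203.0.113.5", "bidder_b"),
    (4, "203.0.113.5", "bidder_b"), (5, "203.0.113.5", "bidder_b"),
    (6, "203.0.113.5", "bidder_c"), (7, "203.0.113.5", "bidder_c"),
    (8, "203.0.113.5", "bidder_c"),
    (60, "198.51.100.9", "bidder_d"),  # a real user mistyping once
]
LOCKOUT_THRESHOLD = 3


def failures_by_source_and_account(events):
    """Count wrong-password attempts for every (source, account) pair."""
    counts = defaultdict(int)
    for _ts, source, account in events:
        counts[(source, account)] += 1
    return counts


def locked_accounts_naive(events, threshold=LOCKOUT_THRESHOLD):
    """Weak policy from the article: lock an account after `threshold`
    failures regardless of who sent them, so anyone who knows a user ID
    can lock that user out."""
    per_account = defaultdict(int)
    for _ts, _source, account in events:
        per_account[account] += 1
    return {acct for acct, n in per_account.items() if n >= threshold}


def blocked_pairs_hardened(events, threshold=LOCKOUT_THRESHOLD):
    """Hardened policy: throttle only the (source, account) pair that keeps
    failing, so the legitimate owner can still log in from their own device."""
    counts = failures_by_source_and_account(events)
    return {pair for pair, n in counts.items() if n >= threshold}


def flag_lockout_abuse(events, threshold=LOCKOUT_THRESHOLD, min_accounts=2):
    """Detection: a single source pushing `min_accounts` or more distinct
    accounts to the threshold is bot behaviour, not a forgotten password."""
    counts = failures_by_source_and_account(events)
    hit = defaultdict(set)
    for (source, account), n in counts.items():
        if n >= threshold:
            hit[source].add(account)
    return {s: sorted(a) for s, a in hit.items() if len(a) >= min_accounts}
```

Under the naive policy all three targeted bidders end up locked, while the hardened policy only blocks the offending source and the detection function names that source for follow-up.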
Detecting Business Logic Vulnerabilities
There are three areas of an application that need to be assessed regularly to find business logic flaws:
- Money-related application logic that handles monetary transactions, shipping fees, discounts, refunds, etc.
- Time-related application logic that handles user sessions, timeouts, etc.
- Process-related application logic that drives a business' internal applications used for human resources management, procurement, warehousing, etc.
These business logic flaws and vulnerabilities cannot be detected by generic security solutions or automated application/web security scanners, because they are specific to the business logic of one particular program or application.
When complex rules or business ideas overlap, the resulting gaps become very hard to detect and mitigate with generic solutions, and today's sophisticated cyber criminals can find ways to stay unnoticed by an automated scanner.
As discussed earlier, they use legitimate values to launch attacks or break into the system by exploiting contradictions in the business logic. So what is the solution? How do we detect business logic vulnerabilities?
Through human expertise!
Businesses must identify the flaws before the hackers do. This is possible only through human expertise and an understanding of the business. A managed security scanning service is best suited to detecting such vulnerabilities.
In a managed security service, automated scanners and other tooling are integrated with the application to identify the top OWASP threats, anomalous activity and attack signals, while security experts analyse your business functions and their impact on the applications.
The security experts and analysts have to think unconventionally to find business logic flaws. Applying that creativity, they carry out penetration testing of the client's web application or program. Once the business logic vulnerabilities are identified, appropriate protection and mitigation processes are put in place.
In conclusion, the key to detecting business logic vulnerabilities is human expertise, intuition and understanding of the business.