Logic Vulnerabilities

Overview

Business logic vulnerabilities, also known as logic flaws or application logic vulnerabilities, are flaws in the design or implementation of an application's intended workflow, as opposed to flaws such as memory corruption or injection. An attacker who finds one can trigger behaviour the developers never anticipated, typically by using legitimate features in an unintended order or with unintended values, and thereby manipulate the functionality of the application.

Example

Because the term covers such a wide variety of cases, it is difficult to define precisely. Almost every application contains some logic flaw, a function that breaks under circumstances its developers did not consider. One of the simplest examples is the following:

An application exposes a function that finalises a purchase, and that function only checks whether the product can be bought, not whether the intended purchase workflow (including payment) was actually completed. An attacker who calls the function directly, skipping the earlier steps, obtains the product without paying for it.
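The workflow bypass described above, as an added example that is not part of the original page: a three-step checkout (create, pay, complete) in which the flawed final step only checks that the product is purchasable, next to a hardened version that enforces the workflow through a server-side state machine. All names, the in-memory catalogue and the order store are hypothetical and constructed for this illustration.

```python
"""Added example (not from the original page): a checkout flow whose final
step can be reached without paying, and a hardened version that enforces the
intended workflow server-side. Names, catalogue and order store are
hypothetical; a real application would use a database and a payment provider."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class OrderState(Enum):
    CREATED = "created"
    PAID = "paid"
    COMPLETED = "completed"


@dataclass
class Order:
    order_id: int
    product: str
    price: Decimal
    state: OrderState = OrderState.CREATED
    amount_paid: Decimal = Decimal("0")


# Hypothetical catalogue and order store (constructed for this example).
CATALOGUE = {"laptop": Decimal("999.00"), "mouse": Decimal("19.99")}
ORDERS: dict[int, Order] = {}


def create_order(order_id: int, product: str) -> Order:
    """Step 1 of the intended workflow: choose a product."""
    if product not in CATALOGUE:
        raise ValueError("unknown product")
    order = Order(order_id, product, CATALOGUE[product])
    ORDERS[order_id] = order
    return order


def pay_order(order_id: int, amount: Decimal) -> Order:
    """Step 2: record a payment (in reality the payment provider's callback).
    Only an order that is still awaiting payment may be paid, and the amount
    must match the server-side price."""
    order = ORDERS[order_id]
    if order.state is not OrderState.CREATED:
        raise PermissionError("order is not awaiting payment")
    if amount != order.price:
        raise ValueError("amount does not match price")
    order.amount_paid = amount
    order.state = OrderState.PAID
    return order


def complete_order_vulnerable(order_id: int) -> str:
    """Step 3, flawed: checks only that the product can be bought, never that
    the order went through payment. Calling this right after create_order
    ships the product for free."""
    order = ORDERS[order_id]
    if order.product not in CATALOGUE:
        raise ValueError("product cannot be bought")
    order.state = OrderState.COMPLETED
    return f"shipped {order.product} (paid {order.amount_paid})"


def complete_order_hardened(order_id: int) -> str:
    """Step 3, fixed: the server-side state machine is the source of truth.
    The order must be in the PAID state and the recorded payment must cover
    the server-side price; neither value comes from the client."""
    order = ORDERS[order_id]
    if order.state is not OrderState.PAID:
        raise PermissionError("order has not been paid")
    if order.amount_paid < order.price:
        raise PermissionError("payment does not cover the price")
    order.state = OrderState.COMPLETED
    return f"shipped {order.product} (paid {order.amount_paid})"


if __name__ == "__main__":
    create_order(1, "laptop")
    print(complete_order_vulnerable(1))  # ships although nothing was paid
    create_order(2, "laptop")
    try:
        complete_order_hardened(2)
    except PermissionError as exc:
        print("blocked:", exc)
    pay_order(2, Decimal("999.00"))
    print(complete_order_hardened(2))
```

The important design choice is that every step validates the state the previous step left behind, and that state lives on the server. Checks against a client-supplied "paid" flag or a hidden form field would not help, because the attacker controls those just as easily as the order of requests.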

Preventing logic flaws

This is necessarily a vague list of principles for preventing logic flaws. In general, the best defence is developer education: a developer should understand the code as well as possible, should know the domain the application operates in, and should judge whether testing its edge cases is feasible. With this in mind, here is a list: