Business Logic Flaws: Why they Matter

Business logic flaws are a special class of vulnerability that is not picked up by traditional scanners. They are typically missed even by the QA process in development, because finding them requires someone who knows what they are looking for. These vulnerabilities are weaknesses in how the application functions: unintended behaviour that exposes it to attack without necessarily being tied to any single component.

It is clearer with an example. Imagine an application that has standard users and keeps data on those users. These users can view their own information in their profile and cannot normally access other users' information. If, however, a user made an API request using a different user ID and was returned that other user's data, that would be a business logic flaw. No single part of the architecture is vulnerable by itself, but when the parts are put together and used in an improper, unexpected manner, they expose the company to serious risk.
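The profile lookup described above, written out as an added example (not code from the original post): the flawed handler that trusts the ID in the request, beside a hardened version that checks ownership and records refused requests. All names (PROFILES, get_profile_flawed, get_profile_checked) and the sample records are hypothetical.

```python
# Added example, not from the original post: the profile lookup described
# above, first as the flawed handler, then hardened with an ownership check.
# All names (PROFILES, get_profile_flawed, get_profile_checked) are hypothetical.
from typing import Dict, List, Optional

# Constructed sample data: user records keyed by user ID.
PROFILES: Dict[int, dict] = {
    101: {"name": "alice", "email": "alice@example.com"},
    102: {"name": "bob", "email": "bob@example.com"},
}


class AccessDenied(Exception):
    """Raised when a caller requests a profile they do not own."""


def get_profile_flawed(session_user_id: int, requested_user_id: int) -> dict:
    """Flawed handler: authentication only. The session proves someone is
    logged in, but the requested ID is never compared to the session's user,
    so any user can read any profile by changing the ID in the request."""
    return PROFILES[requested_user_id]


def get_profile_checked(session_user_id: int, requested_user_id: int,
                        audit_log: Optional[List[str]] = None) -> dict:
    """Hardened handler: the requested ID must match the authenticated user.
    Mismatches are refused and logged; a burst of such denials from one
    session is also the signal a detection team would alert on."""
    if requested_user_id != session_user_id:
        if audit_log is not None:
            audit_log.append(f"authz_denied session_user={session_user_id} "
                             f"requested_user={requested_user_id}")
        raise AccessDenied("profile belongs to another user")
    return PROFILES[requested_user_id]


def demo() -> dict:
    """User 101 asks for user 102's profile through both handlers."""
    log: List[str] = []
    leaked = get_profile_flawed(101, 102)  # returns bob's record
    try:
        get_profile_checked(101, 102, log)
        blocked = False
    except AccessDenied:
        blocked = True
    return {"leaked_name": leaked["name"], "blocked": blocked, "log": log}
```

Note that the flawed handler is not wrong in any one line; the defect is the missing comparison between the session and the requested resource, which is exactly what a scanner looking for a vulnerable component will not see.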

Business logic flaws are particularly dangerous because they often go unnoticed for long periods of time, and when they are exploited the result is typically the loss of sensitive data. Most often they are authentication bypasses, privilege escalation, or data enumeration flaws. If the application handles sensitive data, this can result in a reportable incident, which is costly and damaging to reputation and branding.

It is important to have neutral parties (those not familiar with the application) look for these and really try to find the weaknesses in the application. Most commonly they are found during pen tests or red team exercises, and to a much lesser extent during secure code reviews, as they are easier to find when the application is compiled and running. It is also important to test for them in production, as many features that are not available in QA/Dev/Staging can result in unexpected behavior.

Glassportal aids the discovery of business logic flaws by highlighting areas of high risk and directing attention to them. Our solution shows where a dangerous logic flaw may exist so your tests are especially diligent on that environment. Want to see how it works? Email demo@glassportal.io to find out.
