CWE List: Individual Dictionary Definition (CWE version 2.8)

CWE-840: Business Logic Errors

Category ID: 840 (Category)
Status: Incomplete
+ Description

Description Summary

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application.

Extended Description

Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

+ Observed Examples
Reference | Description
 | Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.
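The Observed Example above (a limit enforced on creation but not on editing), illustrated with added Python that is not part of the CWE entry; the board classes, the Post shape and the MAX_IMAGES value are constructed for the illustration, and the hardened variant shows the fix of running the same check on every path that changes the post:

```python
# Added illustration (not from the CWE entry): the image limit is enforced on
# post creation but not on editing, beside a fix routing both through one check.
from dataclasses import dataclass, field

MAX_IMAGES = 3  # constructed policy value for the illustration

@dataclass
class Post:
    body: str
    images: list = field(default_factory=list)

class VulnerableBoard:
    """Limit checked only in create_post; edit_post bypasses the rule."""
    def __init__(self):
        self.posts = {}

    def create_post(self, body, images):
        if len(images) > MAX_IMAGES:
            raise ValueError("too many images")
        pid = len(self.posts) + 1
        self.posts[pid] = Post(body, list(images))
        return pid

    def edit_post(self, pid, body, images):
        # No limit check: the business rule silently stops applying here.
        self.posts[pid] = Post(body, list(images))

class HardenedBoard(VulnerableBoard):
    """edit_post now enforces the same limit as create_post."""
    def _validate(self, images):
        if len(images) > MAX_IMAGES:
            raise ValueError("too many images")

    def edit_post(self, pid, body, images):
        self._validate(images)  # same rule as creation, enforced on edit too
        super().edit_post(pid, body, images)

def image_count_after_edit(board_cls, n_images):
    """Create a post with one image, then try to edit it to hold n_images.
    Returns how many images are stored afterwards; a rejected edit leaves 1."""
    board = board_cls()
    pid = board.create_post("hello", ["a.png"])
    try:
        board.edit_post(pid, "hello", [f"img{i}.png" for i in range(n_images)])
    except ValueError:
        pass
    return len(board.posts[pid].images)
```

The same shape applies to any rule checked at one entry point only; the defensive habit is one validation routine invoked by every operation that can produce the restricted state.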
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 438 | Behavioral Problems | Development Concepts (primary) (699)
ParentOf | Weakness Class | 200 | Information Exposure | Development Concepts (699)
ParentOf | Weakness Class | 282 | Improper Ownership Management | Development Concepts (699)
ParentOf | Weakness Class | 285 | Improper Authorization | Development Concepts (699)
ParentOf | Weakness Base | 288 | Authentication Bypass Using an Alternate Path or Channel | Development Concepts (699)
ParentOf | Weakness Base | 408 | Incorrect Behavior Order: Early Amplification | Development Concepts (699)
ParentOf | Weakness Base | 596 | Incorrect Semantic Object Comparison | Development Concepts (699)
ParentOf | Weakness Base | 639 | Authorization Bypass Through User-Controlled Key | Development Concepts (699)
ParentOf | Weakness Base | 640 | Weak Password Recovery Mechanism for Forgotten Password | Development Concepts (699)
ParentOf | Weakness Base | 666 | Operation on Resource in Wrong Phase of Lifetime | Development Concepts (primary) (699)
ParentOf | Weakness Class | 696 | Incorrect Behavior Order | Development Concepts (primary) (699)
ParentOf | Weakness Class | 732 | Incorrect Permission Assignment for Critical Resource | Development Concepts (699)
ParentOf | Weakness Class | 754 | Improper Check for Unusual or Exceptional Conditions | Development Concepts (699)
ParentOf | Weakness Base | 770 | Allocation of Resources Without Limits or Throttling | Development Concepts (699)
ParentOf | Weakness Class | 799 | Improper Control of Interaction Frequency | Development Concepts (699)
ParentOf | Weakness Base | 841 | Improper Enforcement of Behavioral Workflow | Development Concepts (primary) (699)
+ Research Gaps

The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles.

Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
WASC | 42 | | Abuse of Functionality
+ References
Jeremiah Grossman. "Business Logic Flaws and Yahoo Games". 2006-12-08. October 2007. <http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html>.
Jeremiah Grossman. "Seven Business Logic Flaws That Put Your Website At Risk". October 2007. <http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf>.
WhiteHat Security. "Business Logic Flaws". <http://www.whitehatsec.com/home/solutions/BL_auction.html>.
Rafal Los and Prajakta Jagdale. "Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic". 2011. <http://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation>.
Rafal Los. "Real-Life Example of a 'Business Logic Defect' (Screen Shots!)". 2011. <http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581>.
Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel and Giovanni Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications". USENIX Security Symposium 2010. August 2010. <http://www.usenix.org/events/sec10/tech/full_papers/Felmetsger.pdf>.
Faisal Nabi. "Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems". International Journal of Network Security, Vol. 12, No. 1, pp. 29-41. 2011. <http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf>.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
2011-03-24 | MITRE Internal CWE Team | |
Page Last Updated: July 30, 2014