CWE - CWE-840: Business Logic Errors (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-840: Business Logic Errors

Business Logic Errors

Category ID: 840 (Category)

Status: Incomplete

Description

Description Summary

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application.

Extended Description

Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Observed Examples

Reference	Description
CVE-2010-4624	Bulletin board applies restrictions on number of images during post creation, but does not enforce this on editing.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	438	Behavioral Problems	Development Concepts (primary)699
ParentOf	Weakness Class	200	Information Exposure	Development Concepts699
ParentOf	Weakness Class	282	Improper Ownership Management	Development Concepts699
ParentOf	Weakness Class	285	Improper Authorization	Development Concepts699
ParentOf	Weakness Base	288	Authentication Bypass Using an Alternate Path or Channel	Development Concepts699
ParentOf	Weakness Base	408	Incorrect Behavior Order: Early Amplification	Development Concepts699
ParentOf	Weakness Base	596	Incorrect Semantic Object Comparison	Development Concepts699
ParentOf	Weakness Base	639	Authorization Bypass Through User-Controlled Key	Development Concepts699
ParentOf	Weakness Base	640	Weak Password Recovery Mechanism for Forgotten Password	Development Concepts699
ParentOf	Weakness Base	666	Operation on Resource in Wrong Phase of Lifetime	Development Concepts (primary)699
ParentOf	Weakness Class	696	Incorrect Behavior Order	Development Concepts (primary)699
ParentOf	Weakness Class	732	Incorrect Permission Assignment for Critical Resource	Development Concepts699
ParentOf	Weakness Class	754	Improper Check for Unusual or Exceptional Conditions	Development Concepts699
ParentOf	Weakness Base	770	Allocation of Resources Without Limits or Throttling	Development Concepts699
ParentOf	Weakness Class	799	Improper Control of Interaction Frequency	Development Concepts699
ParentOf	Weakness Base	841	Improper Enforcement of Behavioral Workflow	Development Concepts (primary)699

Research Gaps

The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles.

Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
WASC	42		Abuse of Functionality

References

Jeremiah Grossman. "Business Logic Flaws and Yahoo Games". 2006-12-08. October 2007. <http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html>.

Jeremiah Grossman. "Seven Business Logic Flaws That Put Your Website At Risk". October 2007. <http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf>.

WhiteHat Security. "Business Logic Flaws". <http://www.whitehatsec.com/home/solutions/BL_auction.html>.

WASC. "Abuse of Functionality". <http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality>.

Rafal Los and Prajakta Jagdale. "Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic". 2011. <http://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation>.

Rafal Los. "Real-Life Example of a 'Business Logic Defect' (Screen Shots!)". 2011. <http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581>.

Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel and Giovanni Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications". USENIX Security Symposium 2010. August 2010. <http://www.usenix.org/events/sec10/tech/full_papers/Felmetsger.pdf>.

Faisal Nabi. "Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems". pages 29 - 41. International Journal of Network Security, Vol.12, No.1. 2011. <http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
2011-03-24		MITRE	Internal CWE Team
2011-03-24

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us