Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application.
Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
The classification of business logic flaws has been under-studied,
although exploitation of business flaws frequently happens in real-world
systems, and many applied vulnerability researchers investigate them. The
greatest focus is in web applications. There is debate within the community
about whether these problems represent particularly new concepts, or if they
are variations of well-known principles.
Many business logic flaws appear to be oriented toward business processes,
application flows, and sequences of behaviors, which are not as
well-represented in CWE as weaknesses related to input validation, memory