CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (3.0)  
ID

CWE CATEGORY: Business Logic Errors

Category ID: 840
Status: Incomplete
+ Summary
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
+ Notes

Research Gap

The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles.

Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.

+ References
[REF-795] Jeremiah Grossman. "Business Logic Flaws and Yahoo Games". 2006-12-08. <http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html>.
[REF-796] Jeremiah Grossman. "Seven Business Logic Flaws That Put Your Website At Risk". 2007-10. <http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf>.
[REF-797] WhiteHat Security. "Business Logic Flaws". <http://www.whitehatsec.com/home/solutions/BL_auction.html>.
[REF-799] Rafal Los and Prajakta Jagdale. "Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic". 2011. <http://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation>.
[REF-667] Rafal Los. "Real-Life Example of a 'Business Logic Defect' (Screen Shots!)". 2011. <http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581>.
[REF-801] Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel and Giovanni Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications". USENIX Security Symposium 2010. 2010-08. <http://www.usenix.org/events/sec10/tech/full_papers/Felmetsger.pdf>.
[REF-802] Faisal Nabi. "Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems". pages 29 - 41. International Journal of Network Security, Vol.12, No.1. 2011. <http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2011-03-24CWE Content TeamMITRE
Modifications
Modification DateModifierOrganizationSource
2017-01-19CWE Content TeamMITRE
updated Relationships
2017-11-08CWE Content TeamMITRE
updated Description, Observed_Examples, References, Taxonomy_Mappings

More information is available — Please select a different filter.
Page Last Updated: November 15, 2017