CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-841: Improper Enforcement of Behavioral Workflow

Weakness ID: 841
Abstraction: Base
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

Extended Description

By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the software or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses.

For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the software might still perform the transfer.

Note that this is different than CWE-696, which focuses on when the software performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence.

Workflow-related behaviors include:

  • Steps are performed in the expected order.

  • Required steps are not omitted.

  • Steps are not interrupted.

  • Steps are performed in a timely fashion.

+ Common Consequences
ScopeEffect
Other

Technical Impact: Alter execution logic

An attacker could cause the software to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.

+ Demonstrative Examples

Example 1

This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully login before performing any other action such as retrieving or listing files.

(Bad Code)
Example Language: Python 
def dispatchCommand(command, user, args):
if command == 'Login':
loginUser(args)
return
# user has requested a file
if command == 'Retrieve_file':
if authenticated(user) and ownsFile(user,args):
sendFile(args)
return
if command == 'List_files':
listFiles(args)
return
...

The server correctly does not send files to a user that isn't logged in and doesnt own the file. However, the server will incorrectly list the files in any directory without confirming the command came from an authenticated user, and that the user is authorized to see the directory's contents.

Here is a fixed version of the above example:

(Good Code)
Example Language: Python 
def dispatchCommand(command, user, args):
...
if command == 'List_files':
if authenticated(user) and ownsDirectory(user,args):
listFiles(args)
return
...
+ Observed Examples
ReferenceDescription
Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.
Attacker can access portions of a restricted page by canceling out of a dialog.
Ticket-tracking system does not enforce a permission setting.
Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.
Chain: product does not properly handle dropped connections, leading to missing NULL terminator (CWE-170) and segmentation fault.
Chain: Authentication bypass by skipping the first startup step as required by the protocol.
Chain: File server crashes when sent a "find next" request without an initial "find first."
FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.
FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory438Behavioral Problems
Development Concepts699
ChildOfWeakness ClassWeakness Class691Insufficient Control Flow Management
Research Concepts (primary)1000
ChildOfCategoryCategory840Business Logic Errors
Development Concepts (primary)699
ChildOfCategoryCategory8672011 Top 25 - Weaknesses On the Cusp
Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors (primary)900
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Research Gaps

This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses.

The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles.

Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC40Insufficient Process Validation
+ References
Jeremiah Grossman. "Business Logic Flaws and Yahoo Games". 2006-12-08. October 2007. <http://jeremiahgrossman.blogspot.com/2006/12/business-logic-flaws.html>.
Jeremiah Grossman. "Seven Business Logic Flaws That Put Your Website At Risk". October 2007. <http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf>.
WhiteHat Security. "Business Logic Flaws". <http://www.whitehatsec.com/home/solutions/BL_auction.html>.
Rafal Los and Prajakta Jagdale. "Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic". 2011. <http://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation>.
Rafal Los. "Real-Life Example of a 'Business Logic Defect' (Screen Shots!)". 2011. <http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581>.
Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel and Giovanni Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications". USENIX Security Symposium 2010. August 2010. <http://www.usenix.org/events/sec10/tech/full_papers/Felmetsger.pdf>.
Faisal Nabi. "Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems". pages 29 - 41. International Journal of Network Security, Vol.12, No.1. 2011. <http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2011-03-24MITREInternal CWE Team
Modifications
Modification DateModifierOrganizationSource
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, Observed_Examples, Relationships

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017