Introduction

There's not a lot of information out there on business logic vulnerabilities. I challenge you to try it: go to Google right now and search "business logic vulnerabilities". You will find a very good article on it from PortSwigger and one from OWASP, but they are very limited and, in my opinion, don't explain the concepts very well. Today I'm going to talk to you about logic: what it is, how it can go wrong and how you can test for logic issues. I do believe logic is something you can train, and there are things you can do to help improve this process.

We will go over all of these things and much more, so let's not waste any more time and dive right in!

What is logic?

Our logic is always flawed, it's as simple as that. There's nothing wrong with this either; we as humans simply suck at foreseeing all the possible issues that could arise. We develop many different risk mitigation strategies, but you know as well as I do that ruling out all the risk is impossible, because we simply can't foresee all the possible variables that play into a situation.

In a business setting, we have the same issue. Whether it be banking, a shoe store or a company that sells websites, they all run into the same issues. We all run into the same issues in our daily lives. I'm going to give you a simple thought experiment to demonstrate.

Thought experiment

What I have in front of me:

When I ask people for instructions on how to make a sandwich, a few things will get called forward. Before you read on, I want you to think about how you would tell me to make a sandwich.

I would tell a person of average intelligence to make a sandwich by putting the knife in the jar and smearing it on the bread, but now I want you to imagine explaining this to a person who has never held a knife before. Who has never opened a jar before. Who has never even heard of a sandwich before. This is why logic issues arise.

We are often using software of which we do have some basic idea, so in a way you can compare us users to cavemen with very basic knowledge of tool usage who were suddenly handed a table saw. You have made stone tools yourself and you do know how to use those, but this magical thing you've never seen before, that's new to you.

It's the exact same thing with software: we are using this software and even regular users will have trouble and cause unintended behaviour. This behaviour may not always lead to a flaw, and definitely not always to a security flaw, but it does occur quite often. Much more often than people think.

What is a business logic vulnerability

Now that we know what we mean by logic, we can also talk about how vulnerabilities arise. In recent times everything needs to go faster and faster with the rise of agile development methodologies, but these issues have existed for ages! We humans suck at predicting the consequences of our actions, and even if we could foresee all of our actions, we can't take into account what others will do.

There's inherent risk in working on a software program over multiple weeks, months or even years. Everyone who has come into contact with software development will be able to confirm this: the longer a project runs, the more changes it undergoes. Those changes can be in staff, by hiring new members and losing workers who hold a lot of knowledge. They can also be in strategy; for example, if the project becomes too big for one person to handle, an analyst and a software tester might be hired, which does require a change in structure.

This risk can be mitigated, but in my opinion there are a couple of ways a business logic vulnerability can sneak in: