BANGALORE, INDIA: Today, while the security industry is concentrating on the major, well-known web application attacks, malicious hackers are finding genuinely new ways to exploit web applications. They are moving away from traditional attacks such as SQL injection, XSS, CSRF and HTTP-level attacks and are increasingly focusing on exploiting the logic behind web applications. Such attacks are commonly termed business logic attacks.
A majority of business logic attacks have the upper hand over automated security tools such as scanners, web application firewalls (WAFs) and intrusion detection/prevention systems (IDS/IPS). That is because such automated security is designed mostly to test what software should do, not what it can be made to do.
Moreover, the HTTP requests that carry a business logic attack appear completely normal, so WAFs fail to recognize them. Here, we focus on such business logic attacks, how hackers exploit them, and finally, how to defeat them with effective security.
Why Business Logic?
The first and most obvious question is why this new category of attacks is termed this way, and what it really means.
Wikipedia defines business logic as a non-technical term generally used to describe the functional algorithms which handle information exchange between a database and a user interface. It is distinguished from input/output data validation and product logic. Business logic models real life business objects such as accounts, loans, itineraries, and inventories. It also prescribes how business objects interact with one another.
Application or business logic refers to the behavior that is defined directly by the developer, i.e. not the general functionality provided as part of the application server platform, such as authentication, but the application-specific operations that define the application's functionality, such as item pricing rules, usage flows, presentation layout, etc. Hence, application logic attacks are characterized by the exploitation of a function or feature that is specific to the application. They differ from one incident to the next, depending on how they exploit the application.
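As an added illustration of an application-specific pricing rule (example code, not from the CIOL article), the following Python shows a checkout total that passes ordinary input validation yet can be made to do something the business never intended, beside a hardened version that enforces the business constraints server-side. The catalogue prices, the per-line quantity limit and the sample cart are constructed for the example.

```python
from typing import Dict, List

CATALOG = {"book": 12.00, "pen": 1.50}   # constructed sample prices
MAX_QTY_PER_LINE = 100                   # assumed business limit, not from the article


def validate_syntax(order: Dict) -> bool:
    """The kind of check an input-validation layer or WAF performs: correct
    types, known keys, known item. A negative integer is still a valid integer,
    so this line looks completely normal on the wire."""
    return (isinstance(order.get("item"), str)
            and isinstance(order.get("qty"), int)
            and order["item"] in CATALOG)


def total_naive(cart: List[Dict]) -> float:
    """Vulnerable pricing rule: every line is syntactically valid, so the server
    multiplies price by whatever quantity it was sent, including negative ones."""
    total = 0.0
    for order in cart:
        if not validate_syntax(order):
            raise ValueError("malformed order line")
        total += CATALOG[order["item"]] * order["qty"]
    return round(total, 2)


def total_hardened(cart: List[Dict]) -> float:
    """Same rule with the business constraints enforced: quantities are positive
    and bounded per line, and the final total is checked against an invariant
    the business actually holds (an order never owes the customer money)."""
    total = 0.0
    for order in cart:
        if not validate_syntax(order):
            raise ValueError("malformed order line")
        qty = order["qty"]
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise ValueError(f"quantity {qty} violates business rule")
        total += CATALOG[order["item"]] * qty
    if total < 0:
        raise ValueError("negative order total")
    return round(total, 2)


if __name__ == "__main__":
    # Constructed cart: one negative line offsets a legitimate one.
    cart = [{"item": "book", "qty": -5}, {"item": "pen", "qty": 10}]
    print(all(validate_syntax(o) for o in cart))  # True: nothing looks malformed
    print(total_naive(cart))                      # -45.0
    try:
        total_hardened(cart)
    except ValueError as err:
        print("rejected:", err)
```

The point to take from the check is that the request itself is well-formed; only a rule that knows what a quantity means for this business can reject it.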