Business Logic Flaws

Tyler Shields
Signal Sciences Labs
4 min readJul 17, 2017

Protect Your Unique Snowflake from the Dark Side

I haven’t always been a “business” guy. As a matter of fact, for a better part of my life I was a security researcher, security consultant, and a penetration tester. I worked at firms such as @Stake, Symantec, and Veracode, doing mostly offensive focused security research and consulting for Fortune 500 firms.

Working in an offensive capacity taught me a lot about the mindset of attackers: how they think, what interests them, and ultimately what motivates them. My proximity to the “dark side” of attackers, coupled with my business experience building security products and companies, gave me insight into which threats and risks really matter.

Injection Attacks — BORING!

As penetration testers, we analyzed our clients’ applications, attempting to break in and steal as much sensitive data as possible. We had a great hit rate, approaching 95% success. Most of the time, success came in the form of a SQL injection or cross-site scripting (XSS) attack. These attack classes were so easy to locate and exploit that they quickly became a joke within our firm. The junior guys were tasked with discovering OWASP Top 10 injection flaws, leaving the rewarding and fun work of finding more interesting attacks to the seasoned veterans. Most of the time, the rewarding attacks came in the form of business logic attacks.

Every App Is A Unique Snowflake

Photo by Alexy Kljatov

Business logic attacks are a class of attack that targets the business logic of an application, specifically the places where developers are prone to making errors. These attacks are the most fun and interesting to exploit because it’s extremely difficult to automate the detection of these flaws with a security scanner. Every application is a unique snowflake. Each snowflake has functionality, code and processes embedded in it that are only meaningful in the context of that particular application. For example, a banking application may contain functionality where you follow a process for setting up automatic bill pay:

Step 1: Set up the pay-to account
Step 2: Confirm the pay-to account setup via email
Step 3: Create an automated recurring payment to that account

It’s very difficult for an automated security scanner to check and secure this type of application feature. It’s unique to the application, and completing the multi-step process requires human thought. This is a perfect example of a code location where attackers will target the business logic. For example, step 1 might let an attacker set up a pay-to account that sends money to someone else, step 2 might be easily bypassed with a predictable confirmation URL, and step 3 might allow negative-value payments to the pay-to account, effectively crediting yourself with the money. Without going through the entire process as a human would, a dynamic automated scanner will never find the vulnerabilities further down the logic chain.
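As an added example (my own code, not from the original post or from Signal Sciences), here is a server-side sketch of the three-step bill-pay flow with the three weaknesses described above closed: the confirmation token is unguessable and compared in constant time, step 3 refuses to run until step 2 has succeeded, and payment amounts must be strictly positive whole cents. The class and method names are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PayeeSetup:
    """One pay-to account registration (hypothetical model, constructed here)."""
    payee: str
    token: str            # confirmation token delivered by email in step 2
    confirmed: bool = False


@dataclass
class BillPay:
    """Server-side state for one customer's bill-pay flow (hypothetical)."""
    payees: dict = field(default_factory=dict)    # payee id -> PayeeSetup
    payments: list = field(default_factory=list)  # (payee id, amount_cents)

    def setup_payee(self, payee: str) -> str:
        """Step 1: register the pay-to account. Returns the token that the
        mail sender would deliver; it is never written into a page or a URL."""
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, not a guessable URL
        self.payees[payee] = PayeeSetup(payee, token)
        return token

    def confirm_payee(self, payee: str, token: str) -> bool:
        """Step 2: accept only the exact emailed token (constant-time compare)."""
        setup = self.payees.get(payee)
        if setup is None or not hmac.compare_digest(setup.token, token):
            return False
        setup.confirmed = True
        return True

    def create_payment(self, payee: str, amount_cents: int) -> bool:
        """Step 3: recurring payment only for a confirmed payee and a strictly
        positive whole-cent amount, so a negative value cannot credit the payer."""
        setup = self.payees.get(payee)
        if setup is None or not setup.confirmed:
            return False                # step order is enforced on the server
        if isinstance(amount_cents, bool) or not isinstance(amount_cents, int):
            return False                # reject bool/float/str smuggled as "amount"
        if amount_cents <= 0:
            return False
        self.payments.append((payee, amount_cents))
        return True
```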

Security Coverage Over Business Logic Attacks

Since it’s extremely difficult to proactively find business logic flaws without human intuition, the best way to provide protection is to monitor and respond to attacks by human actors. Application security technology embedded in the source code or the server instance provides security by looking at all indicators of attack, both attack signals and anomalous data, throughout the entire attack chain, at every step of the process. This way you gain the benefit of automating the attack models that humans identify, coupled with security insight that is tightly tied to the heart of the application in real time.

A good web protection platform can create custom signals and protections for business logic processes, and has access to historical baseline data for both anomalous and malicious indicators of attack. If you see a spike in 500 errors, or an increase in response sizes following an OWASP injection indicator, there is a good chance you are under attack. If you notice a customer linking two bank accounts more than 10 times in 60 seconds, there is a good chance you are under attack.
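The two detections just described, as an added example that is not code from the post or from Signal Sciences’ platform: a sliding-window count of account-link events per customer (alerting past 10 in 60 seconds) and a per-minute count of HTTP 500 responses compared against a historical baseline. The log format and the sample lines are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample log, one event per line: "epoch_seconds user action http_status".
SAMPLE_LOG = """\
1010 bob link_account 200
1012 bob link_account 200
1014 bob link_account 200
1015 bob pay 500
1016 bob link_account 200
1017 bob pay 500
1018 bob link_account 200
1018 bob pay 500
1020 bob link_account 200
1022 bob link_account 200
1024 bob link_account 200
1026 bob link_account 200
1028 bob link_account 200
1030 bob link_account 200
1100 alice link_account 200
"""

def parse_line(line):
    ts, user, action, status = line.split()
    return int(ts), user, action, int(status)

def detect_link_abuse(log, threshold=10, window=60):
    """(ts, user, count) whenever one user's link_account events in the trailing window exceed threshold."""
    recent = defaultdict(deque)       # user -> timestamps still inside the window
    alerts = []
    for line in log.splitlines():
        ts, user, action, _ = parse_line(line)
        if action != "link_account":
            continue
        q = recent[user]
        q.append(ts)
        while q[0] <= ts - window:    # evict events older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((ts, user, len(q)))
    return alerts

def error_spike_minutes(log, baseline_per_minute, factor=2):
    """Minute buckets whose HTTP 500 count exceeds factor * baseline (baseline from historical norms)."""
    per_minute = defaultdict(int)
    for line in log.splitlines():
        ts, _, _, status = parse_line(line)
        if status == 500:
            per_minute[ts // 60] += 1
    return sorted(m for m, n in per_minute.items() if n > factor * baseline_per_minute)
```

The same sliding-window routine applies to any per-customer step of a business logic chain; only the action name and thresholds change.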

Security visibility and democratized security data lead to a much more secure application layer. By integrating a web protection platform into your overall security operations center, and augmenting your security and development tool chains with security visibility, you deliver better protection and intelligence to your security staff, making their jobs and lives significantly easier.

Ultimately, security teams interested in securing their applications must:

  • Increase security visibility to augment the knowledge of the security operations center analyst. The analyst is the human expert in finding and stopping attacks. Focus on decreasing the time and energy it takes this team to locate and stop attacks against your applications through increased visibility with a web protection platform.
  • Identify attack indicators specific to your business logic and implement visibility of the attack indicators, the results, or BOTH. You must identify what the attack chain looks like and set up alerts and detections around that chain. In addition to preventative visibility and protection, alerting on results that indicate a successful attack helps when you aren’t able to completely enumerate all upfront attack indicators.

Interested in chatting more? We will be at Black Hat/Def Con on July 25–28 in Las Vegas. Come talk to us at Booth #474, and see a demo of Signal Sciences Web Protection Platform (WPP) and how we can help you secure your entire application system.

WPP can be deployed in any application, platform, or language, providing both security visibility and real-time protection. It provides out-of-the-box detection for all modern attack chains and is extensible enough to support your unique business logic requirements.


VP Marketing, Partnerships, Strategy for Signal Sciences