Business Logic Flaws

Business logic flaws allow attackers to abuse legitimate transactions or application flows: each individual request is valid on its own, but the sequence, ownership or quantity is not what the application intended. The main challenge with these flaws is that scanners and other automated tools typically miss them, because there is no malformed input to detect, only a correct operation performed in the wrong context.

MITRE assigns CWE-840 (Business Logic Errors) to this class of weakness; the full entry is at https://cwe.mitre.org/data/definitions/840.html. Examples of business logic flaws include:

  • Unverified Ownership

  • Authentication Bypass Using an Alternate Path or Channel

  • Authorisation Bypass through User-Controlled Key

  • Weak Password Recovery Mechanism for Forgotten Password

  • Incorrect Ownership Assignment

  • Allocation of Resources without Limits or Throttling

  • Premature Release of Resource During Expected Lifetime

  • Improper Enforcement of a Single, Unique Action

  • Improper Enforcement of a Behavioral Workflow
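A minimal illustration of two items from the list above, written for this page and not taken from MITRE or any project: an order endpoint that ships whatever order id the client supplies without checking ownership or the payment step (Authorisation Bypass through User-Controlled Key, Improper Enforcement of a Behavioral Workflow), beside a version that enforces both server-side. Order ids, owners and states are constructed sample data.

```python
from dataclasses import dataclass

# Legal transitions of the order state machine; the server, not the client,
# decides which step may come next (constructed demo states).
TRANSITIONS = {"created": {"paid"}, "paid": {"shipped"}}


class LogicError(Exception):
    pass


@dataclass
class Order:
    order_id: int
    owner: str
    state: str = "created"


def ship_vulnerable(orders: dict, order_id: int) -> str:
    # Flawed: trusts the client-supplied id (user-controlled key) and never
    # asks whether the order is in a state where shipping is allowed.
    order = orders[order_id]
    order.state = "shipped"
    return order.state


def transition(order: Order, new_state: str) -> str:
    # Behavioral workflow enforcement: only the next legal step is accepted.
    if new_state not in TRANSITIONS.get(order.state, set()):
        raise LogicError(f"cannot move order from {order.state} to {new_state}")
    order.state = new_state
    return order.state


def ship_hardened(orders: dict, order_id: int, actor: str) -> str:
    # Ownership is checked before the workflow; missing and foreign orders get
    # the same error so the endpoint does not reveal which ids exist.
    order = orders.get(order_id)
    if order is None or order.owner != actor:
        raise LogicError("order not found")
    return transition(order, "shipped")


def demo_orders() -> dict:
    # Constructed sample data: alice's order is unpaid, bob's has been paid.
    return {1: Order(1, "alice"), 2: Order(2, "bob", "paid")}
```

In a real application the ownership check and the state table live next to the data access layer, so every endpoint that touches an order goes through them rather than re-implementing the rules.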
