Insufficient Process Validation


Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-40

 

Insufficient Process Validation

Insufficient Process Validation occurs when a web application fails to prevent an attacker from circumventing the intended flow or business logic of the application. In real-world incidents, insufficient process validation has led to bypassed access controls and direct monetary loss.

There are two main types of processes that require validation: flow control and business logic.

 

"Flow control" refers to multi-step processes in which each step must be completed by the user in a specific order. When an attacker performs a step incorrectly, skips it, or performs it out of order, access controls that depend on the earlier steps may be bypassed and the application's data may be left in an inconsistent state. The order of steps must therefore be tracked and enforced on the server, in session state the client cannot modify, rather than inferred from parameters the client submits. Examples of multi-step processes include wire transfers, password recovery, purchase checkout, and account sign-up.
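The following is an added example, not code from the WASC page, showing a password-recovery flow of the kind described above: submit an e-mail address, prove possession of the mailed code, then set a new password. The in-memory user table, session store and outbox are constructed stand-ins for a database and mail queue, and the function names are assumed for illustration. The vulnerable reset handler trusts the client to have done the earlier steps; the fixed handler only proceeds when the server-side session records that the previous step completed, limits code guesses, and makes the reset one-shot.

```python
"""Flow-control enforcement for a multi-step password-recovery process."""
from enum import Enum
import secrets

MAX_ATTEMPTS = 5


class Stage(Enum):
    NONE = 0             # nothing done yet
    EMAIL_SUBMITTED = 1  # step 1 done, code mailed
    CODE_VERIFIED = 2    # step 2 done, code matched
    DONE = 3             # step 3 done, flow must restart to run again


# Constructed stand-ins for a user database, server-side session store and mail queue.
USERS = {"alice@example.com": {"password": "old-secret"}}
SESSIONS = {}
OUTBOX = []


def new_session():
    """Create a server-side session; the client only ever holds the opaque id."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"stage": Stage.NONE}
    return sid


def submit_email(sid, email):
    """Step 1: record the account and mail a one-time code to it."""
    s = SESSIONS[sid]
    if email not in USERS:
        return "error: unknown account"
    code = f"{secrets.randbelow(10**6):06d}"
    s.update(stage=Stage.EMAIL_SUBMITTED, email=email, code=code, attempts=0)
    OUTBOX.append((email, code))
    return "ok: code sent"


def verify_code(sid, code):
    """Step 2: only valid if step 1 completed in this same session."""
    s = SESSIONS[sid]
    if s["stage"] is not Stage.EMAIL_SUBMITTED:
        return "error: step out of order"
    if not secrets.compare_digest(code, s["code"]):
        s["attempts"] += 1
        if s["attempts"] >= MAX_ATTEMPTS:
            s["stage"] = Stage.NONE  # too many guesses: force the flow to restart
            return "error: too many attempts"
        return "error: bad code"
    s["stage"] = Stage.CODE_VERIFIED
    return "ok: code verified"


def reset_password_vulnerable(sid, email, new_password):
    """Step 3, vulnerable: takes the account from the request and never checks
    that steps 1 and 2 were completed, so anyone can reset any password."""
    USERS[email]["password"] = new_password
    return "ok: password changed"


def reset_password_fixed(sid, new_password):
    """Step 3, fixed: the account comes from server-side session state, and the
    reset is only allowed once the code step for that session has succeeded."""
    s = SESSIONS[sid]
    if s["stage"] is not Stage.CODE_VERIFIED:
        return "error: step out of order"
    USERS[s["email"]]["password"] = new_password
    s["stage"] = Stage.DONE  # one-shot: a replay of this request must fail
    return "ok: password changed"


if __name__ == "__main__":
    attacker = new_session()
    print("attacker, vulnerable:", reset_password_vulnerable(attacker, "alice@example.com", "pwned"))
    print("attacker, fixed:     ", reset_password_fixed(attacker, "pwned"))
    user = new_session()
    submit_email(user, "alice@example.com")
    verify_code(user, OUTBOX[-1][1])
    print("legitimate, fixed:   ", reset_password_fixed(user, "new-secret"))
```

The pattern generalises to any ordered flow: each handler checks that the session is in exactly the stage its step expects, advances it on success, and resets it on abuse. Storing the stage in a client-side cookie or hidden field without integrity protection reintroduces the weakness.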

 

"Business logic" refers to the context in which a process executes, as governed by the business requirements. Exploiting a business logic weakness requires knowledge of the business; if no such knowledge is needed to exploit it, then most likely it is not a business logic flaw.[1] For this reason, automated vulnerability scanners and generic code review are unlikely to find this class of weakness: the code may be free of injection and memory errors and still accept a negative quantity, a reused coupon, or a price supplied by the client. Finding it requires a tester who understands what the application is supposed to do. One testing approach is offered by OWASP in its Testing Guide.[2]
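As an added example, not code from the WASC page, the checkout below contrasts a total computed from whatever the client submits with one that re-derives every figure from server-side data and checks the business rules the page alludes to. The catalogue, the coupon table and the request shapes are constructed for illustration. No injection or parsing bug is involved; each problem in the vulnerable version is a rule of the business that the code simply never checks.

```python
"""Server-side business-logic validation for a checkout request."""
from decimal import Decimal

# Constructed stand-ins for a product catalogue and a coupon table.
CATALOG = {"book": Decimal("20.00"), "pen": Decimal("2.50")}
COUPONS = {
    "SAVE5": {"discount": Decimal("5.00"), "min_total": Decimal("10.00"), "redeemed": False},
}
MAX_QTY = 100


class OrderError(ValueError):
    """Raised when a request violates a business rule."""


def total_vulnerable(request):
    """Vulnerable: trusts the unit price and quantity sent by the client and
    applies every coupon listed, however many times and whether or not it has
    already been used. A negative quantity becomes a credit."""
    total = Decimal("0")
    for item in request["items"]:
        total += Decimal(str(item["price"])) * item["qty"]
    for code in request.get("coupons", []):
        total -= COUPONS[code]["discount"]
    return total


def total_fixed(request):
    """Fixed: prices come from the catalogue, quantities must be sane, and a
    coupon is accepted once, only when the order qualifies for it."""
    total = Decimal("0")
    for item in request["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku}")
        qty = item["qty"]
        if type(qty) is not int or qty < 1 or qty > MAX_QTY:  # bool is excluded too
            raise OrderError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty  # any client-supplied "price" is ignored
    coupons = request.get("coupons", [])
    if len(coupons) > 1:
        raise OrderError("only one coupon per order")
    for code in coupons:
        coupon = COUPONS.get(code)
        if coupon is None or coupon["redeemed"]:
            raise OrderError("coupon invalid or already redeemed")
        if total < coupon["min_total"]:
            raise OrderError("order below coupon minimum")
        total -= coupon["discount"]
    if total < 0:
        raise OrderError("negative total")
    return total


def checkout(request):
    """Validate, then commit side effects (coupon redemption) only on success."""
    try:
        total = total_fixed(request)
    except OrderError as err:
        return ("error", str(err))
    for code in request.get("coupons", []):
        COUPONS[code]["redeemed"] = True
    return ("ok", total)


if __name__ == "__main__":
    evil = {
        "items": [{"sku": "book", "price": 0.01, "qty": 1},
                  {"sku": "pen", "price": 2.50, "qty": -10}],
        "coupons": ["SAVE5", "SAVE5"],
    }
    print("vulnerable total:", total_vulnerable(evil))
    print("fixed checkout:  ", checkout(evil))
```

The rules themselves (one coupon per order, a minimum spend, a quantity ceiling) are exactly the kind of knowledge a scanner does not have and a tester must obtain from the business before the weakness becomes visible.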

 

Flow Control Examples

 

Business Logic Examples

 

Additional Examples

 

References

OWASP: Business logic vulnerability

[1] http://www.owasp.org/index.php/Business_logic_vulnerability

 

OWASP: Testing for business logic (OWASP-BL-001)

[2] http://www.owasp.org/index.php/Testing_for_business_logic

 

Yahoo SEM Logic Flaw

[3] http://ha.ckers.org/blog/20080616/yahoo-sem-logic-flaw/

 

Tower Records Tunes Its Site

[4] http://www.storefrontbacktalk.com/story/021005tower.php

 

Youtube’s 18+ Filters Don’t Work

[5] http://www.darkseoprogramming.com/2008/06/01/youtubes-18-filters-dont-work/

 

Paris and Lindsay Hacked Again (There’s a Lesson Here, Really)

[6] http://blogs.wsj.com/biztech/2008/06/03/paris-and-lindsay-hacked-again-theres-a-lesson-here-really/

 

Apple and AT&T providing free Wi-Fi access to iPhone users and oops… to everyone else as well!

[7] http://blogs.zdnet.com/security/?p=1067

 

Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'

[8] http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html

 

Woman admits to exploiting glitch on QVC site

[9] http://www.msnbc.msn.com/id/21534526/

 

New eBay Fraud

[10] http://www.schneier.com/blog/archives/2009/03/new_ebay_fraud.html

 

Web Hacking Incidents Database (WHID): Insufficient Process Validation

[11] http://whid.webappsec.org/whid-list/Insufficient+Process+Validation