
Difference between revisions of "ASVS V15 Business Logic Flaws"

From OWASP
(Created page with "# V15: Business Logic Verification Requirements ## Control Objective Ensure that a verified application satisfies the following high level requirements: * The business logi...")
 
Line 1: Line 1:
# V15: Business Logic Verification Requirements
+
V15: Business Logic Verification Requirements
  
## Control Objective
+
Control Objective
  
 
Ensure that a verified application satisfies the following high level requirements:
 
Ensure that a verified application satisfies the following high level requirements:
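Review bot: the converted lines drop the markdown `#` and `##` markers without adding wikitext heading markup, so `V15: Business Logic Verification Requirements` and `Control Objective` will render as plain paragraphs rather than section headings; write them as `= V15: Business Logic Verification Requirements =` and `== Control Objective ==`.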
Line 10: Line 10:
  
  
## Security Verification Requirements
+
Security Verification Requirements
  
| # | Description | L1 | L2 | L3 | Since |
+
{| class="wikitable"
| --- | --- | --- | --- | -- | -- |
+
! # !! Description !! L1 !! L2 !! L3 !! Since |
| **15.1** | Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions. |  | ✓ | ✓ | 2.0 |
+
|-
| **15.2** | Verify the application has business limits and correctly enforces on a per user basis, with configurable alerting and automated reactions to automated or unusual attack. |  | ✓ | ✓ | 2.0 |
+
| 15.1 || Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions. ||| ✓ || ✓ || 2.0
 +
|-
 +
| 15.2 || Verify the application has business limits and correctly enforces on a per user basis, with configurable alerting and automated reactions to automated or unusual attack. ||| ✓ || ✓ || 2.0
 +
|}
  
  
 
+
References
## References
 
  
 
For more information, see also:
 
For more information, see also:
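Review bot: the new table header row `! # !! Description !! L1 !! L2 !! L3 !! Since |` ends with a stray `|` that will appear as literal text in the last header cell; drop the trailing `|`. The same missing-heading problem as in the first hunk applies here: `Security Verification Requirements` and `References` lose their `##` markers but gain no `== ... ==` markup.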

Revision as of 00:07, 6 November 2018

V15: Business Logic Verification Requirements

Control Objective

Ensure that a verified application satisfies the following high level requirements:

  • The business logic flow is sequential and in order
  • Business logic includes limits to detect and prevent automated attacks, such as continuous small funds transfers, or adding a million friends one at a time, and so on.
  • High value business logic flows have considered abuse cases and malicious actors, and have protections against spoofing, tampering, repudiation, information disclosure, and elevation of privilege attacks.


Security Verification Requirements

| # | Description | L1 | L2 | L3 | Since |
| --- | --- | --- | --- | --- | --- |
| 15.1 | Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions. |  | ✓ | ✓ | 2.0 |
| 15.2 | Verify the application has business limits and correctly enforces on a per user basis, with configurable alerting and automated reactions to automated or unusual attack. |  | ✓ | ✓ | 2.0 |
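One way to enforce 15.1 and 15.2 together in application code, as an added example that is not part of ASVS or any OWASP project: a per-flow state machine that rejects out-of-order, skipped, too-fast and cross-user steps, and a per-user completion limit with alerting. The flow name, step list, timing threshold and limit values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example flow: steps must be submitted in exactly this order (15.1).
CHECKOUT_FLOW = ("cart", "address", "payment", "confirm")
MIN_STEP_SECONDS = 1.0       # assumed lower bound for realistic human time between steps
COMPLETED_FLOW_LIMIT = 2     # assumed per-user business limit on completed flows (15.2)
ALERT_THRESHOLD = 3          # violations per user before an alert is raised (15.2)


@dataclass
class FlowState:
    owner: str                  # user the flow was started by; other users may not drive it
    next_index: int = 0         # index into CHECKOUT_FLOW of the step expected next
    last_step_at: Optional[float] = None


@dataclass
class BusinessLogicGuard:
    flows: Dict[str, FlowState] = field(default_factory=dict)     # flow_id -> state
    completed: Dict[str, int] = field(default_factory=dict)       # user -> completed flows
    violations: Dict[str, int] = field(default_factory=dict)      # user -> rejected steps
    alerts: List[str] = field(default_factory=list)               # raised alerts (15.2)

    def _reject(self, user: str, reason: str) -> Tuple[bool, str]:
        # Every rejection is counted per user; repeated violations look automated.
        self.violations[user] = self.violations.get(user, 0) + 1
        if self.violations[user] == ALERT_THRESHOLD:
            self.alerts.append(f"user={user} repeated business-logic violations")
        return False, reason

    def submit(self, user: str, flow_id: str, step: str, now: float) -> Tuple[bool, str]:
        state = self.flows.get(flow_id)
        if state is None:
            state = self.flows[flow_id] = FlowState(owner=user)
        if state.owner != user:            # step from another user's flow
            return self._reject(user, "flow belongs to another user")
        expected = CHECKOUT_FLOW[state.next_index]
        if step != expected:               # out-of-order or skipped step
            return self._reject(user, f"expected step '{expected}', got '{step}'")
        if state.last_step_at is not None and now - state.last_step_at < MIN_STEP_SECONDS:
            return self._reject(user, "step submitted faster than realistic human time")
        if step == CHECKOUT_FLOW[-1] and self.completed.get(user, 0) >= COMPLETED_FLOW_LIMIT:
            return self._reject(user, "per-user business limit reached")
        state.next_index += 1
        state.last_step_at = now
        if step == CHECKOUT_FLOW[-1]:      # flow finished: count it and retire the state
            self.completed[user] = self.completed.get(user, 0) + 1
            del self.flows[flow_id]
        return True, "ok"
```

In a real deployment the state would live in server-side session or database storage keyed by the authenticated user, never in a client-supplied field, and the alert would feed the application's monitoring pipeline.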


References

For more information, see also: