This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "ASVS V15 Business Logic Flaws"

Jump to: navigation, search
(Fixed table, made the content readable.)
Line 1: Line 1:
== V15: Business Logic Verification Requirements ==
'''Control Objective:'''
| type=delete
| comment=Tagged via fixme/delete.
Ensure that a verified application satisfies the following high level requirements:
* The business logic flow is sequential and in order
* Business logic includes limits to detect and prevent automated attacks, such as continuous small funds transfers, or adding a million friends one at a time, and so on.
* High value business logic flows have considered abuse cases and malicious actors, and have protections against spoofing, tampering, repudiation, information disclosure, and elevation of privilege attacks.
'''Security Verification Requirements:'''
{| class="wikitable"
! # !! Description !! L1 !! L2 !! L3 !! Since |
| 15.1 || Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions. ||  || ✓ || ✓ || 2.0
| 15.2 || Verify the application has business limits and correctly enforces on a per user basis, with configurable alerting and automated reactions to automated or unusual attack. ||  || ✓ || ✓ || 2.0
For more information, see also:
* [OWASP Testing Guide 4.0: Business Logic Testing ](
* [OWASP Cheat Sheet](

Latest revision as of 16:46, 7 November 2018

This page has been recommended for deletion.
You can help OWASP by improving it or discussing it on its Talk page. See FixME
Comment: Tagged via fixme/delete.