This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

ASVS V15 Business Logic Flaws

Revision as of 00:07, 6 November 2018 by Tonimir Kisasondi (talk | contribs)

Jump to: navigation, search

V15: Business Logic Verification Requirements

Control Objective

Ensure that a verified application satisfies the following high level requirements:

  • The business logic flow is sequential and in order
  • Business logic includes limits to detect and prevent automated attacks, such as continuous small funds transfers, or adding a million friends one at a time, and so on.
  • High value business logic flows have considered abuse cases and malicious actors, and have protections against spoofing, tampering, repudiation, information disclosure, and elevation of privilege attacks.

Security Verification Requirements

# Description L1 L2 L3
15.1 Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions. 2.0
15.2 Verify the application has business limits and correctly enforces on a per user basis, with configurable alerting and automated reactions to automated or unusual attack. 2.0


For more information, see also: