This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Abuse of Functionality"

From OWASP
Jump to: navigation, search
Line 5: Line 5:
 
=== Root Cause Summary ===
 
=== Root Cause Summary ===
  
 +
Abuse of functionality, sometimes referred to as business logic attacks involve the design and implementation for application functions and features.  As functionality is added to applications thought must be given to how the function or feature can be manipulated to circumvent the business process.
 +
 +
Some examples include:
 +
*Cookie Manipulation
 +
*Predictive parameters
 +
*Process timing
 +
*Lack of Data verification
 +
*Premature approval
 +
*Lack of process verification
  
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===
Line 20: Line 29:
  
 
=== Custom Code Solution ===
 
=== Custom Code Solution ===
All features should have defined abuse cases and implemented protections against these abuses.  
+
All functions and features of the application should be evaluated and tested against Use and Abuse cases to discover/uncover ways that potential attackers can use the application’s own functionality to circumvent the intended business process logic.  
  
 
=== Discussion / Controversy ===
 
=== Discussion / Controversy ===
 
+
Although there are some generic functionality to look for, uncovering abuse of functionality vulnerabilities can be difficult and is application specific since every application is different and each implements its functions and features differently. For this reason this type of testing is similar functional testing.
  
  
Line 33: Line 42:
  
 
[https://www.owasp.org/index.php/Category:Abuse_of_Functionality OWASP Category: Abuse of Functionality]<br>
 
[https://www.owasp.org/index.php/Category:Abuse_of_Functionality OWASP Category: Abuse of Functionality]<br>
 +
 +
[https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet OWASP Business Logic Cheat Sheet]<br>
 +
 +
[https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)  OWASP Testing Guide – Testing for business Logic (OWASP-BL-001)]<br>

Revision as of 11:25, 6 June 2013

Return to Periodic Table Working View

Abuse of Functionality

Root Cause Summary

Abuse of functionality, sometimes referred to as business logic attacks involve the design and implementation for application functions and features. As functionality is added to applications thought must be given to how the function or feature can be manipulated to circumvent the business process.

Some examples include:

  • Cookie Manipulation
  • Predictive parameters
  • Process timing
  • Lack of Data verification
  • Premature approval
  • Lack of process verification

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

None

Custom Framework Solution

None

Custom Code Solution

All functions and features of the application should be evaluated and tested against Use and Abuse cases to discover/uncover ways that potential attackers can use the application’s own functionality to circumvent the intended business process logic.

Discussion / Controversy

Although there are some generic functionality to look for, uncovering abuse of functionality vulnerabilities can be difficult and is application specific since every application is different and each implements its functions and features differently. For this reason this type of testing is similar functional testing.


References

WASC Abuse of Functionality

CAPEC – 210: Abuse of Functionality>

OWASP Category: Abuse of Functionality

OWASP Business Logic Cheat Sheet

OWASP Testing Guide – Testing for business Logic (OWASP-BL-001)