This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Test number of times a function can be used limits (OTG-BUSLOGIC-005)

Revision as of 13:35, 16 December 2013 by David Fern (talk | contribs)

Jump to: navigation, search

Brief Description

Many of the problems that applications are solving require limits to the number of times a function can be used or action can be executed. Applications must be “smart enough” to not allow the user to exceed their limit on the use of these functions since in many cases each time the function is used the user may gain some type of benefit that must be accounted for to properly compensate the owner. For example: an ecommerce site may only allow a discount to be applied once, or some applications may be on a subscription plan an only allow users to download or upload three complete documents monthly.


Attackers may be able to circumvent the business logic and execute a function more times than “allowable” exploiting the application for personal gain.


Suppose an ecommerce site allows users to take advantage of any one of many discounts on their total purchase and then proceed to checkout and tendering. What happens of the attacker navigates back to the discounts page after taking and applying the one “allowable” discount? Can they take advantage of another discount?

Testing Method

• Study the applications logical requirements. • The user will find each place in the application that entries can be made or changed. • With this list the user will try to manipulate the application by exercising/using a function more than the allowable number of times.

Test Tools


Related Test Cases

4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)

4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)

4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)

4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004)

4.13.5 Test size of request limits (OTG-DOS-005)


InfoPath Forms Services business logic exceeded the maximum limit of operations Rule -

Gold Trading Was Temporarily Halted On The CME This Morning -


The application should have checks to ensure that the business logic is being followed and that if a function can only be executed a certain number of times, when the limit is reached the user can no longer execute the function. To prevent users from using a function over the appropriate number of times the application may use mechanisms such as cookies to keep count or through sessions not allowing users to access to execute the function additional times.