This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Test number of times a function can be used limits (OTG-BUSLOGIC-005)

From OWASP
Revision as of 03:34, 17 December 2013 by David Fern (talk | contribs)

Jump to: navigation, search

Brief Description

Many of the problems that applications are solving require limits to the number of times a function can be used or action can be executed. Applications must be “smart enough” to not allow the user to exceed their limit on the use of these functions since in many cases each time the function is used the user may gain some type of benefit that must be accounted for to properly compensate the owner. For example: an ecommerce site may only allow a discount to be applied once, or some applications may be on a subscription plan an only allow users to download or upload three complete documents monthly.

Vulnerabilities related to the limits to the number of times a function can be used is unique in that this type of logic is application specific and misuse cases should be created that strive to exercise parts of the application of functions more that “allowed”.

Issue

Attackers may be able to circumvent the business logic and execute a function more times than “allowable” exploiting the application for personal gain.

Example

Suppose an ecommerce site allows users to take advantage of any one of many discounts on their total purchase and then proceed to checkout and tendering. What happens of the attacker navigates back to the discounts page after taking and applying the one “allowable” discount? Can they take advantage of another discount?

Testing Method

• Review the project documentation and use exploratory testing looking for functions or features in the application or system that should not be executed more that a single time during the business logic workflow.

• For each of the functions and features found that should only be executed a single time during the business logic workflow, develop abuse cases that may be allow a user to execute them multiple times. For example, can a user navigate back and forth through he pages multiple times executing a function that should only execute once?

Test Tools

None

Related Test Cases

4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)

4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)

4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)

4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004)

4.13.5 Test size of request limits (OTG-DOS-005)

References

InfoPath Forms Services business logic exceeded the maximum limit of operations Rule - http://mpwiki.viacode.com/default.aspx?g=posts&t=115678

Gold Trading Was Temporarily Halted On The CME This Morning - http://www.businessinsider.com/gold-halted-on-cme-for-stop-logic-event-2013-10

Remediation

The application should have checks to ensure that the business logic is being followed and that if a function can only be executed a certain number of times, when the limit is reached the user can no longer execute the function. To prevent users from using a function over the appropriate number of times the application may use mechanisms such as cookies to keep count or through sessions not allowing users to access to execute the function additional times.