Unlike common application attacks, such as SQL injection, each application logic attack is usually unique, since...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
it has to exploit a function or a feature that is specific to the application. This makes it more difficult for automated vulnerability testing tools to detect such attacks because they are caused by flaws in the logic and not necessarily flaws in the actual code. When application logic attacks are successful, it is often because developers do not build sufficient process validation and control into the application. This lack of flow control allows attackers to perform certain steps incorrectly or out of order. For example, an online shopping cart application may offer a discount if product A is purchased. If the application does not ensure that product A is still in the shopping cart when payment is made, a malicious user could add product A to obtain the discount and then remove it in order to buy product B at an erroneously discounted price.
A different type of logic attack occurs when an attacker repeatedly uses an application's functionality, such as the ability to create several thousand new accounts or posting repeated messages on discussion boards. This type of attack abuses a useful application with little or no modification to the original function. A real-life example of such an attack occurred in August 2005 on the Paradise Poker online gambling Web site. Based on time delays, some gamblers learned how to predict dealers' hands. This flaw allowed them to win a lot of money quite legally! Some application logic attacks can lead to denial of service or be used as a force multiplier. A force multiplier occurs when an attacker injects malicious cross-site scripting code into something like a Web-chat session, letting the application's broadcast function propagate the code throughout the site.
The key to preventing application logic attacks is to perform a sanity check by validating business processes and design requirements at the start of the application development cycle. Web application developers also need to build security and flow control into applications right from the beginning. Unfortunately, many leave testing and security reviews until after the application has been created. Until more developers enforce coding standards and test code as soon as it's written, application logic attacks will continue to provide attackers with a profitable attack vector.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
QuickTime for Windows was found to have two zero-day vulnerabilities, and was then suddenly moved to end of life by Apple. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.