Unlike common application attacks, such as SQL injection, each application logic attack is usually unique, since...
it has to exploit a function or a feature that is specific to the application. This makes it more difficult for automated vulnerability testing tools to detect such attacks because they are caused by flaws in the logic and not necessarily flaws in the actual code. When application logic attacks are successful, it is often because developers do not build sufficient process validation and control into the application. This lack of flow control allows attackers to perform certain steps incorrectly or out of order. For example, an online shopping cart application may offer a discount if product A is purchased. If the application does not ensure that product A is still in the shopping cart when payment is made, a malicious user could add product A to obtain the discount and then remove it in order to buy product B at an erroneously discounted price.
A different type of logic attack occurs when an attacker repeatedly uses an application's functionality, such as the ability to create several thousand new accounts or posting repeated messages on discussion boards. This type of attack abuses a useful application with little or no modification to the original function. A real-life example of such an attack occurred in August 2005 on the Paradise Poker online gambling Web site. Based on time delays, some gamblers learned how to predict dealers' hands. This flaw allowed them to win a lot of money quite legally! Some application logic attacks can lead to denial of service or be used as a force multiplier. A force multiplier occurs when an attacker injects malicious cross-site scripting code into something like a Web-chat session, letting the application's broadcast function propagate the code throughout the site.
The key to preventing application logic attacks is to perform a sanity check by validating business processes and design requirements at the start of the application development cycle. Web application developers also need to build security and flow control into applications right from the beginning. Unfortunately, many leave testing and security reviews until after the application has been created. Until more developers enforce coding standards and test code as soon as it's written, application logic attacks will continue to provide attackers with a profitable attack vector.
Dig Deeper on Web Application Security
Related Q&A from Michael Cobb
A web shell from the JexBoss security tool was used to exploit servers through an unpatched JBoss vulnerability. Expert Michael Cobb explains how to ...continue reading
The Android Trojan Triada has the ability to replace a device's system functions with its own. Expert Michael Cobb explains how to mitigate the ...continue reading
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.