What is application logic?
Application logic describes the steps required, as defined by the application developer, to complete a particular action. An example of application logic would be a customer adding an item to an online shopping basket and then being required to provide a name, address and payment details before being able to complete the purchase. Application logic (also called business logic) doesn't refer to the general functionality of a Web server, but to the specific operations of the application's functionality, such as product discounts, postage pricing rules, etc. An application logic attack looks to circumvent or misuse the expected order of operations within an application's features. Generally, such attacks are aimed at a Web site, but they can also be targeted at a site's visitors and their private customer data.
How application logic attacks operate
Unlike common application attacks, such as SQL injection, each application logic attack is usually unique, since it has to exploit a function or a feature that is specific to the application. This makes it more difficult for automated vulnerability testing tools to detect such attacks because they are caused by flaws in the logic and not necessarily flaws in the actual code. When application logic attacks are successful, it is often because developers do not build sufficient process validation and control into the application. This lack of flow control allows attackers to perform certain steps incorrectly or out of order. For example, an online shopping cart application may offer a discount if product A is purchased. If the application does not ensure that product A is still in the shopping cart when payment is made, a malicious user could add product A to obtain the discount and then remove it in order to buy product B at an erroneously discounted price.
Application logic attack-types
A different type of logic attack occurs when an attacker repeatedly uses an application's functionality, such as the ability to create several thousand new accounts or posting repeated messages on discussion boards. This type of attack abuses a useful application with little or no modification to the original function. A real-life example of such an attack occurred in August 2005 on the Paradise Poker online gambling Web site. Based on time delays, some gamblers learned how to predict dealers' hands. This flaw allowed them to win a lot of money quite legally! Some application logic attacks can lead to denial of service or be used as a force multiplier. A force multiplier occurs when an attacker injects malicious cross-site scripting code into something like a Web-chat session, letting the application's broadcast function propagate the code throughout the site.
Application logic attacks: Preventative measures
The key to preventing application logic attacks is to perform a sanity check by validating business processes and design requirements at the start of the application development cycle. Web application developers also need to build security and flow control into applications right from the beginning. Unfortunately, many leave testing and security reviews until after the application has been created. Until more developers enforce coding standards and test code as soon as it's written, application logic attacks will continue to provide attackers with a profitable attack vector.
About the Author: This was first published in February 2007
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the bookIIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in February 2007