Manage Learn to apply best practices and optimize your operations.

What are application logic attacks?

In 2005, application logic flaws allowed alert, Web-savvy gamblers the chance to win a lot of money. In this tip, application security expert Michael Cobb examines these types of vulnerabilities and how they can lead to application attacks.

What are application logic attacks and what kinds of damage can they do to users?
Application logic describes the steps required, as defined by the application developer, to complete a particular action. An example of application logic would be a customer adding an item to an online shopping basket and then being required to provide a name, address and payment details before being able to complete the purchase. Application logic (also called business logic) doesn't refer to the general functionality of a Web server, but to the specific operations of the application's functionality, such as product discounts, postage pricing rules, etc. An application logic attack looks to circumvent or misuse the expected order of operations within an application's features. Generally, such attacks are aimed at a Web site, but they can also be targeted at a site's visitors and their private customer data.

Unlike common application attacks, such as SQL injection, each application logic attack is usually unique, since it has to exploit a function or a feature that is specific to the application. This makes it more difficult for automated vulnerability testing tools to detect such attacks because they are caused by flaws in the logic and not necessarily flaws in the actual code. When application logic attacks are successful, it is often because developers do not build sufficient process validation and control into the application. This lack of flow control allows attackers to perform certain steps incorrectly or out of order. For example, an online shopping cart application may offer a discount if product A is purchased. If the application does not ensure that product A is still in the shopping cart when payment is made, a malicious user could add product A to obtain the discount and then remove it in order to buy product B at an erroneously discounted price.

A different type of logic attack occurs when an attacker repeatedly uses an application's functionality, such as the ability to create several thousand new accounts or posting repeated messages on discussion boards. This type of attack abuses a useful application with little or no modification to the original function. A real-life example of such an attack occurred in August 2005 on the Paradise Poker online gambling Web site. Based on time delays, some gamblers learned how to predict dealers' hands. This flaw allowed them to win a lot of money quite legally! Some application logic attacks can lead to denial of service or be used as a force multiplier. A force multiplier occurs when an attacker injects malicious cross-site scripting code into something like a Web-chat session, letting the application's broadcast function propagate the code throughout the site.

The key to preventing application logic attacks is to perform a sanity check by validating business processes and design requirements at the start of the application development cycle. Web application developers also need to build security and flow control into applications right from the beginning. Unfortunately, many leave testing and security reviews until after the application has been created. Until more developers enforce coding standards and test code as soon as it's written, application logic attacks will continue to provide attackers with a profitable attack vector.

More information:

  • Use threat modeling to improve Web application security.
  • See how software flaws affect Web applications.
  • This was last published in January 2007

    Dig Deeper on Web application and API security best practices