• Support Plus   |   Contact a Representative   |   Contact WhiteHat

• Website Risk Management
  • Asset Identification
  • Vulnerability Management
  • Reporting/Communication
  • Protection
• Sentinel Services
  • Cost-effective Solution
  • Benefits
  • Core Features
  • Unique Methodology
  • Selection Guidelines
  • Sentinel Premium Edition
  • Sentinel Standard Edition
  • Sentinel Baseline Edition
  • Sentinel for QA
  • PCI Compliance
  • Integration – via XML API
  • Certification Program
  • How Sentinel Works
  • WAF Integration
• Support Plus
  • Gold Service Level
  • Silver Service Level
  • Standard Service Level
  • Service Levels
• Education Services
  • Onsite Training
  •    Guidelines
  •    Building Secure Web Applications
  •    Adv. Secure Coding for Java
  •    Adv. Secure Coding for .NET
  • e-Learning
  •    Intro to Web App Security
  •    Secure Coding for Java
  •    Secure Coding for .NET
  •    Threat Modeling
• Events & News
  • News Coverage
  • Press Releases
  • Interviews
  • Awards
  
  
  
  • Sentinel Videos
• Resources
  • Whitepapers
  • Webinars & Presentations
  • Jeremiah Grossman Blog
  • Website Statistics Report
  • Website Security Glossary
• Partners
  • Strategic Partners
  • Partner Portal Login
• About WhiteHat Security
  • Leadership Team
  • Board of Directors
  • Success Stories
  • Careers
  • Contact Us
  • Support

• Resources
• Whitepapers
• Webinars & Presentations
• Jeremiah Grossman Blog
• Website Statistics Report
• Sentinel Videos

Website Security Whitepaper

Seven Business Logic Flaws That Put Your Website At Risk

Download a Complimentary Copy of this Whitepaper ›››

Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. There are many forms of business logic vulnerabilities commonly exploited by attackers. These vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do and not what it can be made to do. The other problem(s) with business logic flaws is scanners can’t identify them, IDS can’t detect them, and Web application firewalls can’t defend them. Hardly a winning trifecta. Plus, the more sophisticated and Web 2.0 feature rich a website, the more prone it is to have flaws in business logic due to the complexities involved.

As the number of common vulnerabilities such as SQL Injection and Cross-Site Scripting are reduced, the bad guys are increasing their attacks on business logic flaws. Following are real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of a website. We’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.

Winning an Online Auction

Class: Abuse of Functionality

An on-line auction website prevents attackers from guessing the passwords of users by temporarily locking accounts that receive too many failed attempts (5 tries) in a given amount of time. Once an account is locked, the attacker (or the user) must wait for a timeout to expire (1 hr) before attempting to login again. Account locking is one of several techniques used to slow down brute force attacks.

Once logged-in, users are able to browse items being auctioned and view who bid on what. To place a bid, a user is asked for their password to verify their intent, which prevent unintended bids and also stops Cross-Site Request Forgery attacks. The bidding process is tied into the login security system to deny password guessing in this area, as well.

Can you spot the security problem?
If a malicious user wanted to place competing bidders at a disadvantage and improve their odds of winning an auction, they could, easily. To do so, they’d start by bidding on the item early and at a low price. When/if someone placed a higher bid, the malicious user would respond not only by bidding slightly higher, but also by running a sustained login brute force attack against that user’s account. The result: The user would be unable to bid on the item because their account would be purposely locked by the attacker, since the bidding system is tied to the login security system. The malicious user would continue this attack for anyone who attempted to bid higher until the auction ends. The malicious user is not guaranteed to win, but locking out competitive bidders certainly improves the odds, while retaining their ability to drop out of the running at any time.

Solution

• Do not display user names on the website. This not only increases user privacy, but also prevents an attacker from knowing which bidder they need/want to lockout.
  
  
• As an alternative to an account lockout, a CAPTCHA system may be employed if an account has received too many failed login attempts. This method has the benefit of preventing brute force attacks, without the potential side effect of locking out legitimate users who are making bids.
  
  
• Online auctions may allow sellers to specify a minimum bid price before they must sell the item. So, if an attacker used the method described to get an unreasonable price, they are not guaranteed to get the item.