
Scrutinizing business logic - the enemy of the ebusiness world

Do you really think you are secure? The answer to this question is somewhat complex when it comes to information security in cyberspace. With the ever-increasing number of attacks and vulnerabilities in software and applications, it is hard to keep track of security.

The vulnerability pattern is shifting more towards the application level, and attackers are concentrating more on exploiting web applications rather than system-level insecurities. High-end attacks used to start with XSS and SQL injection, but the paradigm has shifted more towards business logic flaws.

Business logic is a term used to define any working functionality in a web application that impacts the business model. It consists of business rules and workflows. A workflow is defined as a generic sequence of operations required to complete one entity in a business process. Companies talk about quality assurance of the derived application software. The quality assurance (QA) process relates to verifying the working flow of the code, as defined by the developer.

The process ends here. However, there is the possibility that the code could be made to perform functions it was not intended to perform. If this happens, there is a virtual loophole in QA. One of the flaws of QA is that it can only check what the code is meant to do; it does not examine the varied effects that follow if the code's functionality is exploited by an attacker. This is the core of business logic flaws.

With the advent of the Web 2.0 framework, the complexity of websites has increased. Because of this, web applications are prone to business logic flaws, and the code is made to work according to the wishes of attackers, as in session fixation attacks. Another instance of this vulnerability is automated login attempts through brute forcing, as most web applications do not have CAPTCHA implemented on the required login pages.

Even an account lockout policy is not effective when it is applied to certain functionality in web applications. It has been noticed that some websites base their account lockout policy on time. Once the time limit is over, the account can be used again, so the code is doing what it is meant to do, but the logic is somewhat vulnerable. Another flaw comes into play with business transactions. Most web-based transactions with credit cards, debit cards and so on move money from one account to another.
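The time-based lockout weakness described above can be measured. This added example (not part of the original article) counts how many failed logins one account accepts in a day under a fixed lockout and under an escalating one; the threshold, the 15-minute lock and the one-attempt-per-second rate are assumptions.

```python
from dataclasses import dataclass

MAX_FAILURES = 5       # assumed: failures allowed before a lockout
BASE_LOCK = 15 * 60    # assumed: base lockout length in seconds

@dataclass
class Account:
    failures: int = 0          # failures in the current cycle
    lockouts: int = 0          # lockouts this account has had so far
    locked_until: float = 0.0  # time at which the current lock expires

def fixed_policy(acct, now):
    """Time-based lockout: lock for a fixed period, then start from zero."""
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + BASE_LOCK
        acct.failures = 0

def escalating_policy(acct, now):
    """Each lockout doubles the next; the lockout count is kept across cycles."""
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + BASE_LOCK * (2 ** acct.lockouts)
        acct.lockouts += 1
        acct.failures = 0

def failed_attempts_allowed(policy, horizon):
    """Failed logins accepted within `horizon` seconds when a client
    retries once per second and resumes as soon as each lock expires."""
    acct, now, accepted = Account(), 0.0, 0
    while now < horizon:
        if now < acct.locked_until:
            now = acct.locked_until   # wait out the lock
            continue
        policy(acct, now)             # one failed login is processed
        accepted += 1
        now += 1.0
    return accepted

DAY = 24 * 60 * 60
print("fixed:", failed_attempts_allowed(fixed_policy, DAY))
print("escalating:", failed_attempts_allowed(escalating_policy, DAY))
```

Both policies pass a QA check that the account locks after five failures; only the per-day count shows the difference in the logic.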

The predictability of the URL pattern is the major source of problems when handling transactions and can lead to cross-site request forgery. This is where user identifiers have predictable patterns, which an attacker can use to extract a lot of information from the system.

It can even be manipulated to initiate a rogue action in the context of the web application and change its functionality. In addition, a number of websites disregard privacy rules, exposing a lot of user-related information on the website. By combining all these factors, an attacker can exploit the logic in a wider sense.
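The transaction weakness described above, as an added example that is not part of the original article: a transfer handler that trusts a predictable URL, next to one that requires an unpredictable per-session token and checks ownership and amount on the server. Account ids, session fields and parameter names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
ACCOUNTS = {                           # constructed sample data
    "acct-1001": {"owner": "alice", "balance": 500},
    "acct-1002": {"owner": "bob", "balance": 200},
}

def csrf_token(session_id: str) -> str:
    """Token bound to the session; it cannot be derived from the URL pattern."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_weak(params: dict) -> str:
    """Before: every value comes from the request, so any request the
    user's browser can be made to send is honoured."""
    src, dst, amount = params["from"], params["to"], int(params["amount"])
    ACCOUNTS[src]["balance"] -= amount
    ACCOUNTS[dst]["balance"] += amount
    return "ok"

def transfer_hardened(session: dict, params: dict) -> str:
    """After: request token, account ownership and amount rules are all checked."""
    expected = csrf_token(session["id"]).encode()
    if not hmac.compare_digest(params.get("csrf", "").encode(), expected):
        return "rejected: missing or invalid request token"
    src, dst = ACCOUNTS.get(params.get("from")), ACCOUNTS.get(params.get("to"))
    if src is None or dst is None or src is dst:
        return "rejected: unknown account"
    if src["owner"] != session["user"]:
        return "rejected: source account not owned by session user"
    try:
        amount = int(params.get("amount", ""))
    except ValueError:
        return "rejected: bad amount"
    if amount <= 0 or amount > src["balance"]:
        return "rejected: amount outside allowed range"
    src["balance"] -= amount
    dst["balance"] += amount
    return "ok"
```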

Business logic flaws are equally a product of faulty logic and of inherited vulnerability. The code defines the functional logic to be implemented in the web application. This falls under the BLL, i.e. the business logic layer. This layer defines the rules and calculations of the functional modules in web applications. It is considered an engineering practice.

The BLL consists of the business processes, business entities and business objects required to specify the business needs. The same procedure has to be carried from the theoretical environment to the application rule set, i.e. the structure of the web application. Business logic rules and constructs are piled on top of each other in a never-ending string of complex CASE and IF statements.

The application works primarily on ingrained logic until the answer is obtained at the end, and the rules are updated regularly based on business needs. Should the rules change, the application is sent back to the developers for updating, which leads to application downtime and reduces the efficiency of the organisation. The cost to the organisation in downtime and IT payroll can be enormous. Faulty logic can be devastating in terms of money and cost structure.

Another ingrained insecurity is that these flaws cannot be prevented by infrastructure-level security. This includes intrusion detection systems, firewalls and intrusion prevention systems. These security devices cannot detect the intrinsic weaknesses present in a web application as a result of its applied logic. Even vulnerability scanners cannot trace logic flaws. This is a real difficulty, because the core security devices fail to catch the culprit.

The business application should be modelled in such a way that it performs the same set of tasks as a knowledge-driven human being would. This makes the ingrained logic effective. The knowledge objects used in the business process of designing ebusiness websites should have business rules and business logic defined in an appropriate manner.

Software pushes the boundaries of completing tasks with a speed and accuracy that humans cannot match. It is a business need to have a standard methodology for business logic storage and retrieval, which encapsulates the parameters of a robust business. Business logic presents a huge and challenging problem, and the vulnerabilities in the application are the result of insecure logic and development. The real picture emerges during the implementation stage, when testing is performed.

Insecurities can be introduced in the application design phase of the SDLC, but there is no generic and reasonable approach to identify them. Developers are dependent on application testers to spot the vulnerabilities that persist in the software or application, and secure coding is one of the most important aspects of application development.

While designing business applications, the logic has to be structured accurately. If the logic goes wrong, the application becomes vulnerable to logic flaws, which cannot be circumvented through secure coding. Logic is considered the core, and if any parameter is constructed wrongly, the business is on the verge of severe loss.

With money-minded hackers posing increasing threats to websites, secure steps should be taken to mitigate risks. Secure coding plays a crucial role in combating attacks on business logic. There is no doubt that the quality assurance process does not cover the full scope of security in business-driven web applications.

The magic button is a good technique for combating flaws in business logic because an anti-pattern is generated and logic is defined on the user interface of the web application. Privacy should be left intact and no disclosure should be allowed through the web application. Looking at the overall perspective, business process modeling is good practice in the pre-development phase of an application.

Automated tests against the defined business logic, checking the consistency of the web application through fuzzing, really harden the functionality and make the application robust.
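One way to run such automated tests, as an added example that is not from the original article: random orders are fed to a pricing function and every accepted order is checked against the business rules rather than against the code's own expectations. The catalogue, coupon codes, quantity limit and the 50% discount ceiling are assumptions.

```python
import random

PRICES = {"book": 1200, "pen": 150}    # cents; constructed catalogue
COUPONS = {"SAVE10": 10, "HALF": 50}   # percent off; constructed codes
MAX_QTY = 20                           # assumed per-line quantity limit

def subtotal(items):
    return sum(PRICES[name] * qty for name, qty in items)

def total_as_coded(items, coupons):
    """Does what it was written to do: price the lines, apply each coupon sent."""
    sub = subtotal(items)
    return sub - sum(sub * COUPONS.get(code, 0) // 100 for code in coupons)

def total_with_rules(items, coupons):
    """Same calculation with the business rules enforced."""
    if any(not 1 <= qty <= MAX_QTY for _, qty in items):
        raise ValueError("quantity out of range")
    sub = subtotal(items)
    best = max((COUPONS.get(code, 0) for code in coupons), default=0)
    return sub - sub * best // 100     # one coupon per order, the best one

def violates_rules(items, total):
    """Business invariants for any order the application accepts."""
    bad_qty = any(not 1 <= qty <= MAX_QTY for _, qty in items)
    return bad_qty or total < 0 or total < subtotal(items) // 2

def fuzz(total_fn, rounds=2000, seed=1):
    """Feed random orders to total_fn; return accepted orders that break a rule."""
    rng = random.Random(seed)
    names, codes = list(PRICES), list(COUPONS) + ["BOGUS"]
    failures = []
    for _ in range(rounds):
        items = [(rng.choice(names), rng.randint(-3, 25))
                 for _ in range(rng.randint(1, 3))]
        coupons = [rng.choice(codes) for _ in range(rng.randint(0, 3))]
        try:
            total = total_fn(items, coupons)
        except ValueError:
            continue                   # rejecting the order is acceptable
        if violates_rules(items, total):
            failures.append((items, coupons, total))
    return failures
```

Running `fuzz(total_as_coded)` returns the orders that were priced without error yet break a rule, while `fuzz(total_with_rules)` returns an empty list.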

Basically, you need to make your business logic as simple as you can, because simplicity has a complexity of its own. Finally, I would like to say that the business logic flaw is the hidden dark horse of website insecurity. The aim is to stop this dark horse from running hard towards its final destination, which is ebusiness loss.

Aditya K Sood, SecNiche Security http://www.secniche.org

January 2009