
Requesting Clarifying Definition in the Business Logic Section Header

Open craig-shony opened this issue 1 year ago • 4 comments

I think Section 11: Business Logic could use a basic definition. I'll include a first iteration: In the context of application security, business logic refers to how security controls protect business rules from being bypassed or abused.

craig-shony avatar Feb 12 '24 19:02 craig-shony

Good idea. Here is my first cut of a definition:

Business logic in application security refers to the customized rules and processes that safeguard an application in accordance with its specific requirements or the needs of the business it serves. These rules dictate various aspects such as user interactions, data handling, and system behavior, tailored to suit the unique characteristics of each application, business, or industry.

Some examples of business logic vulnerabilities:

Business Rule: Products should only be provided to customers after their transactions are successfully verified to prevent loss due to fraud or non-payment. Vulnerability: If an attacker can manipulate the application to deliver a product before the purchase is verified, there's a risk of providing goods without receiving payment, leading to financial losses for the business.

Business Rule: High-value transactions above a certain threshold should be manually reviewed to ensure accuracy, legitimacy, and compliance with business policies. Vulnerability: If an attacker can manipulate the application to skip the review process for high-value transactions, then fraudulent or erroneous transactions may go unnoticed, increasing the risk of financial losses or compliance violations.

jmanico avatar May 05 '24 12:05 jmanico

There are some things to keep in mind:

  • We have a goal to reduce chapter texts as much as possible
    • See https://github.com/OWASP/ASVS/wiki/Roadmap-to-version-5.0#streamlined-document
  • The same style must be used throughout the document. If one paragraph contains some extra and educative text, it is expected from other paragraphs as well.

For all extra texts there must exist clear goals - why it exists, what (potential) confusion it eliminates, or what (potential) problem it solves.

elarlang avatar May 05 '24 13:05 elarlang

@elarlang I believe the added text makes sense and is not too long. I agree that before the draft we will need to decide how much text we want there and ensure there is consistency.

tghosth avatar May 19 '24 06:05 tghosth

I like @jmanico's first cut definition and examples. Examples for this are something very useful to reinforce the definition. This seems good to me.

csfreak92 avatar Sep 24 '24 05:09 csfreak92

For https://github.com/OWASP/ASVS/blob/master/5.0/en/0x19-V11-BusLogic.md

@elarlang in the interest of reducing section text, would you like to reduce the intro text and only leave the control objective section (and delete the rest)?

Control Objective

Ensure that a verified application satisfies the following high-level requirements:

  • The business logic flow is sequential, processed in order, and cannot be bypassed.
  • Business logic includes limits and controls to detect and prevent automated attacks, such as continuous small funds transfers and adding a million friends one at a time.
  • High-value business logic flows have considered abuse cases and malicious actors, and have protections against spoofing, tampering, information disclosure, and elevation of privilege attacks.

jmanico avatar Nov 19 '24 20:11 jmanico
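The two example vulnerabilities earlier in this thread (fulfilling an order before payment is verified; skipping manual review for high-value transactions) and the control objectives quoted above (sequential, non-bypassable flow; limits against repeated small transfers) can be shown as one server-side state machine. The block below is an added example for this page, not code from ASVS or from any commenter; the state names, the review threshold, the rate-limit parameters and the sample orders are all assumptions made for illustration.

```python
"""Enforcing business rules as an explicit, server-side order state machine.

Added example, not ASVS project code. The threshold, limits and sample
orders below are assumed values chosen for illustration.
"""
from collections import deque
from dataclasses import dataclass
from enum import Enum, auto
from typing import Deque, Dict, List, Optional


class State(Enum):
    CREATED = auto()
    PAYMENT_VERIFIED = auto()
    UNDER_REVIEW = auto()   # high-value orders wait here for a human reviewer
    APPROVED = auto()
    FULFILLED = auto()


# Allow-list of legal transitions; anything else is a bypass attempt.
TRANSITIONS = {
    State.CREATED: {State.PAYMENT_VERIFIED},
    State.PAYMENT_VERIFIED: {State.UNDER_REVIEW, State.APPROVED},
    State.UNDER_REVIEW: {State.APPROVED},
    State.APPROVED: {State.FULFILLED},
    State.FULFILLED: set(),
}

REVIEW_THRESHOLD = 10_000  # assumed: amounts above this need manual review


class BusinessRuleViolation(Exception):
    """Raised when a caller tries to skip or reorder a step."""


@dataclass
class Order:
    order_id: str
    amount: int
    state: State = State.CREATED

    def _move(self, new_state: State) -> None:
        # The server, not the client, decides which step comes next.
        if new_state not in TRANSITIONS[self.state]:
            raise BusinessRuleViolation(
                f"{self.order_id}: {self.state.name} -> {new_state.name} not allowed")
        self.state = new_state

    def verify_payment(self, payment_ok: bool) -> None:
        if not payment_ok:
            raise BusinessRuleViolation(f"{self.order_id}: payment not verified")
        self._move(State.PAYMENT_VERIFIED)
        # Routing to review is derived from the amount; the client cannot opt out.
        self._move(State.UNDER_REVIEW if self.amount > REVIEW_THRESHOLD else State.APPROVED)

    def approve_review(self, reviewer: str) -> None:
        self._move(State.APPROVED)

    def fulfil(self) -> None:
        # Only reachable from APPROVED, i.e. after payment (and review if required).
        self._move(State.FULFILLED)


class TransferRateLimiter:
    """Sliding-window counter per account, to catch repeated small transfers."""

    def __init__(self, max_events: int, window_seconds: float):
        self.max_events, self.window = max_events, window_seconds
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, account: str, now: float) -> bool:
        q = self._events.setdefault(account, deque())
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def demo() -> dict:
    """Runs the rules against constructed sample orders and returns the outcomes."""
    results: Dict[str, object] = {}
    o1 = Order("ord-1", amount=50)            # constructed low-value order
    try:                                      # 1. fulfil before payment: refused
        o1.fulfil()
        results["skip_payment"] = "fulfilled"
    except BusinessRuleViolation:
        results["skip_payment"] = "blocked"
    o1.verify_payment(payment_ok=True)        # 2. normal path goes straight through
    o1.fulfil()
    results["low_value"] = o1.state.name
    o2 = Order("ord-2", amount=25_000)        # constructed high-value order
    o2.verify_payment(payment_ok=True)        # 3. parked for review
    results["high_value_state"] = o2.state.name
    try:                                      #    fulfil before review: refused
        o2.fulfil()
        results["skip_review"] = "fulfilled"
    except BusinessRuleViolation:
        results["skip_review"] = "blocked"
    o2.approve_review("analyst-1")
    o2.fulfil()
    results["high_value_final"] = o2.state.name
    limiter = TransferRateLimiter(max_events=3, window_seconds=60)
    results["transfers"] = [limiter.allow("acct-9", now=t) for t in (0, 1, 2, 3, 70)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the allow-list is that the order of steps is a property of the server-side state, so no request parameter can jump an order from CREATED to FULFILLED or route a high-value order around UNDER_REVIEW; the rate limiter is the kind of "limit and control" the control objective asks for, and its verdicts are what a detection rule would alert on.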

For me it makes sense and is enough (as written here: https://github.com/OWASP/ASVS/issues/1869#issuecomment-2094801760), but there are other opinions supporting the longer version. Especially for now, the current (long) version does not feel aligned with the rest of the document.

elarlang avatar Nov 20 '24 15:11 elarlang

I agree to move to the shorter version so we are more in line with the rest of the document. If you give me the go, Elar, I'll do a PR.

jmanico avatar Nov 23 '24 20:11 jmanico

As I said before, for me it is ok; it was more a question for others who liked the longer version.

elarlang avatar Nov 24 '24 01:11 elarlang

If it's ok with you, then I'll just go to PR.

jmanico avatar Nov 29 '24 16:11 jmanico

Feels like we're in a loop already :) How many confirmations do you need? Go for the PR :)

elarlang avatar Nov 29 '24 16:11 elarlang