6. Business flow bypass
Applications include multi-step flows that are controlled by redirects and page transfers. In many cases, such a flow can be bypassed, which can produce an error condition or information leakage that helps an attacker identify critical backend information. It's necessary to test whether business functionality and parameters can be tampered with through a proxy.
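The defence the item implies is that the server, not the client, records which steps have been completed. The following is an added example (not code from the article or from NT OBJECTives) of a checkout flow enforced as a server-side state machine: a request for a later step is refused unless every earlier step has actually been served. The step names, `CheckoutSession`, `walk_flow` and the flow order are constructed for the example.

```python
# Added example: server-side enforcement of a multi-step business flow.
# The client's own claim of progress (hidden field, Referer, query parameter)
# is never consulted; only the server's record decides what may be rendered.
from dataclasses import dataclass, field

# Constructed flow: each step requires all earlier steps to be complete.
STEP_ORDER = ["cart", "shipping", "payment", "confirm"]


class FlowViolation(Exception):
    """Raised when a step is requested before its prerequisites are done."""


@dataclass
class CheckoutSession:
    completed: list = field(default_factory=list)  # steps served, in order

    def request_step(self, step: str) -> str:
        """Serve `step` only if the server has already served every step before it."""
        if step not in STEP_ORDER:
            raise FlowViolation(f"unknown step {step!r}")
        if step in self.completed:
            # Going back to an earlier step is legitimate; later progress is
            # discarded so changed data (a new address, say) is re-validated.
            self.completed = self.completed[: self.completed.index(step) + 1]
            return f"rendered {step}"
        expected_done = STEP_ORDER[: STEP_ORDER.index(step)]
        if self.completed != expected_done:
            raise FlowViolation(
                f"step {step!r} requested but only {self.completed} completed"
            )
        self.completed.append(step)
        return f"rendered {step}"

    def is_complete(self) -> bool:
        return self.completed == STEP_ORDER


def walk_flow(requested: list) -> tuple:
    """Replay a sequence of step requests; return (served, rejected) lists.

    This is the check a tester would script: replay the flow with steps
    skipped or reordered and confirm the server refuses the out-of-order ones.
    """
    session = CheckoutSession()
    served, rejected = [], []
    for step in requested:
        try:
            session.request_step(step)
            served.append(step)
        except FlowViolation:
            rejected.append(step)
    return served, rejected


if __name__ == "__main__":
    print(walk_flow(["cart", "payment"]))      # payment skipped shipping: rejected
    print(walk_flow(STEP_ORDER))               # in order: everything served
```

The point of `walk_flow` is that it exercises the same bypass a proxy-based test would attempt (jumping straight to `payment` or `confirm`) and shows the server's answer, so it doubles as a regression test for the flow.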
8. Identity or profile extraction
In authenticated applications the user's identity is a critical parameter, maintained using session tokens or other forms of token. Attackers can identify these token parameters in poorly designed and developed applications, opening up the potential for abuse and systemwide exploitation. The token may be no more than a sequential number or a guessable username. To test for this, it's necessary to look for parameters that control profiles; if it's possible to decipher, guess or reverse engineer tokens, the game is all but finished.
9. File or unauthorized URL access and business information extraction
Business applications contain critical information in their features, in the files that are exported and in the export functionality itself. Users can export their data in a selected file format (PDF, XLS or CSV) and download it. If this functionality is carelessly implemented, it can enable asset leakage. To test for this, it's necessary to identify calls that take parameter names like file, doc and dir, which point to possible unauthorized file-access vulnerabilities; a good follow-up test is basic brute force or guesswork to see whether another user's files can be fetched from the server.
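Items 8 and 9 share one root cause: the server decides who the caller is, and what they may fetch, from values the caller can guess or tamper with. The following is an added example (not code from the article or from NT OBJECTives) of an export-download handler that takes identity from an unguessable server-side session token and checks ownership of the requested `file` parameter before serving it; a sequential-token store is included only as the contrast case the article describes. `WeakSessionStore`, `SessionStore`, `download_export`, the export inventory and the user names are all constructed for the example.

```python
# Added example: identity from an unguessable session token plus ownership and
# shape checks on a user-supplied `file` parameter.
import secrets
from pathlib import PurePosixPath


class WeakSessionStore:
    """Contrast case: sequential tokens, enumerable by anyone who sees one."""

    def __init__(self):
        self._next = 1000
        self._sessions = {}

    def login(self, user_id: str) -> str:
        token = str(self._next)
        self._next += 1
        self._sessions[token] = user_id
        return token

    def user_for(self, token: str):
        return self._sessions.get(token)


class SessionStore:
    """Hardened: 256-bit tokens from the OS CSPRNG; the user id never leaves the server."""

    def __init__(self):
        self._sessions = {}

    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def user_for(self, token: str):
        return self._sessions.get(token)


# Constructed export inventory: file name -> owning user id.
EXPORTS = {
    "report-2024.pdf": "alice",
    "ledger.csv": "bob",
}
ALLOWED_SUFFIXES = {".pdf", ".xls", ".csv"}


class AccessDenied(Exception):
    pass


def download_export(store, token: str, file_param: str) -> str:
    """Serve `file_param` only if it is a bare export name owned by the caller."""
    user = store.user_for(token)
    if user is None:
        raise AccessDenied("no valid session")
    name = PurePosixPath(file_param)
    # Reject traversal, nested paths and unexpected extensions before any lookup.
    if name.name != file_param or name.suffix not in ALLOWED_SUFFIXES:
        raise AccessDenied("malformed file name")
    # Ownership comes from the server-side record, never from a user id in the
    # request. A missing file and another user's file get the same answer so
    # that differing errors cannot be used to enumerate names.
    if EXPORTS.get(file_param) != user:
        raise AccessDenied("not found")
    return f"serving {file_param} to {user}"


if __name__ == "__main__":
    store = SessionStore()
    alice = store.login("alice")
    print(download_export(store, alice, "report-2024.pdf"))
    for bad in ("ledger.csv", "../report-2024.pdf", "missing.csv"):
        try:
            download_export(store, alice, bad)
        except AccessDenied as exc:
            print(bad, "->", exc)
```

Note that the lookup is against a fixed inventory keyed by name; the handler never concatenates `file_param` onto a directory path, which is what turns a guessable `file=` value into an arbitrary read.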
10. Denial of service (DoS) with business logic
Denial-of-service vulnerabilities in business applications pose serious issues because, if exploited, the application can be brought down for a length of time or at a critical juncture. Sometimes attackers can identify a loophole and try to exploit it during a DoS condition. At the application layer there is no universal DoS attack comparable to TCP flooding at the network layer, but in some cases infinite loops implemented in application logic can lead to a DoS condition. It's important to test applications against a threat model and provide defense at the application layer.
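The "infinite loop in application logic" case usually comes from code that follows links in data it assumes is well-formed. The following is an added example (not code from the article or from NT OBJECTives) of a breadcrumb builder that walks parent-category links: the naive version hangs the request thread as soon as a record cycle exists, while the hardened version detects the cycle, caps the walk and degrades gracefully. The category table, `MAX_DEPTH`, and the function names are constructed for the example.

```python
# Added example: a linked-record walk with and without a termination bound.

# Constructed catalogue: category id -> parent id (None at the root). The
# "sale"/"clearance" pair references each other, the kind of data error an
# import script or an editable admin form can introduce.
CATEGORIES = {
    "laptops": "computers",
    "computers": "electronics",
    "electronics": None,
    "sale": "clearance",
    "clearance": "sale",
}

MAX_DEPTH = 32  # generous for any real hierarchy, negligible compared with a hang


class BreadcrumbError(Exception):
    """Raised when a category chain is cyclic or deeper than MAX_DEPTH."""


def breadcrumbs_unbounded(category: str) -> list:
    """Naive version: follows parent links until None. Never returns on a cycle."""
    trail = []
    while category is not None:
        trail.append(category)
        category = CATEGORIES.get(category)
    return list(reversed(trail))


def breadcrumbs_bounded(category: str) -> list:
    """Hardened version: every hop is checked against the nodes already seen,
    and the walk is capped so a bad record costs bounded work, not a thread."""
    trail, seen = [], set()
    while category is not None:
        if category in seen:
            raise BreadcrumbError(f"cycle at {category!r}")
        if len(trail) >= MAX_DEPTH:
            raise BreadcrumbError("category chain too deep")
        seen.add(category)
        trail.append(category)
        category = CATEGORIES.get(category)
    return list(reversed(trail))


def safe_breadcrumbs(category: str) -> list:
    """Request-handler wrapper: on a bad chain, render a one-level trail rather
    than failing the page, and reveal nothing about the internal structure."""
    try:
        return breadcrumbs_bounded(category)
    except BreadcrumbError:
        return [category]


if __name__ == "__main__":
    print(breadcrumbs_unbounded("laptops"))  # fine on well-formed data
    print(safe_breadcrumbs("laptops"))
    print(safe_breadcrumbs("sale"))          # cycle handled, request completes
```

The same two guards (a seen-set and a hop limit) apply to any walk driven by data a user or an import can influence: redirect chains, coupon stacking rules, group membership trees. The threat model the article calls for is what tells you which of those walks are reachable from an unauthenticated request.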
In its report on the "Top 10 Business Logic Attack Vectors," NT OBJECTives says identifying business-logic flaws in custom-designed Web applications is not just a matter of automated scan testing but also a manual review of the application security and logic with "human intelligence."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.