No Exploit Required: How Attackers Exploit Business Logic Flaws

Published: 22/11/2024   Category: security




NT Objectives lists the main vectors of attack that exploit not bugs, but weaknesses in an application



Cyberattacks don't always rely on exploiting vulnerabilities: sometimes they prey on weaknesses in the business processes of an application, the so-called business-logic flaws.
Web application security software vendor and security-as-a-service provider NT Objectives today released a list of the top 10 business logic attack vectors. A business logic flaw, for example, would entail using a simple script to manipulate the results of an online poll, or a shopping cart app with logic errors that allow attackers to bypass authentication and not actually pay for items.
Dan Kuykendall, co-CEO and CTO of NT Objectives, says most Web application security tests can be automated, but testing for business logic flaws must be performed manually in a penetration test. He says his firm has witnessed several breaches that have used a business logic flaw to hack an organization.
"I don't think there is enough awareness of these flaws and attacks," Kuykendall says. "The accessibility of Web applications tends to make it a little easier to monitor the traffic and to try to exploit them via these flaws," he says.
The top 10 includes authentication flags and privilege escalations; critical parameter manipulation and access to unauthorized information/content; developer's cookie-tampering and business process/logic bypass; LDAP parameter identification and critical infrastructure access; business constraint exploitation; business flow bypass; exploiting client-side business routines embedded in JavaScript, Flash, or Silverlight; identity or profile extraction; file or unauthorized URL access and business information extraction; and denial of service (DoS) with business logic.
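The shopping-cart case from the examples above and the "critical parameter manipulation" and "business constraint exploitation" vectors in the list, as an added illustration (not code from the article or from NT Objectives): a checkout that trusts client-supplied prices and quantities, beside a hardened version that recomputes the charge from a server-side catalogue and enforces quantity limits. The catalogue, SKUs and sample orders are constructed.

```python
"""Added example: a shopping-cart checkout with a business-logic flaw (it trusts
client-supplied prices and quantities) beside a hardened version that recomputes
the charge server-side. SKUs, prices and orders are constructed sample data."""

# Server-side catalogue (constructed): the only authoritative price source, in cents.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}
MAX_QTY_PER_LINE = 100


class OrderRejected(ValueError):
    """Raised when an order violates a business constraint."""


def checkout_vulnerable(order: dict) -> int:
    """Charges whatever price and quantity the client sent. Nothing is validated,
    so a tampered price or a negative quantity goes straight into the total."""
    return sum(line["price"] * line["qty"] for line in order["lines"])


def checkout_hardened(order: dict) -> int:
    """Recomputes the charge from server-side data and enforces the business rules."""
    if not order.get("lines"):
        raise OrderRejected("empty order")
    total = 0
    for line in order["lines"]:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise OrderRejected(f"unknown sku {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int, so it must be excluded explicitly
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise OrderRejected(f"quantity for {sku} is not an integer: {qty!r}")
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise OrderRejected(f"quantity for {sku} out of range: {qty}")
        total += CATALOGUE[sku] * qty  # client-supplied "price" is ignored
    return total


def compare(order: dict) -> tuple:
    """Returns (vulnerable_total, hardened_total or None, rejection reason or None)."""
    try:
        return checkout_vulnerable(order), checkout_hardened(order), None
    except OrderRejected as exc:
        return checkout_vulnerable(order), None, str(exc)


# Constructed orders: one honest, two tampered in the request body before submission.
HONEST = {"lines": [{"sku": "sku-100", "price": 1999, "qty": 1},
                    {"sku": "sku-200", "price": 4999, "qty": 2}]}
PRICE_TAMPERED = {"lines": [{"sku": "sku-200", "price": 1, "qty": 1}]}
NEGATIVE_QTY = {"lines": [{"sku": "sku-200", "price": 4999, "qty": 1},
                          {"sku": "sku-100", "price": 1999, "qty": -2}]}
```

Running `compare` on the three orders shows the vulnerable checkout accepting a 1-cent charge and a negative-quantity refund, while the hardened one either recomputes the correct total or rejects the order with a reason that can be logged for detection.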
NT Objectives' "Top 10 Business Logic Attack Vectors" report is available for download. "Business logic flaws are difficult to identify and discover. These flaws are unique to each application and must be discovered by manual testing. This paper is intended as a starting point to assist penetration testers with looking for these flaws as a part of their security reviews," according to the NT Objectives report.