Business Logic Errors

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Weaknesses

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be...

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Improper Enforcement of a Single, Unique Action

The software requires that an actor should only be able to perform an action once, or to have only one unique action, but the software does not enforce or improperly e...

Improper Enforcement of Behavioral Workflow

The software supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in...

Incorrect Ownership Assignment

The software assigns an owner to a resource, but the owner is outside of the intended control sphere.

Premature Release of Resource During Expected Lifetime

The program releases a resource that is still intended to be used by the program itself or another actor.

Unverified Ownership

The software does not properly verify that a critical resource is owned by the proper entity.

Weak Password Recovery Mechanism for Forgotten Password

The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Concepts

Software Development

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.