OWASP / API-Security

OWASP API Security Project
https://owasp.org/www-project-api-security/

Business Logic Flaws #90

Closed rahulk22 closed 1 year ago

rahulk22 commented 1 year ago

APIs are getting targeted by hackers around their business logic. I can count many cases like USPS, Venmo, Coinbase and Instagram etc. The nature of these breaches is such that the attackers were able to exploit the loopholes in the logic flaws in the underlying code. Such attacks don't usually involve injection type attacks, SSRF etc.

ynvb commented 1 year ago

Good point @rahulk22 - I think the closest category to this at the moment would be API-8. Perhaps it would be wise to re-review this category and try and include such (obviously very prevalent) attack types in them.

securitylevelup commented 1 year ago

I agree with this as I have seen a similar focus on these types of business logic attacks. That said, it will be hard to classify this; giving proper examples might be the best fit in one of the existing categories like API10:2023.

inonshk commented 1 year ago

Please provide specific examples of what you consider as “business logic flaws”.

planetlevel commented 1 year ago

Most "business logic flaws" tend to fall into one of the access control categories that are already in the list. Of course, any weakness in the implementation of policies unique to that business would qualify. Like "no trades > $1000" or "only allowed on Tuesday" or "one coupon per customer." Even something like "you must do A before B" can be business logic. The problem with making it a T10 category is that it's hard to draw a line around these.

ynvb commented 1 year ago

@inonshk - Here is a real-world example (it really happened. I will not disclose anything else here :) :

A random guy wants to buy cheap airline tickets. He chooses his flight and orders most of the seats on this flight, with a cancellation fee (small one). Closer to the flight date, he cancels all the tickets. This forces the airline into discounting the ticket price so they can make sure the flight is as full as possible. A random guy pays cancellation fees and buys cheap flight tickets - and at the end of the day, gets a very nice discount from the original price.

This is a business logic attack - but it involves no automatic actions whatsoever. Everything is done manually, yet it still follows the description of this category very well (other than the automation part of course).

My point is - I think this category should be called "Business Logic Attacks", and I also think that "automatic" attacks play a big part in it, but not an exclusive one.

(*) The information is provided for educational purposes only :) Please do not try this at home...
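As an added illustration of the seat-hoarding scenario described in the comment above (this code is not part of the issue thread and not from the OWASP project), here is a defender-side sketch of both controls an airline could apply: a per-account holding cap enforced at booking time, and an after-the-fact detector that flags accounts which held a large share of a flight and then cancelled most of it. The capacity, thresholds and event timeline are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    account: str
    flight: str
    action: str   # "book" or "cancel"
    seats: int
    day: int      # constructed timeline: days since sales opened

# Constructed sample data: account a1 hoards most of flight XY100, then cancels.
CAPACITY = {"XY100": 180}
EVENTS = [
    Event("a1", "XY100", "book", 100, 1),
    Event("b2", "XY100", "book", 2, 3),
    Event("a1", "XY100", "book", 50, 4),
    Event("a1", "XY100", "cancel", 140, 25),
]

def booking_allowed(held, requested, capacity, max_share=0.10):
    """Preventive control: one account may hold at most max_share of a flight."""
    return held + requested <= max_share * capacity

def find_hoarding_accounts(events, capacity, share=0.5, cancel_share=0.8):
    """Detective control: flag (account, flight) pairs whose peak holding reached
    `share` of capacity and which later cancelled `cancel_share` of that peak."""
    held = defaultdict(int)
    peak = defaultdict(int)
    cancelled = defaultdict(int)
    for e in sorted(events, key=lambda e: e.day):
        key = (e.account, e.flight)
        if e.action == "book":
            held[key] += e.seats
            peak[key] = max(peak[key], held[key])
        elif e.action == "cancel":
            n = min(e.seats, held[key])   # cannot cancel more than is held
            held[key] -= n
            cancelled[key] += n
    flagged = []
    for (acct, flight), p in peak.items():
        if p >= share * capacity[flight] and cancelled[(acct, flight)] >= cancel_share * p:
            flagged.append({"account": acct, "flight": flight,
                            "peak_seats": p, "cancelled": cancelled[(acct, flight)]})
    return flagged

if __name__ == "__main__":
    print(booking_allowed(0, 100, CAPACITY["XY100"]))   # the first hoarding order is refused
    print(find_hoarding_accounts(EVENTS, CAPACITY))
```

The preventive cap is what actually stops the scheme; the detector is useful for tuning that cap and for reviewing flights where the cap was set too generously.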