CWE-841 Detail

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.

By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the product or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses.

For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the product might still perform the transfer.

Note that this is different than CWE-696, which focuses on when the product performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence.

Workflow-related behaviors include:

• Steps are performed in the expected order.
• Required steps are not omitted.
• Steps are not interrupted.
• Steps are performed in a timely fashion.

Modes Of Introduction

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Common Consequences

Observed Examples

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses.

The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles.

Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.

References

REF-795

Business Logic Flaws and Yahoo Games
Jeremiah Grossman.
https://blog.jeremiahgrossman.com/2006/12/business-logic-flaws.html

REF-796

Seven Business Logic Flaws That Put Your Website At Risk
Jeremiah Grossman.
https://docplayer.net/10021793-Seven-business-logic-flaws-that-put-your-website-at-risk.html

REF-797

Business Logic Flaws
WhiteHat Security.
https://web.archive.org/web/20080720171327/http://www.whitehatsec.com/home/solutions/BL_auction.html

REF-806

Insufficient Process Validation
WASC.
http://projects.webappsec.org/w/page/13246943/Insufficient-Process-Validation

REF-799

Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic
Rafal Los, Prajakta Jagdale.
https://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation

REF-667

Real-Life Example of a 'Business Logic Defect' (Screen Shots!)
Rafal Los.
http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581

REF-801

Toward Automated Detection of Logic Vulnerabilities in Web Applications
Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, Giovanni Vigna.
https://www.usenix.org/legacy/events/sec10/tech/full_papers/Felmetsger.pdf

REF-802

Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems
Faisal Nabi.
http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf

Submission

Modifications