Chapter 18. Business Logic Vulnerabilities

In the previous chapters, we discussed a number of common vulnerabilities that affect most web applications. These vulnerabilities were easily categorized using terms like injection or denial of service. The aforementioned vulnerabilities almost always took on a consistent shape, which made them easy to define categorically. This also means that both offensive and defensive strategies for attacking or mitigating common vulnerabilities are relatively consistent across all affected applications.

Until now, we have studied archetypal web application vulnerabilities. But what happens when we encounter a vulnerability that is unique to a single application? Unique vulnerabilities most frequently occur as a result of an application implementing specific business logic rules. A hacker then learns ways to make use of those programmed rules and obtain unintended outcomes. In other words, the vulnerabilities we have studied up until now are vulnerabilities that may occur as a result of application logic but not because of business rules.

Application logic combines information and instructions in order to perform tasks common to web applications, like rendering an image or performing a network call. Business rules, on the other hand, are specific to the implementing business. An example of a business rule would be only allowing a passenger to cancel a reservation if the current time is greater than 24 hours prior to the booking time.

A vulnerability ...