Web Application Security, 2nd Edition

by Andrew Hoffman
January 2024
Intermediate to advanced
444 pages
11h 10m
English
O'Reilly Media, Inc.
Content preview from Web Application Security, 2nd Edition

Chapter 36. Mitigating Business Logic Vulnerabilities

In Chapter 18, we discussed the elusive business logic vulnerability. This is an advanced class of vulnerability that is not easily detected by automated scanners, and not easily found by penetration testing either.

Business logic vulnerabilities usually require deep knowledge of an application's business logic to find and exploit, and as such they are more difficult to attack than generic, pattern-matchable bugs. Fortunately, because that same engineering knowledge is what is needed to understand such vulnerabilities, defending against them is considerably easier than attacking them: the people who built the logic already know what it is supposed to do.

Provided your security team works closely with your engineering teams, you therefore have a real advantage when it comes to mitigating business logic vulnerabilities and protecting your application. This chapter discusses methods of preventing and mitigating business logic vulnerabilities.

Architecture-Level Mitigations

The most important step toward mitigating business logic vulnerabilities occurs in the architecture phase, before any application code is written. In traditional web application architecture, only the intended user and the intended use case are considered; how an unintended user might misuse the same functionality is not.

It is unfortunate that this is the case, as many other technical domains have long recognized the value of worst-case scenario design. Let's evaluate the following example demonstrating the benefits of worst-case design before discussing how we can use these principles to benefit our application's ...


ISBN: 9781098143923