From 914cbea26003f54ee16dd423fd537ebf4c9c0a7b Mon Sep 17 00:00:00 2001 From: Jim Manico Date: Thu, 13 Jun 2024 11:13:37 +0200 Subject: [PATCH] V11 rework (#1954, #1953) * Update 0x19-V11-BusLogic.md First attempt at a business logic rewrite for 5.0 * Update 0x19-V11-BusLogic.md addressing https://github.com/OWASP/ASVS/issues/1953 * tag fix * Minor wording change * Add documentation requirement --------- Co-authored-by: Elar Lang <47597707+elarlang@users.noreply.github.com> Co-authored-by: Josh Grossman --- 5.0/en/0x10-V1-Architecture.md | 1 + 5.0/en/0x19-V11-BusLogic.md | 28 +++++++++++++++++++++------- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/5.0/en/0x10-V1-Architecture.md b/5.0/en/0x10-V1-Architecture.md index 924dd65b59..91bcf57ae1 100644 --- a/5.0/en/0x10-V1-Architecture.md +++ b/5.0/en/0x10-V1-Architecture.md @@ -110,6 +110,7 @@ Architectural requirements are intrinsic to the entire code base, and thus diffi | **1.11.1** | Verify the definition and documentation of all application components in terms of the business or security functions they provide. | | ✓ | ✓ | 1059 | | **1.11.2** | [MODIFIED] Verify that all application flows including authentication, session management and access control, maintain a consistent application and user state to prevent race conditions and business logic flaws. | | ✓ | ✓ | 362 | | **1.11.3** | Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions. | | | ✓ | 367 | +| **1.11.4** | [ADDED] Verify that expectations for business logic limits and validations are clearly documented including both per-user and also globally across the application. | | ✓ | ✓ | | ## V1.12 Secure File Upload Architecture diff --git a/5.0/en/0x19-V11-BusLogic.md b/5.0/en/0x19-V11-BusLogic.md index c2f681c654..60b82ae3ed 100644 --- a/5.0/en/0x19-V11-BusLogic.md +++ b/5.0/en/0x19-V11-BusLogic.md 
@@ -1,5 +1,21 @@ # V11 Business Logic +## Definition + +Business logic in application security refers to the customized rules and processes that safeguard an application in accordance with its specific requirements or the needs of the business it serves. These rules dictate various aspects such as user interactions, data handling, and system behavior, tailored to suit the unique characteristics of each application, business, or industry. + +Some examples of business logic vulnerabilities: + +### Example 1 + +* Business Rule: Products should only be provided to customers after their transactions are successfully verified to prevent loss due to fraud or non-payment. +* Vulnerability: If an attacker can manipulate the application to deliver a product before the purchase is verified, there's a risk of providing goods without receiving payment, leading to financial losses for the business. + +### Example 2 + +* **Business Rule:** High-value transactions above a certain threshold should be manually reviewed to ensure accuracy, legitimacy, and compliance with business policies. +* **Vulnerability:** If an attacker can manipulate the application to skip the review process for high-value transactions, then fraudulent or erroneous transactions may go unnoticed, increasing the risk of financial losses or compliance violations. + ## Control Objective Ensure that a verified application satisfies the following high-level requirements: 
@@ -10,15 +26,15 @@ Ensure that a verified application satisfies the following high-level requiremen ## V11.1 Business Logic Security -Business logic security is so individual to every application that no one checklist will ever apply. Business logic security must be designed into the system to protect against likely external threats - it cannot be added using web application firewalls or secure communications. We recommend the use of threat modeling during design sprints, for example using the OWASP Cornucopia or similar tools. +Business logic security is so individual to every application that no one checklist will ever apply. Business logic security must be designed into the system to protect against likely external threats - it cannot be added using web application firewalls or secure communications. | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **11.1.1** | Verify that the application will only process business logic flows for the same user in sequential step order and without skipping steps. | ✓ | ✓ | ✓ | 841 | | **11.1.2** | [MOVED TO 11.2.1] | | | | | -| **11.1.3** | [MODIFIED] Verify that the application has appropriate limits defined on a per user basis for specific business actions or transactions. | ✓ | ✓ | ✓ | | +| **11.1.3** | [MODIFIED, MERGED FROM 11.1.5] Verify that business logic limits and validations are implemented as per the application's documentation. | ✓ | ✓ | ✓ | | | **11.1.4** | [MOVED TO 11.2.2] | | | | | -| **11.1.5** | [MODIFIED] Verify that the application has globally defined business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies. 
| ✓ | ✓ | ✓ | | +| **11.1.5** | [DELETED, MERGED TO 11.1.3]] | | | | | | **11.1.6** | [MODIFIED] Verify that the application uses synchronization and locking mechanisms for sensitive operations in order to keep internal data consistent, maintain user state, and prevent race conditions, such as 'time of check to time of use (TOCTOU)' vulnerabilities. | | ✓ | ✓ | 367 | | **11.1.7** | [MOVED TO 7.2.4] | | | | | | **11.1.8** | [MOVED TO 7.2.5] | | | | | @@ -35,7 +51,5 @@ Business logic security is so individual to every application that no one checkl For more information, see also: -* [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) -* Anti-automation can be achieved in many ways, including the use of [OWASP AppSensor](https://github.com/jtmelton/appsensor) and [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) -* [OWASP AppSensor](https://github.com/jtmelton/appsensor) can also help with Attack Detection and Response. -* [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) +* [OWASP Web Security Testing Guide 4.2: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README) +* Anti-automation can be achieved in many ways, including the use of the [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/)
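Review bot: the new row 1.11.4 in the V1.11 table leaves the CWE column empty while the neighbouring rows 1.11.1 to 1.11.3 each carry one; either assign a CWE or state in the PR why none applies. The wording "including both per-user and also globally across the application" is also redundant ("both ... and also"); consider "including both per-user limits and global limits across the application".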
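Review bot: in the added Definition section, Example 1 writes its labels as plain `Business Rule:` and `Vulnerability:` while Example 2 bolds them (`**Business Rule:**`, `**Vulnerability:**`); the two examples should use the same formatting. The opening sentence also defines business logic as rules that "safeguard an application", which conflates the business rules themselves with their protection; consider saying that business logic is the application-specific rules and processes, and that this chapter concerns verifying that they are enforced.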
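Review bot: the new 11.1.5 row has a stray closing bracket ("[DELETED, MERGED TO 11.1.3]]") and should read "[DELETED, MERGED TO 11.1.3]". More substantively, the merged 11.1.3 now verifies limits and validations "as per the application's documentation" and stays at L1, but the requirement that such documentation exists (1.11.4, added in this same patch) only starts at L2, so an L1 assessment has no documented expectation to verify against; either move 11.1.3 to L2 or mark 1.11.4 at L1 as well. The deleted 11.1.5 text and the deleted prose sentence were also the only places that said how limits should be derived (threat modeling or similar methodologies); if that guidance is meant to survive, carry it into 11.1.3 or 1.11.4.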
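Review bot: the updated WSTG link drops the `.html` suffix that the old URL had (`.../README` versus `.../README.html`); please confirm the v42 path resolves before merging. The hunk also removes the OWASP AppSensor and OWASP Cornucopia bullets without the commit message mentioning it; the Cornucopia removal matches the deleted prose sentence that recommended it, but the AppSensor bullet on attack detection and response is not tied to any other change in this patch, so either say why it goes or keep it.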