Testing for business logic

Business logic can have security flaws that allow a user to do something that isn't allowed by the business. For example, if there is a limit on reimbursement of $1000, could an attacker misuse the system to request more money than is allowed? Or perhaps you are supposed to do operations in a particular order, but an attacker could invoke them in a different order. Or can a user make a purchase for a negative amount of money? Frequently these business logic security checks simply are not there in the application.

Automated tools find it hard to understand context and hence its up to a person to perform these kind of tests.

Business limits and restriction
Consider the rules for the business function being provided by the application. Are there any limits or restrictions on people's behavior? Then consider whether the application enforces those rules. It's generally pretty easy to identify the test and analysis cases to verify the application if you're familiar with the business. If you are a third-party tester, then you're going to have to use your common sense and ask the business if different operations should be allowed by the application.

Example: Setting the quantity of a product on an ecommerce site as a negative number. which may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart.

Workflow flaws
Many flaws in application security pertain the workflow flaws. By navigating through an application in a certain way or revisiting pages out of synch can cause logical errors which may cause the application to do something its not meant to.

Example: A wizard application where one fills in forms and proceeds to the next step. One can not in any normal way (according to the developers) enter the wizard in the middle of the process. If one bookmarks a middle step (say step 4 of 7) and then continues with the other steps until completion or form submission, then revisits the middle step which was bookmarked this may "upset" the backend logic as it was developed with a weak state model

OWASP Testing Guide v2 Table of Contents [Category:Stub]