OWASP Periodic Table of Vulnerabilities - Abuse of Functionality

Return to Periodic Table Working View

Root Cause Summary
Abuse of functionality, sometimes referred to as business logic attacks involve the design and implementation for application functions and features. As functionality is added to applications thought must be given to how the function or feature can be manipulated to circumvent the business process.

Some examples include:
 * Cookie Manipulation
 * Predictive parameters
 * Process timing
 * Lack of Data verification
 * Premature approval
 * Lack of process verification

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
None

Custom Framework Solution
None

Custom Code Solution
All functions and features of the application should be evaluated and tested against Use and Abuse cases to discover/uncover ways that potential attackers can use the application’s own functionality to circumvent the intended business process logic.

Discussion / Controversy
Although there are some generic functionality to look for, uncovering abuse of functionality vulnerabilities can be difficult and is application specific since every application is different and each implements its functions and features differently. For this reason this type of testing is similar functional testing.