Test number of times a function can be used limits (OTG-BUSLOGIC-005)

Brief Description
Many of the problems that applications are solving require limits to the number of times a function can be used or action can be executed. Applications must be “smart enough” to not allow the user to exceed their limit on the use of these functions since in many cases each time the function is used the user may gain some type of benefit that must be accounted for to properly compensate the owner. For example: an ecommerce site may only allow a discount to be applied once, or some applications may be on a subscription plan an only allow users to download or upload three complete documents monthly.

Vulnerabilities related to the limits to the number of times a function can be used is unique in that this type of logic is application specific and misuse cases should be created that strive to exercise parts of the application of functions more that “allowed”.

Issue
Attackers may be able to circumvent the business logic and execute a function more times than “allowable” exploiting the application for personal gain.

Example
Suppose an ecommerce site allows users to take advantage of any one of many discounts on their total purchase and then proceed to checkout and tendering. What happens of the attacker navigates back to the discounts page after taking and applying the one “allowable” discount? Can they take advantage of another discount?

Testing Method
• Review the project documentation and use exploratory testing looking for functions or features in the application or system that should not be executed more that a single time during the business logic workflow.

• For each of the functions and features found that should only be executed a single time during the business logic workflow, develop abuse cases that may be allow a user to execute them multiple times. For example, can a user navigate back and forth through he pages multiple times executing a function that should only execute once?

Test Tools
None

Related Test Cases
4.4.4 Testing for Account Enumeration and Guessable User Account (OTG-IDENT-004)

4.4.7 Test Account Suspension/Resumption Process (OTG-IDENT-007)

4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)

4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004)

4.13.5 Test size of request limits (OTG-DOS-005)

Remediation
The application should have checks to ensure that the business logic is being followed and that if a function can only be executed a certain number of times, when the limit is reached the user can no longer execute the function. To prevent users from using a function over the appropriate number of times the application may use mechanisms such as cookies to keep count or through sessions not allowing users to access to execute the function additional times.