Cyber attacks are being committed more often by professionals, and are increasingly driven by financial motives. Researchers have discovered the increasing popularity of a certain class of attacks that target business logic. Business logic attacks are a set of legal application transactions that are used to carry out a malicious operation that is not part of normal business practices. For example, brute forcing coupon codes in an ecommerce application to receive multiple discounts. This presentation will provide a quick introduction to business logic attacks, their unique characteristics and the motivation behind their uptick. The session will suggest a classification method for these attacks from which attendees can draw a set of required mitigation capabilities. We will discuss capabilities required for detecting automated interaction with the application, different types of repetitions, flow tampering and even compromised credentials. We will also contemplate on the usage of mitigation techniques such as Captcha, introducing delays and more. Concluding this session we will bring up the claim that all these capabilities can be introduced in the form of a “virtual patch” using a web application firewall, rather than being exclusively fixed in application code.
Noa Bar-Yosef is a senior security researcher with the Imperva Application Defense Center. She conducts research on database and Web application vulnerabilities. Previously, she has held TA positions in courses on programming and network security at Tel Aviv University and Open University. She has also been a software engineer with educational software vendor Sunburst Technology. Bar-Yosef holds a Masters of Science degree (specializing in information security) from Tel-Aviv University, School of Computer Science and a Bachelors of Science degree from The Hebrew University, School of Computer Science. During her work in Imperva Noa has discovered multiple vulnerabilities in various commercial application and worked with software vendors on their resolutions. She also presented at a number of conferences including Infosec Canada (2008), SECRYPT 2007 (Spain)