Business logic abuse is the abuse of the legitimate business logic of a website or other function that allows interaction. Business logic abuse is usually perpetrated by bad actors to steal money, steal personally identifiable information, or exploit the system that supports the business logic in some way.
Contents |
Business logic abuse is a subtle form of abuse – often perpetrated on websites. Traditionally, bad actors have exploited websites by breaking into the security infrastructure of the website (the firewall or VPN). Other attacks involve finding errors in the software of the website to break into the website. Because websites and other software vendors have gotten better at hardening their security infrastructure and identifying software errors, online criminals have gotten more sophisticated in their attacks. In the next level of attack – attacking the business logic of the website – the bad guy uses the legitimate pages of the website to perpetrate his or her fraud.
Business logic abuse results from the perpetrator discovering a flaw in the business logic[1] and exploiting that for illicit gain.
Examples of business logic abuse range from obvious to subtle. The most obvious type of business logic abuse is password guessing. The password guesser uses a legitimate business flow of a website – the login flow – to steal website accounts. Another form of business logic abuse is the sending of spam emails through the contact function of social network sites.
There are also many examples of business logic abuse apparent in general internet fraud. In the usual automotive fraud scam, the bad guy posts a car for sale on an auction or other for sale site, even though they don't have the car. The "seller" then gets the buyer to pay for the car before the car is "shipped". The bad guy then has the money and doesn't ever send the car. In fact, they never have to own the car. Listing a car for sale on a website to defraud buyers uses the "for sale listing" service on auction or other for sale websites in a way it was not intended.
In pump and dump schemes, the bad guy uses a chat room to post information about a stock that raises the price of the stock. This is an illicit use of a legitimate website function - posting to chat rooms.
A more subtle form of business logic abuse is documented in a case of hackers who were able to use the Brazilian online logging permit function to issue illicit logging permits to more than a hundred logging companies.[2]
The abuse of business logic can result in a wide variety of gains to the perpetrators. Business logic abuse is used to steal money – by transferring it out of victims’ accounts, steal personal information – by scraping information off of websites, initiate offline fraud schemes like Nigerian 419 scams, etc.
The response to business logic abuse can be quite challenging for two reasons. First, detecting business logic abuse is difficult. The perpetrators using the same functionality used by legitimate users and therefore, their traffic is likely intermingled with real traffic. This can make the identification of these types of exploits problematic.
Second, since the criminal is using a legitimate flow on a website or other application, disabling that flow would result in a very poor experience for the website’s users. Finding an approach where legitimate users can access the business flow while limiting access to the bad actor is an especially tricky endeavor.