Logic flaws and the OWASP Top 10

This week the Open Web Application Security Project (OWASP) released the newest version of their list that is comprised of the top ten vulnerabilities that business-driven Web Applications face, but one expert reminds developers that there is another threat to consider as well – logic flaws.

Since 2003, the researchers and experts who are part of OWASP have watched and recorded the state of Web application security. Over the years they have explained and defined the types of problems that forward facing applications will need to contend with online to remain secure. For the most part, the OWASP Top 10 has driven secure code in one way or another, but that isn’t to say that Web Applications as a whole are completely secure because of it.

[View the 2010 OWASP Top 10 list here]

Qualys Security Researcher Mike Shema recently spoke to The Tech Herald and covered one WebAppSec flaw that is present to some degree in most of the entries on the OWASP Top 10 list, while at the same time only earns a passive mention.

Shema spoke to us about logic flaws, something that is an afterthought when you consider the attention given to Cross-Site Scripting (OWASP A2 2010), SQL Injection (OWASP A1 2010), or Cross-Site Request Forgery (OWASP A5 2010) attack vectors when discussing secure code.

Shema explained that the OWASP Top 10 is talking about risks and not vulnerabilities.
“If you’re just using the OWASP Top 10 to apply security to your website your doing it a disservice. The thing that’s important about OWASP Top 10 is it's telling people why WebApp Security is a problem and the way that Web Applications are being attacked. That’s a very good thing,” he told us.

OWASP has added and removed risks from their list several times over the years. It represents “a broad consensus about what the most critical web application security flaws are” and as a result needs updating from time to time to address changes to risks associated with new Web Application development standards and attack vectors.

For example, Security Misconfiguration (OWASP A6 2010) appeared in the 2004 version of the top ten, and it was dropped in 2007 before making its comeback. Also, Malicious File Execution (OWASP A3 2007) was dropped because the main culprit - poorly configured PHP applications - can benefit from improvements to the default PHP settings.

However, Shema noted, “It's still important for website owners to keep track of the OWASP Top 10 in order to understand how threats evolve. CRSF didn't appear on the list in 2004, but apps have been vulnerable to it since 2000 and earlier. It's just that CSRF attacks weren't well defined or widely understood before the list could be updated in 2007.”

Yet, when you consider the risks that made it into the OWASP Top 10 for 2010, there is another threat that can catch some websites off guard and leave them exposed to problems that can cost them money or embarrassment. That’s where logic flaws come into play.

“Logic flaws tend to be really hard to find because it’s very difficult to automatically look for them. So you need people, and people don’t scale very well across the hundreds of thousands or millions of websites that are out there. But the impact can still be heavy, and so a logic flaw can fall into some of [the OWASP top ten] categories, but it’s hard to figure out which one,” Shema said.

“So when I’m talking about logic flaws, it could be as simple as doing client-side validation of content.”

Consider Kurt Grutzmacher, a security professional who in 2007 used logic flaws to earn a free Platinum Pass to Macworld. The registration process used the browser to perform data input validation in order to lessen the server load and increase user experience.

The problem was that the priority codes needed to lower the Platinum Pass cost from almost $2,000 USD to nothing were encrypted in the source code of the site and included with a JavaScript that explained how they were processed. Grutzmacher used the visible JavaScript and the MD5 hashes to earn himself a fee spot in line to see Steve Jobs announce the iPhone. In 2008, Grutzmacher used the same trick to earn another free pass.

In 2009, a series of logic flaws in the code running the TIME 100 Poll allowed fans of 4Chan founder ‘moot’ (a.k.a Christopher Pool) to place him at the top of the list, with 16,794,368 votes. So troubled was the voting script, the people who helped rig the process were able to control results and leave behind the message seen below. At the end of the day, despite claims from TIME that they “did detect and extinguish several attempts to hack the vote” one person using an IPv6 address was able to bypass IP address and timed voting restrictions to send votes for moot at a rate of about 5,000 votes a minute.

“Obviously those examples don’t have direct financial impact on the website. It’s not compromising credit cards or anything like that. However, speaking in general you can still have old concepts of logic flaws in the checkout process,” Shema said.

“A logic flaw could simply be applying a checkout coupon several times, or depending on how a Web Application is tracking your product, the shipping rate for the product, and the shipping delivery time. You could possibly do some client-side tricks so that you’ve ordered a bunch of books and you’re getting overnight shipping, but paying the 3-5 day shipping rate.”

Essentially, Shema explained to us, logic flaws allow an attacker to play around with the assumptions that the website is making on the data that it’s receiving from the end user. Another thing is that a lot of these logic attacks don’t carry obvious markers along with them. In other words, you don’t have to inject single quotes like you would with SQL Injection or script tags like in Cross-Site Scripting in order to bypass or confuse the logic used in a Web Application.

With that said, Shema offered some advice for dealing with logic flaws when developing Web Applications. The best way to avoid them is a constant checks and balances system, which is the opposite of filtering input alone. Developers will need to manage the data that is sent to the Web Application, that is certain, but at the same time they'll need to make sure that the input comes at the right time from the right source.

Shema said that most logic problems come from developers who take shortcuts, and that when writing secure code, there is never any room for them. “If you focus on one security aspect, you can’t ignore others. For example focus on XSS and SQL Injection is great, but you have to account for logic issues that could be related to them.”


Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.

Cheetah Pictures

Some Cool Cheetah Pictures Cheetahs are found mainly in Africa but also some parts of the Middle East. These sleek animals are the fastest land mammals in the world and can hit 60 mph in about 3 seconds, though they cannot maintain this speed for long. Cheetahs prey mostly on antelopes and smaller mammals but occasionally go for something bigger. We hope you enjoy these photos and don’t forget to check out the other speedy land mammals on our list of the fastest.

Sherlock Holmes Quiz

Sherlock Holmes
Sherlock Holmes was a man who absorbed information like a sponge and had a razor sharp mind. How much do you know about the famous fictional detective from the books?

22 years without Ferruccio Lamborghini

Lamborghini posted this photo today saying: “22 years without Ferruccio Lamborghini.” Ferruccio passed away on February 20th 1993 aged 76. Interestingly he started out making tractors!