Detalle de categoría CWE-840

CWE-840

Business Logic Errors
Incomplete
2011-03-30 +00:00
2023-06-29 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Business Logic Errors

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Lista de miembros CWE

CWE-283: Unverified Ownership Base

CWE-639: Authorization Bypass Through User-Controlled Key Base

CWE-640: Weak Password Recovery Mechanism for Forgotten Password Base

CWE-708: Incorrect Ownership Assignment Base

CWE-770: Allocation of Resources Without Limits or Throttling Base

CWE-826: Premature Release of Resource During Expected Lifetime Base

CWE-837: Improper Enforcement of a Single, Unique Action Base

CWE-841: Improper Enforcement of Behavioral Workflow Base

Informaciones CWE

Notas de mapeo de vulnerabilidades

Justificación : This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comentario : See member weaknesses of this category.

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
CWE Content Team MITRE 2011-03-24 +00:00 2011-03-30 +00:00 1.12

Modificaciones

Nombre Organización Fecha Comentario
CWE Content Team MITRE 2017-01-19 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Description, Observed_Examples, References, Taxonomy_Mappings
CWE Content Team MITRE 2018-03-27 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated References
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Terminology_Notes
CWE Content Team MITRE 2023-04-27 +00:00 updated Mapping_Notes, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes

Referencias

REF-795

Business Logic Flaws and Yahoo Games
Jeremiah Grossman.
https://blog.jeremiahgrossman.com/2006/12/business-logic-flaws.html

REF-796

Seven Business Logic Flaws That Put Your Website At Risk
Jeremiah Grossman.
https://docplayer.net/10021793-Seven-business-logic-flaws-that-put-your-website-at-risk.html

REF-797

Business Logic Flaws
WhiteHat Security.
https://web.archive.org/web/20080720171327/http://www.whitehatsec.com/home/solutions/BL_auction.html

REF-798

Abuse of Functionality
WASC.
http://projects.webappsec.org/w/page/13246913/Abuse-of-Functionality

REF-799

Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic
Rafal Los, Prajakta Jagdale.
https://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation

REF-667

Real-Life Example of a 'Business Logic Defect' (Screen Shots!)
Rafal Los.
http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581

REF-801

Toward Automated Detection of Logic Vulnerabilities in Web Applications
Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, Giovanni Vigna.
https://www.usenix.org/legacy/events/sec10/tech/full_papers/Felmetsger.pdf

REF-802

Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems
Faisal Nabi.
http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf

REF-1102

Case Files from 20 Years of Business Logic Flaws
Chetan Conikee.
https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/18217/2020_USA20_DSO-R02_01_Case%20Files%20from%2020%20Years%20of%20Business%20Logic%20Flaws.pdf

La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.