Business Logic Attacks – BATs and BLBs, presented at OWASP AppSec Brasil 2010

by Amichai Shulman (Imperva)

Tags: Security Business


Summary: Cyber attacks are increasingly carried out by professionals and increasingly driven by financial motives. Researchers have observed the growing popularity of a class of attacks that target business logic. A business logic attack is a sequence of individually legitimate application transactions used to carry out a malicious operation that is not part of normal business practice; brute forcing coupon codes in an e-commerce application to collect multiple discounts is one example. This presentation gives a brief introduction to business logic attacks, their distinguishing characteristics and the motivation behind their rise. It proposes a classification of these attacks from which attendees can derive a set of required mitigation capabilities: detecting automated interaction with the application, detecting different kinds of repetition, detecting flow tampering and even detecting the use of compromised credentials. It also considers the use of mitigation techniques such as CAPTCHA, the introduction of delays and more. The session concludes with the claim that all these capabilities can be introduced as a "virtual patch" in a web application firewall rather than being fixed exclusively in application code.
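The coupon-code brute force the abstract uses as its example, together with the repetition-detection and delay capabilities it lists, as an added worked example (this code is not from the talk or from Imperva): it runs a per-client repetition rule over constructed access-log lines in a hypothetical format, flags a client that tries many distinct invalid codes inside a short window even while rotating sessions, and computes a growing delay as an alternative to a hard block. The log format, field names, thresholds and IP addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not any real server's or WAF's):
# <ISO timestamp> <client IP> <session> <method> <path> [code=<code> result=<valid|invalid>]
# 203.0.113.7 rotates sessions s1..s5 while guessing codes; 198.51.100.4 is an honest user
# who mistypes once; 192.0.2.9 never touches the coupon endpoint.
SAMPLE_LOG = """\
2010-11-17T10:00:01 203.0.113.7 s1 POST /checkout/apply-coupon code=SAVE10 result=invalid
2010-11-17T10:00:02 203.0.113.7 s1 POST /checkout/apply-coupon code=SAVE11 result=invalid
2010-11-17T10:00:02 203.0.113.7 s2 POST /checkout/apply-coupon code=SAVE12 result=invalid
2010-11-17T10:00:03 203.0.113.7 s3 POST /checkout/apply-coupon code=SAVE13 result=invalid
2010-11-17T10:00:03 203.0.113.7 s4 POST /checkout/apply-coupon code=SAVE14 result=invalid
2010-11-17T10:00:04 203.0.113.7 s5 POST /checkout/apply-coupon code=SAVE15 result=valid
2010-11-17T10:00:10 198.51.100.4 s9 POST /checkout/apply-coupon code=WELCOME result=invalid
2010-11-17T10:00:40 198.51.100.4 s9 POST /checkout/apply-coupon code=WELCOME1 result=valid
2010-11-17T10:05:00 192.0.2.9 s7 GET /cart
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<session>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?: code=(?P<code>\S+) result=(?P<result>\S+))?$"
)

COUPON_PATH = "/checkout/apply-coupon"   # assumed endpoint name
WINDOW = timedelta(seconds=60)           # how far back repetitions are counted (assumed)
THRESHOLD = 5                            # distinct failed codes per client per window (assumed)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_coupon_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {client_ip: timestamp_first_flagged} for clients that submitted at least
    `threshold` distinct invalid coupon codes within `window`.

    Every single request is a legal transaction; only the repetition is abnormal.
    The rule is keyed on client IP rather than session because the attacker in the
    sample rotates sessions to defeat per-session counters.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, code) for failed attempts
    flagged = {}
    for ev in parse(log_text):
        if ev["path"] != COUPON_PATH or ev["result"] != "invalid":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["code"]))
        while q and ev["ts"] - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        distinct_codes = {code for _, code in q}
        if len(distinct_codes) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def suggested_delay_seconds(failed_attempts, threshold=THRESHOLD, cap=30):
    """Delay-based mitigation: no slowdown below the threshold, then a response delay
    that doubles per extra failed attempt, capped so a legitimate user is never locked out.
    Makes a 10,000-code brute force cost hours instead of seconds."""
    if failed_attempts < threshold:
        return 0
    return min(cap, 2 ** (failed_attempts - threshold))


if __name__ == "__main__":
    for ip, ts in detect_coupon_bruteforce(SAMPLE_LOG).items():
        print(f"coupon brute force from {ip}, first flagged at {ts.isoformat()}")
    print([suggested_delay_seconds(n) for n in range(3, 12)])
```

The honest user is never flagged because one invalid code is far below the threshold, while the attacker is flagged on the fifth distinct failure even though every request came from a fresh session; the valid redemption that follows is exactly the "successful business logic attack" outcome a per-session check would have missed.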

Amichai Shulman: Co-Founder and CTO, Imperva