Category: Business Logic Errors
Incomplete
Summary
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-283 | Unverified Ownership | This vulnerability occurs when an application fails to confirm that a user has legitimate ownership rights to a sensitive resource before allowing them to perform actions on it. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | This vulnerability occurs when an application's authorization system fails to verify that a user is allowed to access specific data before retrieving it, allowing an attacker to access another user's information by manipulating an identifier they control. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-708 | Incorrect Ownership Assignment | This vulnerability occurs when a system grants ownership of a resource to an entity that should not have that level of control, placing it outside the intended security boundary. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of it as a buffet with no rules on how much one person can take, eventually leaving nothing for others and causing the system to fail. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | This happens when software incorrectly frees or closes a resource—like memory, a file handle, or a network connection—while that resource is still supposed to be in active use by the program or another component. |
| CWE-837 | Improper Enforcement of a Single, Unique Action | This vulnerability occurs when a system fails to properly prevent users from repeating an action that should only be performed once, such as submitting a vote, finalizing a purchase, or requesting a refund. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | This weakness occurs when an application requires a user to follow a specific sequence of actions, but fails to enforce that order. Attackers can exploit this by skipping steps, performing actions out of sequence, or interrupting the flow, which can corrupt the business logic or put the system into an invalid state. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.