Improper Enforcement of Behavioral Workflow

Incomplete Base

Structure: Simple

Description

This weakness occurs when an application requires a user to follow a specific sequence of actions, but fails to enforce that order. Attackers can exploit this by skipping steps, performing actions out of sequence, or interrupting the flow, which can corrupt the business logic or put the system into an invalid state.

Extended Description

When a multi-step process isn't strictly sequenced, attackers can manipulate it to bypass critical checks. For instance, a file-sharing server might require a username, then a password, before allowing a file transfer. If it accepts a transfer command immediately after a password—without a username—the core authentication workflow is broken, potentially granting unauthorized access. Proper workflow enforcement means ensuring steps happen in the correct order, no required steps are omitted, processes aren't maliciously interrupted, and actions occur within a reasonable timeframe. This is distinct from software itself executing steps incorrectly (CWE-696); here, the flaw is in failing to control the *user's* or *client's* path through the required behaviors.

Common Consequences 1

Scope: Other

Impact: Alter Execution Logic

An attacker could cause the product to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.

Demonstrative Examples 1

This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully login before performing any other action such as retrieving or listing files.

Code Example:Bad
Python
pythonuser has requested a file*pythonpython

The server correctly avoids sending files to a user that isn't logged in and doesn't own the file. However, the server will incorrectly list the files in any directory without confirming the command came from an authenticated user, and that the user is authorized to see the directory's contents.

Here is a fixed version of the above example:

Code Example:

Good

Python

python

...* if command == 'List_files': ``` if authenticated(user) and ownsDirectory(user,args): listFiles(args) return

python

Observed Examples 9

CVE-2011-0348Bypass of access/billing restrictions by sending traffic to an unrestricted destination before sending to a restricted destination.

CVE-2007-3012Attacker can access portions of a restricted page by canceling out of a dialog.

CVE-2009-5056Ticket-tracking system does not enforce a permission setting.

CVE-2004-2164Shopping cart does not close a database connection when user restores a previous order, leading to connection exhaustion.

CVE-2003-0777Chain: product does not properly handle dropped connections, leading to missing NULL terminator (Improper Null Termination) and segmentation fault.

CVE-2005-3327Chain: Authentication bypass by skipping the first startup step as required by the protocol.

CVE-2004-0829Chain: File server crashes when sent a "find next" request without an initial "find first."

CVE-2010-2620FTP server allows remote attackers to bypass authentication by sending (1) LIST, (2) RETR, (3) STOR, or other commands without performing the required login steps first.

CVE-2005-3296FTP server allows remote attackers to list arbitrary directories as root by running the LIST command before logging in.

References 8

Business Logic Flaws and Yahoo Games

Jeremiah Grossman

08-12-2006

https://blog.jeremiahgrossman.com/2006/12/business-logic-flaws.html(2023-04-07)

ID: REF-795

Seven Business Logic Flaws That Put Your Website At Risk

Jeremiah Grossman

10-2007

https://docplayer.net/10021793-Seven-business-logic-flaws-that-put-your-website-at-risk.html(2023-04-07)

ID: REF-796

Business Logic Flaws

WhiteHat Security

https://web.archive.org/web/20080720171327/http://www.whitehatsec.com/home/solutions/BL_auction.html(2023-04-07)

ID: REF-797

Insufficient Process Validation

WASC

http://projects.webappsec.org/w/page/13246943/Insufficient-Process-Validation

ID: REF-806

Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic

Rafal Los and Prajakta Jagdale

2011

https://www.slideshare.net/RafalLos/defying-logic-business-logic-testing-with-automation(2023-04-07)

ID: REF-799

Real-Life Example of a 'Business Logic Defect' (Screen Shots!)

Rafal Los

2011

http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/Real-Life-Example-of-a-Business-Logic-Defect-Screen-Shots/ba-p/22581

ID: REF-667

Toward Automated Detection of Logic Vulnerabilities in Web Applications

Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna

USENIX Security Symposium 2010

08-2010

https://www.usenix.org/legacy/events/sec10/tech/full_papers/Felmetsger.pdf(2023-04-07)

ID: REF-801

Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems

Faisal Nabi

International Journal of Network Security, Vol.12, No.1

2011

http://ijns.femto.com.tw/contents/ijns-v12-n1/ijns-2011-v12-n1-p29-41.pdf

ID: REF-802

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Insufficient Control Flow Management (CWE-691)

Taxonomy Mapping

WASC

Notes

Research Gap This weakness is typically associated with business logic flaws, except when it produces resultant weaknesses. The classification of business logic flaws has been under-studied, although exploitation of business flaws frequently happens in real-world systems, and many applied vulnerability researchers investigate them. The greatest focus is in web applications. There is debate within the community about whether these problems represent particularly new concepts, or if they are variations of well-known principles. Many business logic flaws appear to be oriented toward business processes, application flows, and sequences of behaviors, which are not as well-represented in CWE as weaknesses related to input validation, memory management, etc.