Testing Overview

If you prefer to read the entire Understanding Business Logic Assessments section in PDF format, you can view or print here.

Business Logic Assessments search for vulnerabilities based on established industry standards set by WASC and OWASP. The following are the types of tests performed and examples of the vulnerabilities searched for using each test type.

Injection Testing

Injection testing is used to search for the following vulnerabilities:

  • Cross-Site Scripting - Reflective, stored, and DOM

  • SQL Injection - both error based and blind

  • XML Injection - XML External entities, SOAP, and XPath

  • OS Commanding - Standard injections and certain zero day exploits

  • Content Spoofing - User controlled error messages, HTML content, Excel export functionality, Flash file FlashVars, Reflected File Download

  • URL Redirector Abuse - Standard redirects, login request redirects, logout request redirects, Flash file redirects

  • HTTP Response Splitting - CRLF injection into response headers

  • LDAP Injection - Login and search functionality

  • Improper Input Handling - HTTP parameter pollution, Host Header attacks

  • Path Traversal - File upload, file download

  • Remote File Inclusion - Server executes remote files

Inspection Testing

Inspection testing is used to search for the following:

  • Fingerprinting - Version information in response headers or body

  • Information Leakage - Verbose errors, internal file paths, internal IP addresses, sensitive information in URL

  • Autocomplete Attribute - Sensitive inputs including CC and SSN data

  • Directory Indexing

  • Predictable Resource Location - Common files that are accessible

  • Missing Transport Layer Protection - Sensitive content transmitted without SSL/TLS

  • ClickJacking

Authentication and Authorization Testing

Authentication and Authorization tests are used to search for:

  • Insufficient Authentication - Insecure Direct Object Reference, weak authentication implementation

  • Insufficient Authorization - Access controls, vertical/horizontal privilege escalation

Session Management Testing

Session Management tests are used to search for:

  • Session Prediction - Session token strength and predictability

  • Session Fixation - Session token reuse after authentication

  • Insufficient Session Expiration - Proper session invalidation

  • Unsecured / Non-HTTP-Only Session Cookie - Cookie checks for secure attributes

Other Logic Testing

In addition to the tests listed above, a BLA also includes assessment of the application’s business logic for vulnerabilities, including:

  • Abuse of Functionality - File upload, price modification, contact form abuse

  • Brute Force - User enumeration, case insensitive passwords, login automation

  • Cross-Site Request Forgery - Sensitive functionality including change password, update profile, creating/deleting content

  • Insufficient Password Policy Implementation - Weak passwords

  • Insufficient Password Recovery - Password reset workflows including security questions and reset links

  • Insufficient Process Validation - Workflow bypasses including registration and checkout

  • Application Code Execution - file upload abuse and Server Side Includes

  • Insecure Indexing - Search functionality

  • Insufficient Anti-automation - Registration, contact forms

  • Denial of Service - XML Entity Expansion

  • Server Misconfiguration - Web cache deception attack

Next, learn how to manage Business Logic Assessments on the Site Services Tab in the WhiteHat Dynamic interface.