Category-840: Business Logic Errors
ID: 840
Status: Incomplete
Summary
Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Membership
Notes
Research Gap
References
REF-795 Business Logic Flaws and Yahoo Games
REF-796 Seven Business Logic Flaws That Put Your Website At Risk
REF-797 Business Logic Flaws
REF-798 Abuse of Functionality
REF-799 Defying Logic: Theory, Design, and Implementation of Complex Systems for Testing Application Logic
REF-667 Real-Life Example of a 'Business Logic Defect' (Screen Shots!)
REF-801 Toward Automated Detection of Logic Vulnerabilities in Web Applications
REF-802 Designing a Framework Method for Secure Business Application Logic Integrity in e-Commerce Systems
Article source (from the Internet): scap中文网