Posts

Showing posts from April, 2013

Breaking Bad - Business Logic Abuse.

There was a recent discussion on the OWASP Testing Guide list, a project I used to lead, about "How to test for business logic issues". This is a really tough one to document as a "How to...". That said, some of the biggest simulated financial fraud attacks I have ever committed for clients were based on business logic and authorization logic attacks. So how do we do it? This is how I see the world; you may or may not agree.

I look at an app's functionality as a finite state machine. Certain inputs make the machine transition to a different state. Some states can only be reached from certain other states. Certain states are idempotent, while others are transactional and have a permanent impact.

We have a number of use cases to test this machine:

1. Positive use case - App does what it is meant to (positive sense)
2. Negative use case - App does what it is meant to (negative sense)
3. Abuse Case - User or data is trying to force app to d
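As an added example (not code from the post, nor from the OWASP Testing Guide), the following Python models a hypothetical checkout flow as the kind of finite state machine described above. The order states, the inputs, the transition table and the deliberately naive implementation are all constructed for illustration and are assumptions of this example, not something the post describes. The naive handler is the pattern where each endpoint sets "its" state without checking where the machine currently is; the FSM version consults the transition table first. The harness drives each implementation to every reachable state along a legitimate path and then fires every input the table does not allow there, which is the abuse-case enumeration the post is building toward, and it flags the transactional ones separately because those are where the money is.

```python
"""Checkout modelled as a finite state machine (added example, not the post's
own code). The states, inputs, transition table and the 'naive' implementation
are constructed for illustration."""
from collections import deque
from enum import Enum


class State(Enum):
    CART = "cart"
    PAYMENT_PENDING = "payment_pending"
    PAID = "paid"
    SHIPPED = "shipped"
    CANCELLED = "cancelled"


# Legal transitions: (current state, input) -> next state.
# Anything not in this table is a transition the business never intended.
TRANSITIONS = {
    (State.CART, "checkout"): State.PAYMENT_PENDING,
    (State.PAYMENT_PENDING, "pay"): State.PAID,
    (State.PAYMENT_PENDING, "cancel"): State.CANCELLED,
    (State.PAID, "ship"): State.SHIPPED,
    (State.PAID, "refund"): State.CANCELLED,
}
ACTIONS = sorted({action for (_, action) in TRANSITIONS})
# Inputs whose handler moves money or goods. Reaching one of these from the
# wrong state is what turns a logic bug into fraud.
TRANSACTIONAL = {"pay", "ship", "refund"}


class NaiveOrder:
    """Each endpoint sets the state it 'belongs to' without asking where the
    machine currently is: the flaw pattern, not a recommended design."""

    def __init__(self):
        self.state = State.CART

    def handle(self, action):
        self.state = {"checkout": State.PAYMENT_PENDING, "pay": State.PAID,
                      "ship": State.SHIPPED, "cancel": State.CANCELLED,
                      "refund": State.CANCELLED}[action]  # no check of current state
        return self.state


class OrderFSM:
    """Every input is validated against the transition table before any side
    effect; an unlisted (state, input) pair is rejected."""

    def __init__(self):
        self.state = State.CART

    def handle(self, action):
        nxt = TRANSITIONS.get((self.state, action))
        if nxt is None:
            raise ValueError(f"illegal transition: {self.state.value} --{action}-->")
        self.state = nxt
        return self.state


def path_to(target, start=State.CART):
    """Shortest legitimate input sequence from start to target (BFS), or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for (cur, action), nxt in TRANSITIONS.items():
            if cur == state and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [action]))
    return None


def find_illegal_transitions(factory):
    """Abuse-case enumeration: drive a fresh order to every reachable state
    along a legitimate path, then fire every input the table does not allow
    there. Returns (state, input, resulting state) for each one accepted."""
    accepted = []
    for state in State:
        path = path_to(state)
        if path is None:
            continue  # unreachable state: nothing to test from here
        for action in ACTIONS:
            if (state, action) in TRANSITIONS:
                continue  # positive case, already exercised by the replay
            order = factory()
            for step in path:
                order.handle(step)
            try:
                order.handle(action)
            except ValueError:
                continue  # rejected: the negative case behaves
            accepted.append((state.value, action, order.state.value))
    return accepted


def high_impact(accepted):
    """Keep only the accepted illegal transitions that trigger a transactional input."""
    return [t for t in accepted if t[1] in TRANSACTIONAL]
```

Running `find_illegal_transitions(NaiveOrder)` lists every (state, input) pair the naive implementation should have refused but did not, including "cart" plus "ship" landing on "shipped", i.e. goods dispatched for an order that was never paid; `find_illegal_transitions(OrderFSM)` returns an empty list. On a real engagement the `factory` would wrap the target's actual endpoints (an assumption of this example), and the transition table is what you reconstruct from the specification, the UI flow and the authorization rules; the harness then tells you exactly where the implementation disagrees with that model, which is the list of business logic findings to go and prove.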