Business logic is the set of rules that ties an application together; without it, there is no application. The term refers to the rules that define how the application works.
Business logic rules, also called business rules, are guidelines that define how a company should operate. These rules determine the limitations and guidelines on the way organizations create and process data, as well as their employees’ interactions with customers and other individuals.
Examples of Business Logic
Business logic determines how a database handles information when a user tries to perform an action, and it defines which event must happen before another can occur.
- Database transactions: the processes that move data from one state to another. Transactions matter in business logic because a faulty one can affect a company's daily operation.
- Data validation: the process of keeping data accurate and of good quality. For example, validation can ensure that a user's input has the right spelling and format before it enters a workflow.
Features of Business Logic
Consistency of data: when one value changes, the values that depend on it should change with it so the data stays consistent, e.g. banking transactions or an employee payroll format. The data a person inputs should match the data available in the database.
Subcategory of Access Control
Participant control: resources should be assigned per user. Participant control determines what data employees can see, following the business logic guidelines. For example, a branch manager can see the overall performance of individuals across departments, while a sales manager can only see data for their own department.
Modification control: similar to participant control, but it governs which employees may edit data. Data is vital to the day-to-day running of any organization, so the business logic must state which users may make which alterations.
View control: limits the data users can view, typically by row or column. A user will only see the rows related to their own data and not the columns that track performance, which are visible only to the manager.
When we deal with vulnerabilities in access control, we talk about "broken access control."
So what is broken access control, and how do you prevent it?
What is Broken Access Control?
- Broken Access Control took first place in the OWASP Top 10 for 2021. It poses a serious threat because of its impact on web application security, and it is common in many web applications since their design relies on a complex system of components.
- Authorization is the process whereby requests for access are granted or denied; it determines the data and functionality a user may access. Authorization checks are performed after authentication. Access control is vital for all systems and web applications, both to monitor activity and to enforce the rules governing what each user is entitled to. In a web application, access control depends on:
- Authentication: identifies each user and confirms their identity.
- Session management: identifies which subsequent HTTP requests are made by that same authenticated user.
Some of the most common forms of broken access control include:
- Insecure ID (insecure direct object reference): when users look up information in a database, the application often identifies the record by a unique ID carried in the URL. If the server does not check that the ID belongs to the requesting user, substituting another person's ID exposes their sensitive data. For example, a user's page may look like this: https://www.website.com/user_a_login.html The attacker simply edits the ID following the pattern: https://www.website.com/user_b_login.html
- Client-side caching: browsers cache pages to speed up loading. If a sensitive page is cached and the computer is later used by another person, that page can be viewed without re-authenticating, for example through the back button or browser history. Sensitive responses should therefore be served with Cache-Control: no-store.
- Forced browsing: if access control is broken, a user can edit the URL to reach pages or functions they are not authorized for. As with insecure IDs, the attacker follows the pattern. For example, to view a user's account the URL may look like this: http://www.website.com/index.php/view?account=245 The attacker then edits it to http://www.website.com/index.php/view?account=1 to view the administrative account.
- Vertical privilege escalation: a user gains access to functionality reserved for a more privileged role, for example an ordinary user who can reach the administrative functions of a web application.
Types/Categories of Access Control
- Vertical Access Control
Control mechanisms that restrict sensitive functions to particular types of users. Under vertical access control, different users have access to different functions. These controls help implement business policies and separation of duties. For example, a user who can use the basic site functions cannot edit or delete user accounts; only the administrator can.
- Horizontal Access Control
Control mechanisms that restrict resources to the specific users allowed to access them. For example, on a banking platform a user can view their own account, make transfers and perform other actions, but has no access to another user's account.
- Context-Dependent Access Control
Control mechanisms that restrict access to a resource based on the state of the user's interaction with the application. They prevent users from performing actions in the wrong order, such as confirming a transaction before the step that reviews it has been completed.
How to prevent broken access control
- Avoid predictable page names and URLs, but treat this as a minor hardening step only: an unguessable URL is not a substitute for a server-side authorization check.
- Unless a function or resource is meant to be publicly visible, deny access by default.
- At the coding stage, state explicitly which users or roles may access each resource, and enforce that rule on the server for every request.
- Ensure that every page and API endpoint performs authentication and authorization checks, not only the pages linked from the navigation.
- Test access control mechanisms thoroughly to ensure they work as designed, including tests that try to reach resources as the wrong user, the wrong role, or out of sequence.
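The example below is added here and is not code from the original article. It is a framework-free Python model of a web application's authorization layer that ties the earlier vulnerability examples (insecure ID, forced browsing, vertical privilege escalation), the three categories of access control, and the prevention steps above together in working code: the handler that trusts the ID from the URL sits beside hardened handlers that enforce horizontal, vertical and context-dependent checks, and a route table that denies by default. All users, accounts, balances and route names are constructed sample data.

```python
# Added example, not code from the original article: a framework-free model of
# a web application's authorization layer. It shows the insecure-ID / forced
# browsing handler the article describes beside hardened handlers that enforce
# horizontal, vertical and context-dependent access control and deny by
# default. All users, accounts and route names are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    role: str                                  # "customer" or "admin"

@dataclass
class Account:
    account_id: int
    owner_id: int
    balance: int

@dataclass
class Session:
    user: User                                 # set by authentication
    completed_steps: set = field(default_factory=set)   # state of the current flow

class Forbidden(Exception):
    """Raised for every refused request; a real app maps it to HTTP 403."""

# Constructed sample data: account 1 belongs to the administrator.
USERS = {1: User(1, "customer"), 2: User(2, "customer"), 100: User(100, "admin")}
ACCOUNTS = {
    1: Account(1, owner_id=100, balance=1_000_000),
    245: Account(245, owner_id=1, balance=500),
    246: Account(246, owner_id=2, balance=800),
}

def view_account_vulnerable(session: Session, account_id: int) -> Account:
    """Insecure ID / forced browsing: the handler trusts the id taken from the
    URL, so rewriting ?account=245 to ?account=1 returns someone else's record."""
    return ACCOUNTS[account_id]

def load_account(session: Session, account_id: int) -> Account:
    """Horizontal control: a customer reaches only accounts they own. Vertical
    control: an admin may read any account. Unknown and unauthorized ids get
    the same error so account existence is not leaked."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise Forbidden("access denied")
    if session.user.role != "admin" and account.owner_id != session.user.user_id:
        raise Forbidden("access denied")
    return account

def delete_user(session: Session, target_id: int) -> bool:
    """Vertical control on an administrative function. The role check is
    repeated here although the route table also requires it (defense in depth)."""
    if session.user.role != "admin":
        raise Forbidden("access denied")
    return USERS.pop(target_id, None) is not None

def review_transfer(session: Session, from_id: int, to_id: int, amount: int) -> str:
    """Step 1 of the transfer flow: validate and record that the review was shown."""
    src = load_account(session, from_id)
    if to_id not in ACCOUNTS or amount <= 0 or src.balance < amount:
        raise Forbidden("invalid transfer")
    session.completed_steps.add("review")
    return f"transfer {amount} from {from_id} to {to_id}: confirm?"

def confirm_transfer(session: Session, from_id: int, to_id: int, amount: int) -> int:
    """Step 2. Context-dependent control: refused unless step 1 ran first in
    this session, so a user cannot jump straight to the confirm URL."""
    if "review" not in session.completed_steps:
        raise Forbidden("access denied")
    src = load_account(session, from_id)        # re-checked, never trusted from step 1
    if to_id not in ACCOUNTS or amount <= 0 or src.balance < amount:
        raise Forbidden("invalid transfer")
    src.balance -= amount
    ACCOUNTS[to_id].balance += amount
    session.completed_steps.discard("review")   # one confirmation per review
    return src.balance

# Deny by default: every route declares who may call it. A route missing from
# this table, or a request without an authenticated session, is refused.
ROUTES = {
    "view_account": (load_account, "authenticated"),
    "delete_user": (delete_user, "admin"),
    "review_transfer": (review_transfer, "authenticated"),
    "confirm_transfer": (confirm_transfer, "authenticated"),
}

def dispatch(session, route: str, *args):
    """Front controller: require a session, apply the route policy, call the handler."""
    if session is None or route not in ROUTES:
        raise Forbidden("access denied")
    handler, policy = ROUTES[route]
    if policy == "admin" and session.user.role != "admin":
        raise Forbidden("access denied")
    return handler(session, *args)
```

Two design choices are worth noting. Every refusal raises the same `Forbidden("access denied")`, whether the account does not exist or belongs to someone else, so an attacker enumerating IDs learns nothing from the error. And the ownership check in `load_account` is run again inside `confirm_transfer` rather than trusting what step 1 established, because the ID in the confirmation request can differ from the one that was reviewed.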
Broken access control is a critical security vulnerability because access control is where business and legal constraints are translated into a technical implementation. Since access control is designed and managed by humans rather than by technology, the likelihood of flaws is high.
Once the preventive guidelines are in place, complement them with DAST and SAST tools, which test the running site and scan the source code respectively for security flaws.