Blog, Events & News

Business logic: Protecting your weakest link

By Andy Still / 18th Sep 2019

Business logic is the new weak link in application defence, and as we all know, you are only ever as strong as your weakest link.

In this blog, Netacea’s CTO and Co-founder Andy Still explains what a business logic attack is and why we are seeing more and more of them as the cybersecurity landscape shifts. To begin, we need to understand the environment into which business logic attacks came into existence.

Ever since computers have been attached to external networks they have been a target for unwanted intrusion. As every attack was identified, a defence was put in place and the attacker moved on. Firewalls limit external access to the necessary servers and ports, which typically means that web server software is the only visible point of entry. Attackers therefore focused on exploiting weaknesses within the web server and the website codebase, using techniques such as SQL injection. WAFs were created to protect websites from these attacks, blocking access to request patterns that matched known exploits.

With these exploits now comprehensively protected, attackers are actively seeking the next easy target, the business logic of your website.

What is business logic?

Put simply, business logic is what your application does. It is the functionality that the application has been programmed to deliver in order to achieve your business objectives.

In the world of eCommerce, it is the ability to search products, add them to a basket, calculate delivery costs, check stock and complete a checkout. Financial services must facilitate the transference of money between accounts, the calculating of interest on a loan application and the calculating of risk and reward. While media outlets must be able to show targeted articles, select appropriate advertising and integrate with social media.

In short, the usual usage of any website is exercising the business logic.

What are business logic attacks?

A business logic attack or business logic exploit is when the legitimate business logic of a website is used to deliver an objective that is not in line with the purpose that was intended when it was created.

To provide a very simple example, on an eCommerce website, the business logic allows users to browse products and for each product the price and relevant details are displayed. This is standard business logic and is essential to enabling the user to exercise the objective of the application - that is, to decide whether they want to purchase the item. However, by viewing a product, an attacker can capture said product details, extract the prices and use them to price match against their own stock.

Business logic attacks are predominantly carried out using automated bot traffic, although they may be augmented with human users. They can also be carried out using multiple distinct sets of activities. For instance, an attacker may obtain a set of breached credentials, validate which are valid for a specific site and sell those details on to a second attacker. Attacker number two then executes more complex automation using those compromised accounts to validate availability of some aspect they know has value (for example spare account capacity), this attacker then resells that account to a third attacker to actually exploit the value in the account.

Business logic attacks: some real-world examples

Every day, on most public websites, the majority of log in attempts are made by bots attempting to exploit business logic issues. Large quantities of breached username/password combinations will be tested to detect valid combinations that can be exploited. Examples of types of exploitation can include theft of loyalty points or other types of credit, ordering of goods using saved credentials, exploitation of unused facilities on those accounts (such as additional unused accounts of services like Spotify) or theft of personal data.

Gambling sites suffer from arb-betting attacks, where bots continually monitor odds on sporting events to identify discrepancies and automatically place those bets to ensure the threat actor can’t lose.

These are just a few examples, others include the creation of fake accounts to take advantage of introductory offers. it’s important to recognise that highly targeted business logic exploits are on the rise.

Why have business logic attacks become a problem now?

While business logic attacks have always existed, they have become an increasingly favoured attack technique over the last few years.

Three factors are driving the rise of business logic attacks:

1. Defences against traditional methods of exploitation have improved, making these attacks more difficult to carry out successfully. Web server software is more secure than it used to be and the majority of website are behind some kind of a WAF that provides effective protection against basic exploits, while the level of understanding has improved regarding the risks of insecure development. All this has meant it has been more difficult (but certainly not impossible) to exploit technical vulnerabilities. Attackers need to find the next weak link.

2. Attack technology has improved. The availability of public cloud infrastructure (whether legitimately or illegitimately obtained) means that there are large quantities of disposable compute that can be used to power large scale bot activity. Dynamic IP address services and on-demand residential proxy platforms can easily hide and distribute the traffic to bypass basic IP address blacklisting and other basic defences. Easily available tooling such as Storm, sneaker bots and ticket bots make it easy for threat actors to start attacks without development expertise. Automation tools can now execute JavaScript from within real browsers, facilitating much more complex and dynamic attacks.

3. The ecosystem has rapidly expanded with many groups (or even semi-legitimate commercial services) offering automation services. The output of which can be exploited in further attacks. Most defences are not capable of stopping these attacks. WAFs are fundamentally not designed for spotting this activity, WAFs are designed to spot illegitimate request patterns, but business logic attacks are based entirely on legitimate requests carrying out legitimate functionality, for illegitimate purposes. Some WAFs have bot defence extensions and there are specialist bot management tools available, but most of these require client-side checks that can be bypassed by the newer sophisticated bots.

Protecting your organisation from business logic attacks

Business logic attacks require specialist solutions to effectively provide defence.

Netacea provides a pioneering bot management protection against complex business logic attacks, that can bypass any reputational blacklists, whitelists and JavaScript based defences offered by traditional bot management vendors. Our system analyses visitor behaviour to look for anomalous activity to reliably detect business logic attacks.

Talk to our team of data scientists today to protect your organisation against business logic attacks.

Account Takeover / Bot Management