Business Logic / Circumvention of Work Flows
Description
Circumvention of Work Flows, also known as CWE-20, is a type of Business Logic vulnerability that allows attackers to bypass established workflow procedures. It can occur in both web-based and API-based applications. According to the Common Weakness Enumeration (CWE) directory, the vulnerability is defined as “the ability to bypass established workflows that are intended to restrict access to certain functions, data, or privileged operations.” The OWASP Testing Guide identifies this vulnerability as a “major security risk in critical applications” and provides guidelines on how to test for it.
Risk
The risk posed by a Circumvention of Work Flows vulnerability can be extremely severe, depending on which data or functions become reachable. An attacker who bypasses an established workflow may gain access to confidential data or perform privileged operations. This can have serious repercussions such as data exfiltration, system disruption, or complete system takeover. In addition, the attacker may be able to use this vulnerability to pass malicious code through an application, potentially leading to further system compromise.
Solution
Organizations can mitigate the risk of Circumvention of Work Flows vulnerabilities by ensuring that every workflow is properly configured and tested. All authentication and authorization checks should be strictly enforced at each step. Designers should apply the principle of least privilege when granting access to data and functions. Finally, developers should validate all input data and follow secure coding best practices so that malicious code does not enter the system.
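To make the mitigation concrete, here is an added example (not code from the original page) of a multi-step checkout that can be driven out of order when the server trusts a client-supplied step, placed beside a hardened version that keeps the workflow state server-side, checks the order's owner on every request, and only permits the next legal transition. The class names, request fields and sample orders are all constructed for this illustration.

```python
"""Server-side enforcement of a multi-step checkout workflow.

Added illustration, not code from the original page. The Step/Order
classes, the request dictionaries and the order ids are constructed here.
"""
from enum import Enum, auto


class Step(Enum):
    CART = auto()
    ADDRESS = auto()
    PAYMENT = auto()
    CONFIRMED = auto()


# Legal transitions: each step may only advance to the next one.
# The server, not the client, decides whether a transition is allowed.
ALLOWED = {
    Step.CART: {Step.ADDRESS},
    Step.ADDRESS: {Step.PAYMENT},
    Step.PAYMENT: {Step.CONFIRMED},
    Step.CONFIRMED: set(),
}


class WorkflowError(Exception):
    """Raised when a request tries an illegal step or touches another user's order."""


class Order:
    def __init__(self, order_id, owner):
        self.order_id = order_id
        self.owner = owner
        self.step = Step.CART   # authoritative state lives here, never in the client
        self.paid = False


class VulnerableCheckout:
    """Flawed design: trusts the client to say which step the order is at."""

    def __init__(self):
        self.orders = {}

    def create(self, order_id, owner):
        self.orders[order_id] = Order(order_id, owner)

    def confirm(self, request):
        # 'step' comes straight from the request body, so a client can claim
        # it already reached PAYMENT and skip paying altogether.
        order = self.orders[request["order_id"]]
        if request.get("step") == "PAYMENT":
            order.step = Step.CONFIRMED
            return "confirmed"
        return "rejected"


class HardenedCheckout:
    """Keeps workflow state server-side; checks owner and transition each time."""

    def __init__(self):
        self.orders = {}

    def create(self, order_id, owner):
        self.orders[order_id] = Order(order_id, owner)

    def _load(self, request):
        # Ownership check on every step (least privilege: only the owner acts on it).
        order = self.orders.get(request["order_id"])
        if order is None or order.owner != request["user"]:
            raise WorkflowError("order not found for this user")
        return order

    def _advance(self, order, target):
        # Only the single legal next step is accepted; anything else is rejected.
        if target not in ALLOWED[order.step]:
            raise WorkflowError(f"cannot move from {order.step.name} to {target.name}")
        order.step = target

    def add_address(self, request):
        self._advance(self._load(request), Step.ADDRESS)
        return "address saved"

    def pay(self, request):
        order = self._load(request)
        self._advance(order, Step.PAYMENT)
        order.paid = True   # stands in for a verified payment-provider callback
        return "paid"

    def confirm(self, request):
        order = self._load(request)
        if not order.paid:   # server-side evidence, not a client claim
            raise WorkflowError("payment not recorded")
        self._advance(order, Step.CONFIRMED)
        return "confirmed"


def attempt_skip(checkout):
    """Constructed request: confirm order o1 straight from the cart, claiming PAYMENT."""
    checkout.create("o1", "alice")
    try:
        return checkout.confirm({"order_id": "o1", "user": "alice", "step": "PAYMENT"})
    except WorkflowError as exc:
        return f"blocked: {exc}"


def legitimate_flow():
    """Walk the hardened checkout through every step in order."""
    h = HardenedCheckout()
    h.create("o2", "bob")
    req = {"order_id": "o2", "user": "bob"}
    h.add_address(req)
    h.pay(req)
    return h.confirm(req)


def cross_user_attempt():
    """Another user tries to confirm bob's order after bob has paid."""
    h = HardenedCheckout()
    h.create("o3", "bob")
    req = {"order_id": "o3", "user": "bob"}
    h.add_address(req)
    h.pay(req)
    try:
        return h.confirm({"order_id": "o3", "user": "mallory"})
    except WorkflowError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(attempt_skip(VulnerableCheckout()))   # confirmed (payment skipped)
    print(attempt_skip(HardenedCheckout()))     # blocked: payment not recorded
    print(legitimate_flow())                    # confirmed
    print(cross_user_attempt())                 # blocked: order not found for this user
```

The hardened version treats the transition table as the single source of truth: a request can only name the order it wants to act on, never the state it claims to be in, and each handler derives the next step from stored state. Testing for this class of flaw means replaying each step out of order, repeating completed steps, and sending another user's identifiers, and expecting a rejection every time.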
Example
An example of a Circumvention of Work Flows vulnerability is CVE-2020-14362. This vulnerability was found in the Kaseya VSA RMM platform and was caused by the improper implementation of authentication and authorization protocols. An attacker could exploit it to bypass the normal authentication and authorization flow and gain access to privileged user accounts without holding valid credentials.