Business Logic / Improper Enforcement of a Single, Unique Action
Improper Enforcement of a Single, Unique Action (CWE-285) is a business-logic vulnerability that occurs when a web or API application fails to ensure that an operation meant to happen exactly once can in fact happen only once, so the same request can be repeated or replayed. This vulnerability can lead to an attacker bypassing authentication and authorization controls, as well as executing unintended operations. The OWASP Testing Guide covers this class of issue under "Verifying Single Execution of Business Logic".
The risk of improper enforcement of a single, unique action is that an attacker can gain access to unintended functionality and data. This type of vulnerability can allow an attacker to bypass authentication and authorization controls, potentially resulting in data exfiltration or other malicious activity.
The solution to this vulnerability is to ensure that a single, unique action is properly enforced by the system. This can be accomplished by implementing access control lists, unique session tokens, and other authentication and authorization measures. Additionally, the system should be tested to ensure that the single, unique action is enforced in all cases.
Example

The following code example is from the CVE-2020-14792 vulnerability. In this example, the application does not properly enforce a single, unique action, which allows an attacker to bypass authentication and authorization controls:

POST /wp-admin/admin-post.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=something_unique_action&data=something_unique_data
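The request above carries nothing that ties it to one specific, not-yet-performed action, so the server cannot tell a first submission from a replay. The following Python example is added here to show what "enforcing a single, unique action" looks like in a handler; it is not code from the page or from the affected product. It assumes an extra form field named _once (a hypothetical name) carrying a single-use token that the server issued to the user for that action, and it uses an in-memory store with a lock as a stand-in for an atomic database or cache operation.

```python
import hashlib
import hmac
import secrets
import threading
from urllib.parse import parse_qs

# Constructed secret for the demo only; a real deployment loads it from configuration.
DEMO_SECRET = b"demo-only-secret"


class ActionTokenStore:
    """Issues single-use tokens bound to (user, action) and consumes them atomically.

    The in-memory set stands in for a database row or cache key; the property
    that matters is that 'check and delete' happens as one step under the lock.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._unused: set = set()
        self._lock = threading.Lock()

    def _mac(self, user_id: str, action: str, nonce: str) -> str:
        # Bind the nonce to the user and action so a token cannot be moved elsewhere.
        msg = f"{user_id}:{action}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, action: str) -> str:
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(user_id, action, nonce)}"
        with self._lock:
            self._unused.add(token)
        return token

    def consume(self, user_id: str, action: str, token: str) -> bool:
        """Return True exactly once per issued token, and only for the bound user/action."""
        nonce, sep, mac = token.partition(".")
        if not sep:
            return False
        if not hmac.compare_digest(mac, self._mac(user_id, action, nonce)):
            return False
        with self._lock:
            if token not in self._unused:
                return False  # already used (replay) or never issued
            self._unused.discard(token)
        return True


def _form(body: str) -> dict:
    # Flatten application/x-www-form-urlencoded into single values (first value wins).
    return {k: v[0] for k, v in parse_qs(body).items()}


def handle_vulnerable(body: str, ledger: list) -> int:
    """Performs the action every time the same request body arrives (the page's flaw)."""
    form = _form(body)
    ledger.append((form.get("action", ""), form.get("data", "")))
    return 200


def handle_hardened(body: str, user_id: str, store: ActionTokenStore, ledger: list) -> int:
    """Performs the action only if the request carries an unused token bound to this user and action."""
    form = _form(body)
    action = form.get("action", "")
    if not store.consume(user_id, action, form.get("_once", "")):
        return 409  # duplicate, forged, or wrong-user token: nothing is executed
    ledger.append((action, form.get("data", "")))
    return 200


def demo():
    """Send the page's request body twice to each handler and report what got executed."""
    body = "action=something_unique_action&data=something_unique_data"
    vuln_ledger: list = []
    vuln_status = [handle_vulnerable(body, vuln_ledger) for _ in range(2)]

    store = ActionTokenStore(DEMO_SECRET)
    token = store.issue("alice", "something_unique_action")
    hard_ledger: list = []
    hard_body = f"{body}&_once={token}"
    hard_status = [handle_hardened(hard_body, "alice", store, hard_ledger) for _ in range(2)]

    # An unused token issued to alice must still be rejected when presented as bob.
    other = store.issue("alice", "something_unique_action")
    wrong_user = handle_hardened(f"{body}&_once={other}", "bob", store, hard_ledger)
    return len(vuln_ledger), vuln_status, len(hard_ledger), hard_status, wrong_user


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler records the action twice for two identical requests; the hardened one records it once and answers 409 to the replay, and also refuses a token presented by a different user. In production the lock-protected check-and-delete should be a single atomic operation on the shared store (for example, a conditional delete that reports whether a row was removed), because two concurrent replays arriving at separate application instances are the case this control exists to stop.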