Business Logic / Improper Enforcement of a Single, Unique Action

Web and API

Description

Improper Enforcement of a Single, Unique Action (CWE-285) is a business-logic vulnerability in which a web or API application does not ensure that an action intended to be performed only once, or only once per user, cannot be repeated. An attacker who can repeat such an action may bypass authentication and authorization controls and execute operations the application never intended to allow. The OWASP Testing Guide identifies this type of vulnerability as "Verifying Single Execution of Business Logic".

Risk

The risk of improper enforcement of a single, unique action is that an attacker gains access to functionality and data the application did not intend to expose. By bypassing authentication and authorization controls in this way, an attacker may exfiltrate data or carry out other malicious activity.

Solution

The solution to this vulnerability is to have the system itself enforce that the action can be performed only once, rather than relying on the client to submit it only once. This can be accomplished with access control lists, unique session tokens, and other authentication and authorization measures. Additionally, the system should be tested to confirm that the single, unique action is enforced in all cases.
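As an added illustration of the above (example code written for this page, not code from the original or from any product it describes), the following contrasts a coupon-redemption handler that only checks a code with one that checks and consumes it in a single atomic step. The `CouponStore`, the code `WELCOME10` and the in-memory sets are constructed stand-ins for a real database.

```python
import threading
from dataclasses import dataclass, field

# Constructed in-memory store standing in for a database table of coupon codes.
@dataclass
class CouponStore:
    valid_codes: set = field(default_factory=set)   # codes issued to customers
    used_codes: set = field(default_factory=set)    # codes already redeemed
    lock: threading.Lock = field(default_factory=threading.Lock)

def redeem_vulnerable(store: CouponStore, code: str) -> bool:
    """Checks that the code was issued but never records that it was spent,
    so the same request can be replayed any number of times."""
    if code in store.valid_codes:
        return True   # credit applied; nothing stops a second redemption
    return False

def redeem_hardened(store: CouponStore, code: str) -> bool:
    """Checks and marks the code as used in one atomic step under a lock,
    so exactly one request can ever succeed, even when requests race.
    In a real system this is a conditional UPDATE or a unique constraint."""
    with store.lock:
        if code not in store.valid_codes or code in store.used_codes:
            return False
        store.used_codes.add(code)
        return True

def count_successes(redeem, store: CouponStore, code: str, attempts: int) -> int:
    """Fires `attempts` concurrent redemptions and counts how many were accepted."""
    results = []
    def worker():
        results.append(redeem(store, code))
    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

def new_store() -> CouponStore:
    """Fresh store holding one constructed single-use code."""
    return CouponStore(valid_codes={"WELCOME10"})

if __name__ == "__main__":
    print("vulnerable:", count_successes(redeem_vulnerable, new_store(), "WELCOME10", 20))  # 20
    print("hardened:  ", count_successes(redeem_hardened, new_store(), "WELCOME10", 20))    # 1
```

The test the Solution section calls for is the last two lines: replay the same request many times, concurrently, and confirm that only one is accepted.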
