Business Logic / Integrity Checks
Description
Missing or weak integrity checks are a vulnerability in the Business Logic category. They occur in web and API applications when the application does not properly authenticate and authorize users, or does not validate the origin and integrity of data sent to it (this page files it under CWE-287, Improper Authentication), for example by trusting a hidden form field, cookie, or role parameter that the client can rewrite. A malicious user can then submit false data, or modify data in transit, and undermine the integrity of the application (OWASP Testing Guide, Test Integrity Checks).
Risk
The risk of this vulnerability is high. An attacker who can alter the data an application accepts can bypass authentication, escalate privileges, or inject malicious code or data into the application, which can lead to account takeover, data theft, or other abuse.
Solution
The solution is to authenticate and authorize every request on the server side and to treat all client-supplied data as untrusted: re-derive security-relevant values such as user identity, role, or price from server-side state instead of accepting them from the request; bind session state to the authenticated user with a signed or MAC-protected token that the server verifies on each request; and carry all traffic over TLS so it cannot be read or altered in transit.
Example
The following example login form illustrates a weakness in an application's authentication flow, where the application does not properly authenticate users and so lets attackers gain access:
<form action="http://example.com/authenticate" method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="Log in" />
</form>
The form itself is ordinary; the weakness is in how it is transported and handled. It posts the credentials over plain HTTP (action="http://example.com/authenticate"), so a network attacker can read or alter the username and password in transit, and if the /authenticate handler behind it does not check the submitted values against stored credentials, any username and password combination grants access. The fix is to verify the submitted credentials on the server, issue a session token the server can validate, and serve both the form and its action over HTTPS.
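The following Python handler is an added example, not code from the original page. The user store USERS, the role table ROLES, the key SERVER_KEY and the sample user "alice" are constructed for illustration. It places a handler that accepts any credentials and trusts a client-supplied role field (the weakness shown above) beside one that verifies the password against a stored PBKDF2 hash, looks the role up server-side, and issues an HMAC-SHA256 session token that is re-verified on every request, so a rewritten role fails the integrity check (the signed token the Solution section calls for):

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data (not from any real system).
SALT = b"constructed-demo-salt"          # real code: random per-user salt stored with the hash
SERVER_KEY = b"constructed-server-key"    # assumed: loaded from a secret store in a real deployment
USERS = {}                                # username -> PBKDF2 hash of the password
ROLES = {"alice": "admin"}                # authorization data lives server-side, never in the request


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS["alice"] = _pbkdf2("correct horse battery staple", SALT)


def vulnerable_authenticate(form: dict) -> dict:
    """Handler with no integrity check: credentials are never verified and the
    client-supplied 'role' field is trusted as-is."""
    return {"user": form.get("username"), "role": form.get("role", "user")}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, role: str, now: Optional[int] = None, ttl: int = 3600) -> str:
    """Session token: base64(payload) '.' base64(HMAC-SHA256(SERVER_KEY, payload))."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "role": role, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Integrity check: recompute the MAC in constant time and reject any token
    whose tag does not match or that has expired. Returns the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def hardened_authenticate(form: dict, now: Optional[int] = None) -> Optional[dict]:
    """Verify the submitted credentials against the stored hash, look the role
    up server-side, and return a MAC-protected session token."""
    username = form.get("username", "")
    password = form.get("password", "")
    stored = USERS.get(username)
    if stored is None:
        _pbkdf2(password, SALT)   # same cost as a real check, so timing does not reveal valid usernames
        return None
    if not hmac.compare_digest(stored, _pbkdf2(password, SALT)):
        return None
    role = ROLES.get(username, "user")
    return {"user": username, "role": role, "token": issue_token(username, role, now)}


def tamper_role(token: str, new_role: str) -> str:
    """What an attacker does to a token whose integrity is not checked: rewrite
    the payload and keep the old tag."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["role"] = new_role
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    print(vulnerable_authenticate({"username": "mallory", "password": "", "role": "admin"}))
    session = hardened_authenticate({"username": "alice", "password": "correct horse battery staple"})
    print(verify_token(session["token"]))
    print(verify_token(tamper_role(session["token"], "superuser")))
```

The vulnerable handler returns whatever role the client asked for; the hardened one never reads a role from the request, and because the tag covers the whole payload, tamper_role produces a token that verify_token rejects. Expiry is carried inside the signed payload for the same reason: a client cannot extend its own session.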