Business Logic / Logic Data Validation
Description
Logic Data Validation (CWE-20) is a business-logic vulnerability. It occurs when external data is used to control the flow of a program without being properly checked for accuracy, consistency, and completeness. This vulnerability can be found in both web applications and Application Programming Interfaces (APIs). According to the OWASP Testing Guide, this vulnerability can lead to "serious data manipulation and data integrity issues".
Risk
The risk posed by Logic Data Validation flaws is extremely high. Depending on the severity of the vulnerability, it can result in data breaches, data manipulation, and other attacks on the system.
Solution
The best way to fix this vulnerability is to validate all external data before the application uses it: confirm that it comes from a trusted source, sanitize it, and check that it has the expected format.
Example
This example of vulnerable code comes from the CVE directory.
// Vulnerable: the privilege level is decided by a string the caller supplies.
int admin_level;
if (input.equals("admin")) {
    admin_level = 1;
}
else {
    admin_level = 0;
}
In this example, the code does not properly validate the input data: it grants admin privileges based solely on a string the caller supplies, with no check that the value comes from a trusted source. An attacker who controls the input could easily manipulate it to gain admin privileges.
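The snippet above next to a hardened version, as an added example that is not part of the original page. It assumes a hypothetical server-side user store (USER_ROLES) and a hypothetical identifier format; the point is that the untrusted field is checked against an allowlist format and the role is then looked up server-side, so the input itself never carries the privilege.

```java
import java.util.Map;
import java.util.regex.Pattern;

public class AdminLevelCheck {
    // Hypothetical server-side store: user id -> role. Roles live here,
    // never in request data (constructed sample entries).
    private static final Map<String, String> USER_ROLES = Map.of(
        "u-1001", "admin",
        "u-1002", "user");

    // Allowlist for the externally supplied field (assumed format):
    // 1-32 characters, lowercase letters, digits and '-'.
    private static final Pattern USER_ID_FORMAT = Pattern.compile("^[a-z0-9-]{1,32}$");

    // Vulnerable: the caller's own input decides the privilege level.
    static int vulnerableAdminLevel(String input) {
        if (input.equals("admin")) {
            return 1;
        }
        return 0;
    }

    // Hardened: reject anything that is not a well-formed user id, then
    // derive the role from the server-side store. In a real application the
    // id would come from the authenticated session, not a request parameter.
    static int hardenedAdminLevel(String input) {
        if (input == null || !USER_ID_FORMAT.matcher(input).matches()) {
            throw new IllegalArgumentException("malformed user id");
        }
        String role = USER_ROLES.get(input);
        if (role == null) {
            throw new IllegalArgumentException("unknown user id");
        }
        return "admin".equals(role) ? 1 : 0;
    }

    public static void main(String[] args) {
        // Constructed inputs: a self-declared "admin" string and real user ids.
        System.out.println("vulnerable, input \"admin\": " + vulnerableAdminLevel("admin"));
        System.out.println("hardened, u-1002: " + hardenedAdminLevel("u-1002"));
        System.out.println("hardened, u-1001: " + hardenedAdminLevel("u-1001"));
        try {
            hardenedAdminLevel("admin"); // well-formed but not a known user id
        } catch (IllegalArgumentException e) {
            System.out.println("hardened, input \"admin\": rejected (" + e.getMessage() + ")");
        }
    }
}
```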