Business Logic Security

Automated vulnerability scanners are blind to the logic of your business. They find technical gaps such as outdated libraries, but they don't understand when an attacker skips a payment or accumulates discounts by manipulating the request sequence.

Your Strategy

True security in complex web apps requires a deep understanding of business processes. Mandatory automated scans should be supplemented by manual expert reviews that specifically attempt to break the logical assumptions of your application.

Best Practices

  • State Validation: On every API call, verify server-side that the process is actually in a state that permits the requested action.
  • Server-side Authority: Never trust calculations (prices, quantities, discounts) that come from the client; recompute them on the server.
  • Sequence Control: Enforce a strict order of process steps, refuse steps that are skipped or replayed, and validate that each step completed before the next begins.
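The three practices above, applied to a checkout flow as an added example (this is illustrative code written for this page, not AYSOLI's or any product's implementation). The catalogue, the discount code and the cent amounts are constructed sample data; the order is a server-side state machine that ignores client-supplied totals, refuses skipped or replayed steps, and allows a discount to be applied only once.

```python
from enum import Enum

# Server-side price list in cents and a discount table (constructed sample data).
CATALOGUE = {"sku-1001": 2500, "sku-2002": 900}
DISCOUNT_CODES = {"WELCOME10": 10}  # percent off

class State(Enum):
    CART = "cart"
    PAID = "paid"
    SHIPPED = "shipped"

# Sequence control: the only transitions the checkout process allows.
TRANSITIONS = {(State.CART, "pay"): State.PAID, (State.PAID, "ship"): State.SHIPPED}

class OrderError(Exception):
    """Raised when a request does not fit the order's current state."""

class Order:
    def __init__(self):
        self.state = State.CART
        self.items = {}        # sku -> quantity, kept server-side
        self.discount_pct = 0  # at most one discount; replays are refused

    def _transition(self, action):
        # State validation: reject any action the current state does not permit.
        nxt = TRANSITIONS.get((self.state, action))
        if nxt is None:
            raise OrderError(f"{action!r} not allowed in state {self.state.value}")
        self.state = nxt

    def add_item(self, sku, qty):
        if self.state is not State.CART or sku not in CATALOGUE or qty < 1:
            raise OrderError("cannot add item")
        self.items[sku] = self.items.get(sku, 0) + qty

    def apply_discount(self, code):
        # A second apply_discount request (discount stacking) is rejected.
        if self.state is not State.CART or self.discount_pct or code not in DISCOUNT_CODES:
            raise OrderError("discount rejected")
        self.discount_pct = DISCOUNT_CODES[code]

    def total(self):
        # Server-side authority: the price comes from the catalogue, never the client.
        gross = sum(CATALOGUE[s] * q for s, q in self.items.items())
        return gross * (100 - self.discount_pct) // 100

    def pay(self, amount_captured):
        # Any total the client sent in its request is never consulted; the amount
        # actually captured by the payment provider must equal our own total.
        if amount_captured != self.total():
            raise OrderError("payment does not match server-side total")
        self._transition("pay")

    def ship(self):
        self._transition("ship")

def rejected(action, *args):
    """Return True if the business-logic checks refuse the action."""
    try:
        action(*args)
        return False
    except OrderError:
        return True
```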

STRIDE-LM Design Risks

  • S-01 (Spoofing): Identity Spoofing. Attacker impersonates a legitimate user or partner.
  • T-LOGIC-01 (Tampering): Business Logic Bypass. Bypassing prescribed process steps in the application.
  • T-LOGIC-02 (Tampering): Parameter Pollution. Manipulation of multiple HTTP parameters to confuse the backend.
  • R-01 (Repudiation): Audit Log Manipulation. Deleting or altering traces of an action.
  • I-01 (Information Disclosure): Sensitive Data Exposure. Unintentional disclosure of internal information to externals.
  • D-01 (Denial of Service): Resource Exhaustion. Overloading systems through massive requests or resource hogging.
  • E-WEB-01 (Elevation of Privilege): Insecure Direct Object Reference (IDOR). Accessing data objects by manipulating references.
  • M-01 (Monitoring Gaps): Insufficient Logging. Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Each technique is listed with its ATT&CK ID and the mitigations from this checklist; each mitigation carries its protection tier and rating in brackets, followed by the framework references (CIS, NIST, OWASP).

Reconnaissance
  • T1595 Active Scanning: Active scanning of web infrastructure for vulnerabilities.
    Mitigated by:
      • Manual Business Logic Review [Extended Protection, High]: CIS 18.1; OWASP ASVS
      • Regular Penetration Testing [Extended Protection, High]: CIS 18.1; NIST AI-5.1
      • Rate Limiting & Throttling [Baseline Protection, Low]: CIS 12.1; OWASP API4

Initial Access
  • T1190 Exploit Public-Facing Application: Exploiting vulnerabilities in internet-facing services.
    Mitigated by:
      • Manual Business Logic Review [Extended Protection, High]: CIS 18.1; OWASP ASVS
      • Regular Penetration Testing [Extended Protection, High]: CIS 18.1; NIST AI-5.1
      • Input Validation & Sanitization [Baseline Protection, Medium]: CIS 16.11; OWASP A03:2021
      • Dynamic Application Security Testing (DAST) [Extended Protection, Medium]: CIS 18.1; OWASP ASVS
      • Strict Schema Validation [Baseline Protection, Medium]: CIS 16.11; OWASP API6
  • T1078 Valid Accounts: Exploiting existing credentials for access.
    Mitigated by:
      • Object Level Authorization (BOLA) [Baseline Protection, Medium]: NIST PR.AC-4; OWASP API1
      • Fine-Grained RBAC / ABAC [Baseline Protection, Medium]: CIS 6.2; OWASP A01:2021
      • Adaptive MFA (Risk-based) [Extended Protection, Low]: CIS 6.5; NIST PR.AC-7
      • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021
  • T1566 Phishing: Delivering malicious content via electronic communication.
    Mitigated by:
      • Adaptive MFA (Risk-based) [Extended Protection, Low]: CIS 6.5; NIST PR.AC-7

Execution
  • T1059-007 JavaScript Injection: Execution of malicious code in the victim's browser.
    Mitigated by:
      • Input Validation & Sanitization [Baseline Protection, Medium]: CIS 16.11; OWASP A03:2021
      • Dynamic Application Security Testing (DAST) [Extended Protection, Medium]: CIS 18.1; OWASP ASVS
      • Strict Schema Validation [Baseline Protection, Medium]: CIS 16.11; OWASP API6

Persistence
  • T1098 Account Manipulation: Changing permissions or creating new accounts.
    Mitigated by:
      • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021

Privilege Escalation
  • T1548 Abuse Elevation Control Mechanism: Bypassing mechanisms for privilege escalation (e.g., UAC).
    Mitigated by:
      • Fine-Grained RBAC / ABAC [Baseline Protection, Medium]: CIS 6.2; OWASP A01:2021

Credential Access
  • T1539 Steal Web Session Cookie: Capturing active session tokens to bypass authentication.
    Mitigated by:
      • Adaptive MFA (Risk-based) [Extended Protection, Low]: CIS 6.5; NIST PR.AC-7

Collection
  • T1213 Data from Information Repositories: Accessing data from knowledge bases (SharePoint, Confluence).
    Mitigated by:
      • Object Level Authorization (BOLA) [Baseline Protection, Medium]: NIST PR.AC-4; OWASP API1
      • Fine-Grained RBAC / ABAC [Baseline Protection, Medium]: CIS 6.2; OWASP A01:2021

Exfiltration
  • T1020 Automated Exfiltration: Automated exfiltration of data via interfaces.
    Mitigated by:
      • Rate Limiting & Throttling [Baseline Protection, Low]: CIS 12.1; OWASP API4

Business Logic Security | IT Security Checklist for SMEs · AYSOLI Security Hub