
OWASP unveils first top 10 business logic abuse threats list
The Open Worldwide Application Security Project (OWASP) has published its first Business Logic Abuse Top 10 vulnerabilities, focusing on cross-domain business logic threats that are not tied to a specific technology stack.
Unlike prior OWASP top 10 lists that are generally centred on a particular technology, such as web applications or APIs, the Business Logic Abuse Top 10 addresses vulnerabilities that exploit flaws in the way applications are designed to function, rather than in their underlying code or infrastructure.
The list was developed with contributions from Ivan Novikov, Co-Founder and Chief Executive Officer of Wallarm, Silvia Pravida, API Engineer at a financial institution, and Sergei Lega, Lead Product Manager at Wallarm.
OWASP, a nonprofit foundation, aims to improve software security by supporting and promoting a range of application security initiatives. The original OWASP Top 10, first published in 2003, outlined the most common web application vulnerabilities, and has since become a widely referenced resource in the security industry.
Business logic abuse involves the manipulation of application workflows, state transitions, and decision-making processes, enabling attackers to bypass restrictions, gain unauthorised access, or disrupt operations. These attacks exploit the rules that govern an application's intended use, rather than taking advantage of technical vulnerabilities like SQL injection or security misconfigurations.
Silvia Pravida, API Engineer, said, "PCI DSS 4.0 now requires us to stop business logic abuse — that's clear in Requirement 6.2.4. But what's missing is the 'how'. There's no standard list of real-world logic attack types banks should defend against. That's why I joined the OWASP project: to help build that list. So every financial team can spot the tricks before they cost real money."
As business applications have become more complex, attackers have continued to shift their tactics. The security industry has historically focused on coding errors, but business logic flaws are increasingly becoming the target of attackers. The exploitation of business logic can be particularly damaging because it often leverages intended workflows in unintended ways, and can be difficult to detect with traditional security controls.
One example cited in the context of business logic abuse involved mobile provider O2 in the United Kingdom, where user location data was exposed via call metadata. OWASP notes this type of incident exemplifies both "Data Oracle Exposure" and "Missing Roles and Permissions Checks", two categories identified in the new Top 10 list.
Ivan Novikov, Co-Founder and Chief Executive Officer of Wallarm, said, "It's incredibly important for the community to have a common language around business logic attacks. These types of attacks transcend a specific software stack or technology. They don't fit into the existing taxonomies, but they are being actively exploited by attackers today."
The OWASP Business Logic Abuse Top 10 aims to provide a framework for recognising and responding to these threats by categorising the different types of business logic abuse. This classification is intended to facilitate agreement among practitioners and vendors on the tactics used by attackers, addressing what has until now been a notable gap in the industry's understanding of application security risks.
The ten classes of vulnerabilities identified in the OWASP list are as follows:
- Class 1: Lifecycle & Orphaned Transitions Flaws
- Class 2: Logic Bomb, Loops and Halting Issues
- Class 3: Data Type Smuggling
- Class 4: Sequential State Bypass
- Class 5: Data Oracle Exposure
- Class 6: Missing Roles and Permission Checks
- Class 7: Transition Validation Flaws
- Class 8: Replays of Idempotency Operations
- Class 9: Race Condition and Concurrency Issues
- Class 10: Resource Quota Violations
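As an added illustration (not code from the OWASP project or this article), the small order workflow below shows what three of these classes look like in practice: a handler that trusts a client-supplied state (Class 4, Sequential State Bypass, and Class 7, Transition Validation Flaws) beside a hardened handler that enforces an explicit transition table and rejects a replayed request by idempotency key (Class 8). The states, actions and sample requests are constructed for the example.

```python
# Constructed example: an order lifecycle with an explicit transition table.
# (current_state, action) -> next_state; anything not listed is forbidden.
ALLOWED = {
    ("created", "pay"): "paid",
    ("paid", "ship"): "shipped",
    ("shipped", "deliver"): "delivered",
    ("paid", "refund"): "refunded",
    ("delivered", "refund"): "refunded",
}


class Order:
    def __init__(self, order_id):
        self.order_id = order_id
        self.state = "created"
        self.seen_keys = set()   # idempotency keys already processed
        self.ledger = []         # side effects (e.g. payments, refunds)


def set_state_unchecked(order, new_state):
    """Flawed handler: accepts whatever state the client asks for, so an
    order can jump from 'created' straight to 'shipped' without paying."""
    order.state = new_state
    return order.state


def can_transition(order, action):
    """True if the action is a legal next step from the order's current state."""
    return (order.state, action) in ALLOWED


def apply_action(order, action, idem_key):
    """Hardened handler: only table-listed transitions are applied, and a
    request carrying an already-seen idempotency key is answered without
    repeating its side effect (a replayed refund must not pay out twice)."""
    if idem_key in order.seen_keys:
        return order.state
    if not can_transition(order, action):
        raise ValueError(f"'{action}' is not allowed from state '{order.state}'")
    order.seen_keys.add(idem_key)
    order.ledger.append((action, ALLOWED[(order.state, action)]))
    order.state = ALLOWED[(order.state, action)]
    return order.state


if __name__ == "__main__":
    o = Order("demo-1")
    print(set_state_unchecked(o, "shipped"))        # flawed: 'shipped', never paid
    h = Order("demo-2")
    print(can_transition(h, "ship"))                # False: must pay first
    print(apply_action(h, "pay", "req-1"), apply_action(h, "refund", "req-2"))
    print(apply_action(h, "refund", "req-2"), len(h.ledger))  # replay ignored
```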
The publication is intended to assist security practitioners, developers, and organisations in identifying and mitigating business logic flaws that are increasingly targeted in modern environments, including APIs and cloud-native applications.
The project leaders indicate that the Business Logic Abuse Top 10 will remain a community-driven effort. OWASP will continue to accept feedback and contributions to develop the list further, aligning with the organisation's principles of transparency and collaboration.