Incorporating business logic to get the best out of DAST

Knowing what to test is a prerequisite for all testing but is especially important for dynamic application security testing (DAST). To guide a vulnerability scanner through every part of your application with full authentication and without extensive manual setup, you can use advanced features such as Invicti’s Business Logic Recorder and custom script editor.


Why business logic makes life difficult for (some) scanners

Today’s web applications are nothing like the static websites of old – the code that your browser loads and manipulates at any given moment changes constantly in response to user interactions and the business logic of the application itself. Any modern web vulnerability scanner worth its salt has an embedded browser engine and is able to simulate user interactions, allowing it to automatically perform crawling and testing even on highly dynamic pages.

Things get tricky when an application includes items or sections that are only loaded in specific cases that depend on the underlying business logic. For example, a sales app might take the user through a different sequence of approval pages depending on the transaction value. Without knowing this (along with the value ranges used in that specific company), automated DAST has no way of telling that different values will cause the browser to navigate through a different sequence of pages with different elements and parameters to test for vulnerabilities. To scan all these potential attack surfaces, you need a way to guide the scanner.

To access any useful application functionality in the first place, both users and scanners need to go through a business-specific authentication process. While DAST solutions such as Invicti support most of the popular authentication methods out-of-the-box, many enterprises use custom authentication flows that follow their unique business logic. Again, you need a way to show the scanner how to log in safely, reliably, and in accordance with business logic – and this is where Invicti’s advanced features can save you lots of time and frustration.

The dangers of ignoring business logic in application security testing

Before we get into the technicalities – does it really matter whether you think about business logic when planning your security testing? Well, quite apart from actual business logic vulnerabilities (see the note below), following business flows through the application is crucial for maximizing coverage by identifying and testing all the attack points that could show up in different use cases. If your vulnerability scanner (or penetration tester, for that matter) doesn’t explore and test every page and element that a potential attacker could access, you cannot say you’ve done everything you can to secure the application – and you are putting the entire business at risk.

To clarify, this post is not about business logic vulnerabilities but about ways to incorporate business logic to crawl applications and then scan them for technical vulnerabilities. Business logic vulnerabilities are a completely separate class of security issues that result from flawed business rules, not from technical implementation defects in the application code.

Pointing the way with the Business Logic Recorder

To provide an easy way to show the crawler and scanner the forms and pages that are only loaded following a specific sequence of operations, Invicti Enterprise includes the Business Logic Recorder (BLR). Using the BLR, you can record any number of interaction sequences that are then replayed by the Invicti crawler to ensure that subsequent testing also covers logic-dependent test targets. The BLR enables you not only to record flows but also to edit them, including the ability to reorder operations and specify request timeouts – all in a convenient and fully integrated visual tool.

Broadly speaking, there are two types of business flows where you may want to use the Business Logic Recorder. First, it is common for sites to have multi-step forms that display different fields and skip or add steps depending on the values you select along the way. For example, when you’re ordering in an online store, the available shipping options will most likely vary depending on your selections. The site might load different fields and page components depending on your region and delivery method, so to load, crawl, and test all the possible controls, you can record multiple input sequences with the BLR.

Other times, you may have parts of an application that are only reachable when specific business logic constraints are met. Continuing with the online store example, many fields in the checkout process are likely to perform validation to, say, look up valid postal codes or existing street addresses. A scanner can only load and test the final page of the checkout process if it provides valid values at every step. Again, preparing suitable input sequences in the BLR can help you guide the scanner into every part of the application in a matter of minutes. To learn more, see our support page for the Business Logic Recorder.
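To make the coverage argument concrete, here is an added example (constructed for this post, not Invicti’s code) that models a checkout as a small state machine whose next page depends on region, delivery method and postcode validation, then compares a crawler that submits default values with one that replays recorded input sequences. The page names, postcodes and branching rules are all made up.

```python
# Constructed toy checkout flow: next page depends on business logic.
from typing import Dict, List, Optional, Set

VALID_POSTCODES = {"10115", "75001"}  # constructed lookup table


def next_page(page: str, inputs: Dict[str, str]) -> Optional[str]:
    """Business rules of the constructed flow; returns None when finished."""
    if page == "cart":
        return "address"
    if page == "address":
        # Validation gate: an unknown postcode re-displays the same form.
        if inputs.get("postcode") not in VALID_POSTCODES:
            return "address"
        return "shipping_eu" if inputs.get("region") == "EU" else "shipping_intl"
    if page == "shipping_intl":
        # Express international delivery adds a customs declaration step.
        return "customs" if inputs.get("method") == "express" else "payment"
    if page in ("shipping_eu", "customs"):
        return "payment"
    if page == "payment":
        return "confirm"
    return None  # 'confirm' is terminal


def replay(sequence: List[Dict[str, str]], max_steps: int = 10) -> Set[str]:
    """Walk from 'cart', submitting the i-th recorded input set at step i."""
    page, seen = "cart", {"cart"}
    for step in range(max_steps):
        inputs = sequence[step] if step < len(sequence) else {}
        page = next_page(page, inputs)
        if page is None:
            break
        seen.add(page)
    return seen


def naive_coverage() -> Set[str]:
    # Scanner with no business-logic guidance: empty/default inputs everywhere.
    return replay([])


def recorded_coverage(flows: List[List[Dict[str, str]]]) -> Set[str]:
    # Union of everything reached by each recorded sequence.
    seen: Set[str] = set()
    for flow in flows:
        seen |= replay(flow)
    return seen


# Constructed "recordings": one sequence per branch the tester knows about.
RECORDED_FLOWS = [
    [{}, {"postcode": "10115", "region": "EU"}],
    [{}, {"postcode": "75001", "region": "US"}, {"method": "express"}],
]
ALL_PAGES = {"cart", "address", "shipping_eu", "shipping_intl",
             "customs", "payment", "confirm"}
```

The naive crawler never gets past the postcode check, so it sees only the cart and address pages; the two recorded sequences together reach every page, including the customs step that only appears for one branch.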

Configuring authentication with the custom script editor

Automatic scan authentication can be a pain to set up and troubleshoot. Especially with less advanced solutions that don’t provide instant feedback, your only indication of auth issues could be that scans fail, return zero results, or only work on some pages. To save you hours of frustration, Invicti Enterprise comes with an interactive visual editor for setting up custom authentication flows. In the custom script editor, you interact with a simulated copy of your login forms to enter business-specific values and correctly navigate across pages for multi-page forms.

Having a dedicated editor for authentication flows not only saves you time and effort but (most importantly) helps to ensure that all sections of your site or application are tested for vulnerabilities. To learn more, see our blog post on the custom script editor and support page on custom authentication scripting.

Apart from the integrated tools for recording business logic, you also have the option of using Invicti Standard in internal proxy mode and navigating to the URLs you want to test. You can do this manually in a browser or by playing back a macro sequence from Selenium or a similar testing tool. All links captured in proxy mode will be added to the scan list and tested for vulnerabilities.

To learn more, see our support page on crawling in proxy mode.

More thorough scanning reduces risk and saves you money

Automated DAST has become an essential part of any application security program, but as with everything in security, there is a world of difference between ticking the box and getting actual improvements. The best modern solutions are steadily dispelling myths about the things DAST supposedly cannot do – and with Invicti, crawling custom business logic flows with enterprise-grade authentication is now a reality. By maximizing test coverage, you are not only improving security but also getting more value from your entire AppSec program.

Having an accurate scanner that can handle many of the security tests that used to require manual work means you can speed up and automate these processes to improve security while also saving a lot of time and money spent on manual penetration testing. This is especially useful for automating the tedium of clicking through all possible business flows, as it allows your teams to focus on more valuable and interesting tasks that really need their expertise and intuition.

So if you haven’t been testing all parts of your web applications for lack of resources, now is definitely the time to start – and Invicti already comes with all the tools you need to do it automatically.

Zbigniew Banach

About the Author

Zbigniew Banach - Senior Technical Content Writer

Cybersecurity writer at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.