It’s all about business logic security!
In May’22, a major Indian payment gateway reported a fraud of 7.3 Crore (approx. 1 million US$). A few months earlier, in Feb’22, the world’s top crypto-exchange – Coinbase – had to suspend trading when a breach was reported in which a user could sell cryptocurrency without owning it. Similarly, in Nov’21, white-hat hacker Alissa Knight reported that 55 banking applications of large global banks had vulnerabilities that allowed anyone to change debit card PINs as well as move money across accounts WITHOUT the account owner’s authorization.
These are examples of BUSINESS LOGIC EXPLOITS, where attackers bypassed the application’s business logic to carry out fraud, resulting in financial and reputational losses for the organizations.
A simple change of a parameter in the second API (Access Profile API) resulted in a massive data breach. Ironically, current-generation security solutions like WAFs, NGFWs, API gateways, or SAST/DAST tools are blind to business-logic attacks!
To read more, fill in the form and download the whitepaper.