Business Logic Errors
The product does not properly implement the business logic rules, which may allow users to manipulate the system in unintended ways.
Business logic errors occur when the application's implementation doesn't correctly enforce the intended business rules. Unlike technical vulnerabilities, these are flaws in the application's design or logic.
Comment corriger cette vulnérabilité
Stratégies de prévention pour Business Logic Errors basées sur 3 règles de détection Shoulder.
Calculate financial values server-side from trusted data sources instead of accepting client-submitted totals
package main import ( "net/http" "strconv" ) func checkoutHandler(w http.ResponseWriter, r *http.Request) { - total, _ := strconv.ParseFloat(r.FormValue("total"), 64) + productID := r.FormValue("product_id") + qty, err := strconv.Atoi(r.FormValue("quantity")) + if err != nil || qty <= 0 { + http.Error(w, "Invalid quantity", http.StatusBadRequest) + return + } + + var product Product + if err := db.First(&product, productID).Error; err != nil { + http.Error(w, "Product not found", http.StatusNotFound) + return + } + + total := product.Price * float64(qty) processPayment(total) w.Write([]byte("Payment processed")) }
Calculate totals and prices server-side using database values instead of client-submitted data
app.post('/checkout', async (req, res) => { - const { total } = req.body; + const product = await Product.findById(req.body.productId); + const total = product.price * req.body.quantity; await stripe.charges.create({ amount: total, currency: 'usd' }); });
Calculate totals server-side using database prices instead of client-submitted values
from flask import request @app.route('/checkout', methods=['POST']) def checkout(): - price = float(request.form['price']) - quantity = int(request.form['quantity']) - stripe.Charge.create(amount=int(price * quantity * 100)) + item_id = int(request.form['item_id']) + quantity = int(request.form['quantity']) + product = Product.query.get(item_id) + total = product.price * quantity + stripe.Charge.create(amount=int(total * 100))
Trouvez les vulnérabilités dans votre code
Utilisez Shoulder pour scanner votre code à la recherche de patterns Business Logic Errors. 3 règles.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=840 # Or scan entire project npx @shoulderdev/cli trust .
Règles de Détection (3)
Ce qu'il faut surveiller lors des revues de code
Ces patterns indiquent des vulnérabilités potentielles Business Logic Errors. Recherchez-les lors des revues de code et des audits de sécurité.
Scannez votre base de code pour Business Logic Errors
Shoulder CLI trouve les motifs vulnérables dans toute votre base de code.