A Business Logic Attack (BLA) is an attack which targets the logic of a business application. The business application may be an online clothing shop, an online ticketing service for a theater, or even an Internet poll. As opposed to “traditional”, technical, application attacks, for example, XSS or SQL Injection, business logic attacks do not contain malformed requests and include legitimate input values making this sort of attack difficult to detect. Furthermore BLAs abuse the functionality of the application, attacking the business directly. A BLA is further enhanced when combined with automation where botnets are used to challenge the business application. These automated attackers are called Business Logic Bots (BLBs).
Business Logic Bots automate the process of a Business Logic Attack. They may be used to conduct other well-known attacks such as brute-forcing an application for the purpose of cracking login credentials. They may be used to perform Denial of Service by locking resources. For example, an online ticketing service may hold reserved seats for ten minutes before actually timing out if a purchase is not made. A BLB may then attempt to reserve all seats rendering the seats unavailable for potential customers. A BLB may be used to perform Web Spam through forum posting or simply for Click Fraud may be conducted by a BLB.
BLBs have been used in the implementation of more sophisticated attacks. One particular example is Queue Jumping, where the BLB exploits those applications which implement a service serving requests based on a first-come first-serve basis. The BLB polls the queue at high frequency to gain front positions of the queue. Most commonly we see these attacks launched at online ticket providers when high profile concert tickets are being offered. These attacks are also used for Auctions Sniping in online bidding applications where a BLB inserts a winning bid right before the end of a bid, preventing other bidders to outbid the sniper. Other usages are Poll Skewing, Online Game Tampering and information harvesting.
Combating BLAs and BLBs requires a new set of prevention and detection techniques. The new techniques should strive for accuracy, but at the same time be able to accommodate a certain degree of error (false positives) without breaking the application.
The solution is comprised of two stages: detection and mitigation. A key point used to detect a BLA is that there are often multiple requests to the application (as compared to a “traditional” attack where there is usually just one single request against the server).
Detection should consist of several methods as no single one may determine automated abuse of the functionality. Detection techniques include the traditional method of using black-lists and verifying the request structure, which can later be used for blocking. In order to detect those attacks which bypass the traditional techniques, other methods should be implemented such as adding extra content to be interpreted differently by a human-driven browser and by an automated tool, testing application flow usage and different measurement metrics such as event frequency and click rates.
Mitigation techniques should try and decrease the effects of an attack by raising the cost of an attack. Most often the system’s reaction to a suspected automation attempt should not be blocking but rather challenging the client in such a way that legitimate clients are not materially affected but automated clients become ineffective. These challenges take into consideration that a second of delay is not noticed by a human but can make the difference for an automated attack. Such delays can be implemented by using CAPTCHAs, by providing client-side computational challenges, or adding bogus links which cause an automated tool to follow indefinitely.