s4dhulabs/LFWFBD
LFWF:BD - Logic Flaws Work Fine by Design

A collection of AppSec case studies on business logic flaws and insecure design scenarios.

Overview

The first thing to be aware of is that this project is meant to be precisely what its name indicates: case studies on how to look at logic flaws and insecure design issues, and how to handle them in a less harmful (and more creative) fashion.

It is equally important to note that this project is a product of brainstorming and creativity. It does not aim to offer silver bullets, magic formulas, or universal truths about how to approach AppSec, mainly because there is no such thing.

Instead, it collects ideas I have been polishing for a long time during my journey in information security. That said, these insights may also help you, whether you are developing or testing application controls.

What about this name?

The name captures the nature and motivation of this project. It is a gentle reminder that logic flaws and insecure design issues can harm your business, your clients, and the whole user experience while, on paper, everything works just fine and according to plan: the application does exactly what it was designed to do, so there are no [detectable] vulnerabilities to worry about. The flaw is in the design itself, not in a bug that a scanner or a failing test would reveal.

Project Objectives

  • Help software engineers and developers build secure controls while avoiding logic pitfalls.
  • Give pentesters, QAs, and bug hunters a detailed perspective on logic flaws and insecure designs.
  • Provide case studies to support research, secure coding practices, and security assessments.
  • Provide a resource to enrich awareness initiatives aimed at developers or incident response teams.
  • Provide a cross-perspective on each issue, considering both the developer's and the attacker's points of view.
  • Offer case study scenarios to enrich the threat modeling process.

Available case studies in this first release:

| ID | Case study | Cases | Status |
|---|---|---|---|
| LFCS-01 | Legitimate User Punished by Security Mechanism | 1 | Available ✔️ |
| LFCS-02 | Insecure Identity Validation Workflow | 2 | In progress 🧑‍🏭 |
| LFCS-03 | User Exposure by Verborragic Mechanism | 2 | In progress 🧑‍🏭 |
| LFCS-04 | Wrong Authorization Assumption | 2 | In progress 🧑‍🏭 |


A guide on how to use this project from different perspectives and for different goals will follow soon.
