Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
| ID | Name | Description |
|---|---|---|
| CWE-283 | Unverified Ownership | The product does not properly verify that a critical resource is owned by the proper entity. |
| CWE-639 | Authorization Bypass Through User-Controlled Key | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-708 | Incorrect Ownership Assignment | The product assigns an owner to a resource, but the owner is outside of the intended control sphere. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | The product releases a resource that is still intended to be used by itself or another actor. |
| CWE-837 | Improper Enforcement of a Single, Unique Action | The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction. |
| CWE-841 | Improper Enforcement of Behavioral Workflow | The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. |

This category itself is a member of the following view:

| ID | Name | Description |
|---|---|---|
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle, including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
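The ownership, sequence and single-action entries in the table (CWE-283/CWE-639, CWE-841, CWE-837) are easiest to recognise when the weak pattern sits next to its fix. The block below is an added example, not CWE's own material: a constructed in-memory checkout service whose users, order ids and coupon code are sample data, with the unchecked lookup beside the ownership-checked one.

```python
# Added example, not from the CWE page: a tiny in-memory checkout service
# showing the weak pattern next to the hardened one for three table entries:
# CWE-639/CWE-283 (ownership of a client-supplied order id), CWE-841 (steps
# must run in sequence) and CWE-837 (a coupon is redeemed once). Constructed data.
from dataclasses import dataclass, field

STEPS = ("address", "payment", "confirm")   # required checkout sequence
class Denied(Exception): pass               # raised for any refused request

@dataclass
class Order:
    owner: str
    step: int = 0                           # index of the next required step
    coupons: set = field(default_factory=set)

ORDERS = {101: Order("alice"), 102: Order("bob")}   # constructed sample data

def get_order_weak(order_id):
    # CWE-639: trusts the client-supplied key; any user can fetch any order
    return ORDERS[order_id]

def get_order(user, order_id):
    """Hardened: look the order up, then verify the caller owns it."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise Denied("order not found")     # same answer for missing and foreign
    return order

def advance(user, order_id, step):
    """CWE-841 mitigation: accept a step only if it is the next one due."""
    order = get_order(user, order_id)
    if order.step >= len(STEPS) or STEPS[order.step] != step:
        raise Denied(f"step {step!r} out of sequence")
    order.step += 1
    return order.step                       # number of steps completed so far

def redeem(user, order_id, code):
    """CWE-837 mitigation: a coupon code applies to an order only once."""
    order = get_order(user, order_id)
    if code in order.coupons:
        raise Denied("coupon already redeemed")
    order.coupons.add(code)
    return len(order.coupons)

def is_denied(fn, *args):
    """True if the call is refused (used to exercise the checks above)."""
    try:
        fn(*args)
    except Denied:
        return True
    return False
```

Note that `get_order` answers "order not found" for both a missing and a foreign order, so the response does not reveal which ids exist.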