https://github.com/s4dhulabs/lfwfbd
A collection of AppSec case studies on business logic flaws and insecure design scenarios.
- Host: GitHub
- URL: https://github.com/s4dhulabs/lfwfbd
- Owner: s4dhulabs
- License: gpl-3.0
- Created: 2022-08-05T12:29:57.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-11-20T17:47:23.000Z (about 2 years ago)
- Last Synced: 2024-10-12T07:26:39.905Z (3 months ago)
- Topics: applicationsecurity, appsec, appsecstudies, devsecops, insecuredesign, logicflaws, pentesting
- Homepage:
- Size: 276 KB
- Stars: 5
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

README
# LFWF:BD - Logic Flaws Work Fine by Design
A collection of AppSec case studies on business logic flaws and insecure design scenarios.

![image](https://user-images.githubusercontent.com/89562876/183073831-20a71b0e-4f88-4510-80bc-3c1396ef66d8.png)
## Overview
The first thing to be aware of here is that this project is meant to be precisely what the name indicates: **case studies** on how to look at these issues and possibly handle them in a less harmful (and more creative) way. It is equally important to note that this project is a product of brainstorming and creativity and does not aim to offer silver bullets, magical formulas, or universal truths about how to approach AppSec, mainly because there is no such thing.

Instead, this is about ideas I have been polishing for a long time during my journey in information security. That said, these insights may also help you, whether you are developing or testing application controls.
#### What about this name?
This captures the very nature and motivation of this project. It is a gentle reminder that logic flaws and insecure design issues can affect your business, your clients, and the whole user experience while, in theory, everything is just fine and according to plan, with no [detectable] vulnerabilities to worry about.

## Project Objectives
* Help software engineers and developers build secure controls that avoid logic pitfalls.
* Give pentesters, QAs, and bug hunters a detailed perspective on logic flaws and insecure designs.
* Provide case studies as references for research, secure coding practices, and security assessments.
* Provide a resource to enrich awareness initiatives focused on developers or incident response teams.
* Provide a cross-perspective on each issue that considers both the developer's and the attacker's points of view.
* Offer case study scenarios to enrich the Threat Modeling process.
Available case studies in this first release:

| **ID** | **Case study** | **Cases** | **Status** |
| :-----: | :-----: | :-----: | :-----: |
| **LFCS-01** | [Legitimate User Punished by Security Mechanism](https://github.com/s4dhulabs/LFWFBD/blob/main/Cases/LFCS-01.md) | 1 | Available ✔️ |
| **LFCS-02** | [Insecure Identity Validation Workflow](https://github.com/s4dhulabs/LFWFBD/blob/main/Cases/LFCS-02.md) | 2 | In progress :factory_worker: |
| **LFCS-03** | [User Exposure by Verborragic Mechanism](https://github.com/s4dhulabs/LFWFBD/blob/main/Cases/LFCS-03.md) | 2 | In progress :factory_worker: |
| **LFCS-04** | [Wrong Authorization Assumption](https://github.com/s4dhulabs/LFWFBD/blob/main/Cases/LFCS-04.md) | 2 | In progress :factory_worker: |
_Soon we will have a guide on how this project can be used from different perspectives and for different goals._