17 Application Logic Errors and Broken Access Control

Published 2024-10-11 20:34:02

Application logic errors and broken access control vulnerabilities are quite different from those we’ve discussed so far. Most of the vulnerabilities covered in previous chapters are caused by faulty input validation: they happen when polluted user input is processed without proper sanitization. These malicious inputs are syntactically different from normal user input and are designed to manipulate application logic and cause damage to the application or its users.

On the other hand, application logic errors and broken access control issues are often triggered by perfectly valid HTTP requests containing no illegal or malformed character sequences. Still, these requests are crafted intentionally to misuse the application’s logic for malicious purposes or circumvent the application’s access control.

Application logic errors are logic flaws in an application. Sometimes attackers can exploit them to cause harm to the organization, the application, or its users. Broken access control occurs when sensitive resources or functionality are not properly protected. To find these vulnerabilities, you cannot simply rely on your technical knowledge. Instead, you need to use your creativity and intuition to bypass restrictions set by the developers. This chapter explains these vulnerabilities, how they manifest in applications, and how you can test for them.
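To make the two categories concrete, here is an added example (not code from the book or from any real application) showing a broken access control flaw and an application logic error side by side with their fixes. Everything is hypothetical: the in-memory `INVOICES` and `PRICES` tables, the `Request` stand-in for an authenticated HTTP request, and the handler names are all constructed for illustration. Note that every request the example sends is syntactically perfect and would pass any input filter; the flaws live in what the handlers fail to check.

```python
"""Two illustrative flaws of the kinds this chapter introduces, written as
plain Python handlers (hypothetical, in-memory, no web framework needed).

1. Broken access control: the request is authenticated and well-formed, but
   references another user's resource (an insecure direct object reference).
2. Application logic error: a checkout trusts a cleanly parsed but
   semantically absurd quantity, so a valid request turns into a credit.
"""
from dataclasses import dataclass

# Constructed sample data, not taken from any real system.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 80.00},
}
PRICES = {"sku-book": 25.00}


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request."""
    user: str      # identity established by a valid session cookie
    params: dict   # query/body parameters; all syntactically valid


class Forbidden(Exception):
    """Raised when a request is denied by an authorization check."""


# --- 1. broken access control ----------------------------------------------
def get_invoice_vulnerable(req: Request) -> dict:
    """Authenticates (a session exists) but never authorizes: any logged-in
    user can read any invoice just by changing the id in a valid request."""
    return INVOICES[int(req.params["id"])]


def get_invoice_fixed(req: Request) -> dict:
    """Authorization is tied to the resource's owner, not to request shape.
    'Missing' and 'not yours' get the same response so an attacker cannot
    enumerate which ids exist."""
    inv = INVOICES.get(int(req.params["id"]))
    if inv is None or inv["owner"] != req.user:
        raise Forbidden("not found")
    return inv


# --- 2. application logic error --------------------------------------------
def checkout_vulnerable(req: Request) -> float:
    """Every field parses cleanly; the flaw is that a negative quantity is
    accepted, so the 'purchase' produces a negative total (a refund)."""
    qty = int(req.params["qty"])
    return PRICES[req.params["sku"]] * qty


def checkout_fixed(req: Request) -> float:
    """Validate the business meaning of the value, not just its syntax."""
    qty = int(req.params["qty"])
    if qty < 1:
        raise ValueError("quantity must be a positive integer")
    return PRICES[req.params["sku"]] * qty


def denied(handler, req: Request) -> bool:
    """True if the handler rejects the request with Forbidden or ValueError."""
    try:
        handler(req)
    except (Forbidden, ValueError):
        return True
    return False


if __name__ == "__main__":
    # bob sends a perfectly valid request for alice's invoice
    bob_reads_alice = Request(user="bob", params={"id": "1001"})
    print("vulnerable:", get_invoice_vulnerable(bob_reads_alice))   # leaks alice's data
    print("fixed denies:", denied(get_invoice_fixed, bob_reads_alice))

    # bob "buys" -3 books; no character in the request is malformed
    refund = Request(user="bob", params={"sku": "sku-book", "qty": "-3"})
    print("vulnerable total:", checkout_vulnerable(refund))          # -75.0
    print("fixed denies:", denied(checkout_fixed, refund))
```

The testing approach this suggests for both classes of bugs is the same: send requests that a parser would happily accept, then ask whether the application checked who is allowed to do this and whether the values make sense for the business process, rather than whether the input "looks" malicious.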
