Premise of business logic security risk
2022-06-10 07:30:00 【Stars return to the wild】
The premise of implementing business logic is: distinguish each user, provide each user with independent service content, allow the client to interact with the server, and divide authority effectively.
An attack on a Web application is a process of moving from zero permissions to the highest permissions. The attacker's core goal is to elevate their privileges by every available means: the greater the privileges obtained, the more useful they are to the subsequent attack.
Suppose a website lacks permission management. This leads to horizontal privilege escalation (a logged-in user acting on another user's data at the same privilege level), which poses a serious hidden danger to the website.
Permission management is the core means of tiered management of a website's users; it directly determines the security of the site's users, of its administrators, and of the site itself.
In recent years, attacks exploiting web logic flaws have exploded, and at their core they are attacks on permission logic. Permissions therefore need to be managed completely and effectively.
Because a Web application has many roles, and most roles' permissions are highly subdivided, overly fine-grained permissions also make the site inconvenient to manage. To solve this problem, it is generally recommended to divide permissions from multiple perspectives, that is, to manage permissions hierarchically.
- Classified management: classify the site's future users by type, and apply management specific to each type of user.
- Decentralized management: a further refinement on top of classified management; decentralized management can be regarded as the continuation of classified management.
The essence of user management is permission management .
Logic problems mainly manifest in the overall execution flow of the program. Compared with the basic security of a Web application, business logic differs in that its main functions can only be completed through multiple steps.
From the attacker's point of view: if I log in with my own account A, but can through various operations actually act on account B, then I have obtained account B's permissions.
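The following is an added example, not code from the original post. It puts the two ideas above into working code: the horizontal privilege escalation just described (an authenticated user reading or changing another user's account merely by supplying its id), beside a fix that applies the hierarchical permission model from the earlier paragraphs, first by role (classified management), then refined by object ownership (decentralized management). The account data, usernames, role names and permission strings are all constructed for the example.

```python
"""Constructed example: an in-memory account service with and without authorization.

Nothing here comes from the original post; the accounts, users, roles and
permission names are invented to illustrate the permission model.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"          # ordinary customer: only their own account
    SUPPORT = "support"    # may read any account, but not change it
    ADMIN = "admin"        # may read and change any account


class Forbidden(Exception):
    """Raised when an authenticated session lacks the permission for an action."""


@dataclass
class Account:
    id: int
    owner: str
    balance: int


@dataclass
class Session:
    """What the server knows after login: who the caller is and which role they hold."""
    username: str
    role: Role


# Constructed sample data: two customers' accounts.
ACCOUNTS = {
    1: Account(id=1, owner="alice", balance=100),
    2: Account(id=2, owner="bob", balance=250),
}


def get_account_vulnerable(session: Session, account_id: int) -> Account:
    """Authentication without authorization.

    The caller is logged in, but the handler never asks whether this session may
    see this account, so alice can read bob's account simply by passing id=2.
    This is the horizontal privilege escalation the text warns about.
    """
    return ACCOUNTS[account_id]


# Step 1 (classified management): each role gets a coarse permission set.
# Step 2 (decentralized management): "*_own" permissions are refined per object
# by comparing the account owner with the session's user at request time.
PERMISSIONS = {
    Role.USER: {"account:read_own", "account:update_own"},
    Role.SUPPORT: {"account:read_own", "account:read_any"},
    Role.ADMIN: {"account:read_own", "account:read_any", "account:update_any"},
}


def authorize(session: Session, action: str, account: Account) -> None:
    """Allow the action if the role grants it globally or on the caller's own object."""
    perms = PERMISSIONS[session.role]
    if f"account:{action}_any" in perms:
        return
    if f"account:{action}_own" in perms and account.owner == session.username:
        return
    raise Forbidden(f"{session.username} ({session.role.value}) may not {action} account {account.id}")


def get_account(session: Session, account_id: int) -> Account:
    """Hardened read: look up the object, then check the session against it."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    authorize(session, "read", account)
    return account


def update_balance(session: Session, account_id: int, new_balance: int) -> Account:
    """Hardened write: same pattern, using the 'update' permission."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    authorize(session, "update", account)
    account.balance = new_balance
    return account


def can(session: Session, action: str, account_id: int) -> bool:
    """Convenience check used to demonstrate the policy without raising."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False
    try:
        authorize(session, action, account)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    alice = Session("alice", Role.USER)
    print("vulnerable: alice reads bob ->", get_account_vulnerable(alice, 2))
    print("hardened:   alice reads bob ->", can(alice, "read", 2))
    print("hardened:   alice reads self ->", can(alice, "read", 1))
```

The key design point is that the permission check happens after the object is loaded and takes the object into account: a role check alone ("is the caller a user?") cannot stop one user from touching another user's data, and an ownership check alone cannot express roles such as support or admin. Keeping the role table coarse and doing the per-object refinement in `authorize` is what keeps the permission set from becoming too fine-grained to manage, which is the trade-off the text describes.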