Misuse and abuse cases describe how a user can misuse a software feature, or exploit weaknesses in its controls, to attack an application. The business impact is tangible when the target is a business function that brings in revenue or delivers the user experience customers expect. Abuse cases are also an effective way to drive security requirements that lead to proper protection of these critical business use cases.
When exploring misuse and abuse cases, the seven touchpoints for software security are a good place to start, since they provide the foundation for the instances discussed in this post. Below, we delve into three abuse cases that show how to use the technique effectively to improve the security of an application’s business features.
The shopping cart use case
An online retailer plans to support an anonymous checkout and payment flow: an anonymous user can enter a shipping address and payment details, place the order, and expect delivery without ever registering an account.
In the design, when an item is added to the shopping cart, stock is reserved for that item. So if there were a total of 500 pairs of pants available, and someone adds a pair to their cart, there are now 499 pairs of pants available for other customers.
Abuse case #1
A user misuses the shopping cart by adding a large quantity of products without the intent to purchase
Reserving stock when a user adds items to their cart provides convenience to the user, at the risk of forfeiting buying opportunities for other users. The following security controls can be considered to mitigate the risk:
- Reserve stock once a user initiates the checkout process, rather than when they add items to their shopping cart. Supplement by communicating low-stock conditions to the user. For example, the delivery of a notification on the product page or a pop-up once an item has been added to the shopping cart to indicate that there are only “X” units left in stock.
- Limit the number of items allowed in the shopping cart. The limit can be a heuristic based on popularity; for example, a lower limit can be applied to hot-selling items.
- Implement timers on items added to the cart, or to the entire cart. Once the item or cart’s time limit expires, reserved stock is released back into the pool of available items.
- Support over-subscription through the implementation of a feature to compensate users whose orders couldn’t be fulfilled (e.g. guaranteed delivery on their next order, providing a discount or voucher, etc.).
- Monitor and release. If the available stock for an item falls below a pre-defined threshold, an alert should be raised immediately. Customer support should have a way to inspect the related carts, reservation times, and reservation patterns, and should be able to terminate a suspicious reservation, using standardized customer communication or protocols to manage customer expectations.
Abuse case #2
Denial of service attack with anonymous accounts
Attackers can take advantage of the anonymity of the shopping cart to attack the system by repeatedly starting a fresh browser session, creating a new cart, and reserving a large quantity of items. The monitor-and-release control explained above can help. Heuristic controls can also be considered:
- Implement tiered trust. Assign additional privileges to registered accounts, and fewer to anonymous accounts. For example, change the reservation limit and holding time based on registered/anonymous status.
- Use a “likelihood to action” score to prioritize inventory holds. Signals such as the Referer header, mouse movement (hot-spot tracking), User-Agent string, screen resolution, IP range, geolocation data, and so on can be measured and fed into a “likelihood to action” analysis (calibrated against historic sales data) that decides whether or not to reserve stock for that user. Since every one of these signals is supplied by the client and can be spoofed, the score should adjust a session’s reservation limit or hold time rather than act as the sole gate.
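The following is an added example, not code from the original post, that puts the abuse case #1 controls (reserve at checkout rather than on add-to-cart, a per-item cap that is lower for hot-selling items, timed holds that are released back to the pool, and a low-stock monitoring hook) together with the tiered-trust idea from the list above, where registered and anonymous carts get different caps and hold times. The policy table, the SKU names and the quantities are hypothetical values chosen for illustration; a controllable clock is injected so the expiry path can be exercised without sleeping.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Hypothetical tiered-trust policy (assumption, not from the post): registered carts
# get a higher per-item cap and a longer hold than anonymous carts, and hot-selling
# items are capped lower than ordinary items for both tiers.
POLICY = {
    "registered": {"limit": 10, "hot_limit": 3, "hold_seconds": 30 * 60},
    "anonymous":  {"limit": 4,  "hot_limit": 1, "hold_seconds": 10 * 60},
}


@dataclass
class Reservation:
    cart_id: str
    sku: str
    qty: int
    expires_at: float


class Inventory:
    """Stock pool that reserves only when checkout starts (never on add-to-cart),
    caps per-cart quantity by trust tier and item popularity, and releases
    expired holds back into the available pool."""

    def __init__(self, stock: Dict[str, int], hot_skus: Set[str],
                 clock: Callable[[], float] = time.monotonic):
        self._stock = dict(stock)      # units currently available per SKU
        self._hot = set(hot_skus)      # SKUs treated as hot-selling
        self._clock = clock
        self._holds: List[Reservation] = []

    def _release_expired(self) -> int:
        """Return expired holds to stock; reports how many units were freed."""
        now = self._clock()
        freed, live = 0, []
        for r in self._holds:
            if r.expires_at <= now:
                self._stock[r.sku] += r.qty
                freed += r.qty
            else:
                live.append(r)
        self._holds = live
        return freed

    def available(self, sku: str) -> int:
        self._release_expired()
        return self._stock.get(sku, 0)

    def limit_for(self, sku: str, tier: str) -> int:
        p = POLICY[tier]
        return p["hot_limit"] if sku in self._hot else p["limit"]

    def start_checkout(self, cart_id: str, sku: str, qty: int, tier: str) -> bool:
        """Reserve stock as checkout begins. Refuses quantities above the
        tier/popularity cap or beyond what is available."""
        self._release_expired()
        if qty <= 0 or qty > self.limit_for(sku, tier):
            return False
        if self._stock.get(sku, 0) < qty:
            return False
        self._stock[sku] -= qty
        expires = self._clock() + POLICY[tier]["hold_seconds"]
        self._holds.append(Reservation(cart_id, sku, qty, expires))
        return True

    def place_order(self, cart_id: str) -> int:
        """Payment succeeded: the cart's holds become a sale. Returns units sold."""
        sold = sum(r.qty for r in self._holds if r.cart_id == cart_id)
        self._holds = [r for r in self._holds if r.cart_id != cart_id]
        return sold

    def low_stock_alert(self, sku: str, threshold: int) -> bool:
        """Monitor-and-release hook: true once available stock is at or below threshold."""
        return self.available(sku) <= threshold


class FakeClock:
    """Controllable clock so hold expiry can be driven deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenario() -> dict:
    """Walk through abuse case #1 and the tiered-trust control; returns observed values."""
    clock = FakeClock()
    inv = Inventory({"pants": 500, "sneaker": 20}, hot_skus={"sneaker"}, clock=clock)
    out = {}
    # An anonymous cart tries to hoard a hot item: the anonymous hot-item cap (1) refuses it.
    out["hoard_refused"] = inv.start_checkout("anon-1", "sneaker", 20, "anonymous")
    out["anon_hold"] = inv.start_checkout("anon-1", "sneaker", 1, "anonymous")
    out["reg_hold"] = inv.start_checkout("reg-1", "sneaker", 3, "registered")
    out["sneakers_during_holds"] = inv.available("sneaker")          # 20 - 1 - 3
    out["reg_sold"] = inv.place_order("reg-1")                        # registered customer pays
    clock.advance(POLICY["anonymous"]["hold_seconds"] + 1)            # anonymous hold lapses
    out["sneakers_after_expiry"] = inv.available("sneaker")          # abandoned unit returns
    out["alert"] = inv.low_stock_alert("sneaker", 18)
    return out


if __name__ == "__main__":
    print(scenario())
```

The abandoned anonymous hold comes back into the pool after ten minutes, while a registered cart would have kept its hold three times as long; tuning those two numbers against real checkout-to-payment times is the business-impact assessment the post calls for.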
Abuse case #3
Automated denial of service attacks using botnet or testing tools
Attackers may use botnets or testing tools to create shopping carts and reserve products periodically. This can exhaust the inventory with constant holdings. This risk can be mitigated with the following controls:
- Use a no-CAPTCHA reCAPTCHA control to raise the cost of automated attacks.
- Subscribe to IP blacklist feeds and use IP “threat intelligence” to screen out known botnet sources, bearing in mind that carrier-grade NAT and corporate proxies put many legitimate customers behind a single address.
- Rate-limit browser sessions that issue “suspicious” item reservation requests; for example, reserving many units of a single item, adding many items to a cart in a very short time frame (e.g. more than one item per second), or continuous, periodic reservation requests from the same IP.
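As an added example, not part of the original post, the detection logic behind the rate-limiting control above is run over a handful of constructed request-log lines. The key=value log format, the thresholds, and the sessions are all hypothetical; the IP addresses come from the RFC 5737 documentation ranges. It flags the three patterns the post lists: a burst of add-to-cart requests faster than one per second, a single reservation for an implausible quantity, and reservation requests arriving from one IP on a near-constant cadence.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not from the post). Hypothetical key=value format;
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000Z ip=203.0.113.5 session=s-anon-1 action=add qty=1 sku=pants
2024-05-01T10:00:00.200Z ip=203.0.113.5 session=s-anon-1 action=add qty=1 sku=shirt
2024-05-01T10:00:00.400Z ip=203.0.113.5 session=s-anon-1 action=add qty=1 sku=socks
2024-05-01T10:00:00.600Z ip=203.0.113.5 session=s-anon-1 action=add qty=1 sku=belt
2024-05-01T10:00:05.000Z ip=198.51.100.9 session=s-user-7 action=add qty=1 sku=pants
2024-05-01T10:00:09.000Z ip=198.51.100.9 session=s-user-7 action=reserve qty=1 sku=pants
2024-05-01T10:01:00.000Z ip=203.0.113.77 session=s-anon-2 action=reserve qty=200 sku=sneaker
2024-05-01T10:10:00.000Z ip=203.0.113.88 session=s-anon-3 action=reserve qty=2 sku=pants
2024-05-01T10:20:00.000Z ip=203.0.113.88 session=s-anon-4 action=reserve qty=2 sku=pants
2024-05-01T10:30:00.000Z ip=203.0.113.88 session=s-anon-5 action=reserve qty=2 sku=pants
2024-05-01T10:40:00.000Z ip=203.0.113.88 session=s-anon-6 action=reserve qty=2 sku=pants
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) session=(?P<session>\S+) "
    r"action=(?P<action>\S+) qty=(?P<qty>\d+) sku=(?P<sku>\S+)$"
)

# Hypothetical thresholds; tune against real traffic before enforcing.
MAX_ADDS_PER_SECOND = 1        # the post's "greater than 1 item a second"
MAX_QTY_PER_RESERVATION = 50   # single reservation larger than this is suspicious
PERIODIC_MIN_EVENTS = 4        # need this many reservations to judge cadence
PERIODIC_JITTER_SECONDS = 30   # gaps this close to constant look scripted


def parse(log_text: str) -> list:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc).timestamp(),
            "ip": m["ip"], "session": m["session"], "action": m["action"],
            "qty": int(m["qty"]), "sku": m["sku"],
        })
    return events


def burst_sessions(events: list) -> set:
    """Sessions with more than MAX_ADDS_PER_SECOND add-to-cart requests in any 1 s window."""
    by_session = defaultdict(list)
    for e in events:
        if e["action"] == "add":
            by_session[e["session"]].append(e["ts"])
    flagged = set()
    for session, stamps in by_session.items():
        stamps.sort()
        for i, start in enumerate(stamps):            # sliding 1-second window
            if sum(1 for t in stamps[i:] if t - start < 1.0) > MAX_ADDS_PER_SECOND:
                flagged.add(session)
                break
    return flagged


def oversized_reservations(events: list) -> set:
    """(session, sku) pairs that reserved an implausible quantity of one item."""
    return {(e["session"], e["sku"]) for e in events
            if e["action"] == "reserve" and e["qty"] > MAX_QTY_PER_RESERVATION}


def periodic_ips(events: list) -> set:
    """IPs whose reservation requests arrive on a near-constant interval."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "reserve":
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        if len(stamps) < PERIODIC_MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= PERIODIC_JITTER_SECONDS:
            flagged.add(ip)
    return flagged


def throttle_decisions(log_text: str) -> dict:
    """Which sessions and IPs the reservation endpoint should rate-limit."""
    events = parse(log_text)
    sessions = burst_sessions(events) | {s for s, _ in oversized_reservations(events)}
    return {"throttle_sessions": sorted(sessions),
            "throttle_ips": sorted(periodic_ips(events))}


if __name__ == "__main__":
    print(throttle_decisions(SAMPLE_LOG))
```

The cadence check keys on IP because a bot that rotates anonymous sessions (abuse case #2) still tends to come from the same address; the burst check keys on session because a single real customer behind a shared NAT should not be throttled for a neighbour’s behaviour.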
Misuse or abuse cases are an effective tool for driving security requirements that protect business features or processes. By designing countermeasures against each misuse or abuse case, the proper security controls can be identified. Since these controls are usually interwoven with business features, they need to be carefully assessed for their business impact. Common security principles and best practices, such as defense in depth, monitoring, detection, and prevention, apply here and help define the proper security requirements and design the appropriate security controls.