What Are Business Logic Flaws?

Business logic flaws are vulnerabilities caused by incorrect implementation of the application's intended behavior. They are not caused by coding bugs, but rather by flawed assumptions about how users will interact with the system. These flaws can lead to severe consequences such as bypassing payment flows, privilege escalation, or abuse of discounts and limits.

🧩 Key Concepts

πŸ” Real-World Examples

1. Skipping Payment Step

A user modifies a request to change the status of an order to “paid” without completing the payment process.

POST /checkout/complete
order_id=789&payment_status=paid

💥 Impact: The system marks the order as paid without validating the actual transaction.

2. Abuse of Discount Logic

A site allows a discount coupon once per user. By registering multiple accounts or manipulating the user ID in requests, the same coupon can be reused.

POST /apply-coupon
user_id=1002&coupon=SUMMER50

💥 Impact: Business suffers financial loss from uncontrolled discounts.

3. Bypassing Access Control

A user requests another user’s invoice by changing the ID in the URL:

GET /invoices/view?id=401

💥 Impact: Sensitive financial data is exposed due to missing logic validation on ownership.

🧪 How to Test for Business Logic Flaws

  1. Understand the intended business flow by using the application as a normal user.
  2. Analyze edge cases: incomplete steps, wrong sequences, replaying requests.
  3. Tamper with parameters, skip steps, or modify HTTP methods.
  4. Use tools like Burp Suite Repeater/Intruder to simulate variations.
  5. Test multi-user scenarios (e.g., impersonation, privilege boundaries).
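The toy checkout service below is an added example, not code from the original article: it puts the three flawed handlers from the Real-World Examples section beside hardened versions that take identity from the authenticated session and order state from the server, and `run_checks` walks the edge cases from the testing checklist (skipped payment step, replayed request, coupon reuse with a rewritten user_id, cross-user invoice access). The class and function names (`Shop`, `Order`, `fresh_shop`, `blocked`, `run_checks`) and the in-memory data model are assumptions; order 789, invoice 401, coupon SUMMER50 and user ids 1001/1002 are taken from the sample requests above, and the 4999-cent amount and invoice 400 are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Order:
    order_id: int
    owner: int               # user id of the customer who created the order
    amount: int              # price in cents (constructed sample value)
    state: str = "created"   # lifecycle: "created" -> "paid"

@dataclass
class Shop:
    """Toy checkout back end; an assumption for this example, not the article's code."""
    orders: dict = field(default_factory=dict)              # order_id -> Order
    confirmed_payments: dict = field(default_factory=dict)  # order_id -> cents confirmed by the provider
    redemptions: dict = field(default_factory=dict)         # coupon code -> {user ids that redeemed it}
    invoices: dict = field(default_factory=dict)            # invoice_id -> owner user id

    # ---- flawed handlers: they trust state and identity supplied by the client ----
    def complete_checkout_flawed(self, params: dict) -> str:
        order = self.orders[int(params["order_id"])]
        if params.get("payment_status") == "paid":    # client says paid, so it is marked paid
            order.state = "paid"
        return order.state

    def apply_coupon_flawed(self, params: dict) -> bool:
        user = int(params["user_id"])                  # the caller chooses the user id
        used = self.redemptions.setdefault(params["coupon"], set())
        if user in used:
            return False
        used.add(user)
        return True

    def view_invoice_flawed(self, params: dict) -> Optional[int]:
        invoice_id = int(params["id"])                 # any existing id is served, owner not checked
        return invoice_id if invoice_id in self.invoices else None

    # ---- hardened handlers: identity from the session, state from the server ----
    def complete_checkout(self, session_user: int, params: dict) -> str:
        order = self.orders[int(params["order_id"])]
        if order.owner != session_user:
            raise PermissionError("order belongs to another user")
        if order.state != "created":                   # enforces the sequence and blocks replays
            raise ValueError("order is already " + order.state)
        if self.confirmed_payments.get(order.order_id) != order.amount:
            raise ValueError("payment not confirmed by provider")  # payment_status param is ignored
        order.state = "paid"
        return order.state

    def apply_coupon(self, session_user: int, params: dict) -> bool:
        used = self.redemptions.setdefault(params["coupon"], set())
        if session_user in used:                       # keyed on the authenticated user only
            return False
        used.add(session_user)
        return True

    def view_invoice(self, session_user: int, params: dict) -> Optional[int]:
        invoice_id = int(params["id"])
        if self.invoices.get(invoice_id) != session_user:
            return None                                # missing and foreign invoices look the same
        return invoice_id

def fresh_shop() -> Shop:
    """Constructed sample data: user 1001 owns order 789 and invoice 400; invoice 401 belongs to 2002."""
    shop = Shop()
    shop.orders[789] = Order(789, owner=1001, amount=4999)
    shop.invoices[400] = 1001
    shop.invoices[401] = 2002
    return shop

def blocked(call) -> bool:  # True when a hardened handler refuses the request
    try:
        call()
        return False
    except (PermissionError, ValueError):
        return True

def run_checks() -> dict:
    """Walk the checklist's edge cases; each value is True when the abuse was blocked."""
    results, shop = {}, fresh_shop()  # 1. skipped step: marked paid with no provider confirmation
    results["flawed_skip_payment"] = shop.complete_checkout_flawed(
        {"order_id": "789", "payment_status": "paid"}) != "paid"
    shop = fresh_shop()
    results["hardened_skip_payment"] = blocked(
        lambda: shop.complete_checkout(1001, {"order_id": "789", "payment_status": "paid"}))
    shop = fresh_shop()  # 2. replay: a legitimate completion submitted a second time
    shop.confirmed_payments[789] = 4999
    shop.complete_checkout(1001, {"order_id": "789"})
    results["hardened_replay"] = blocked(lambda: shop.complete_checkout(1001, {"order_id": "789"}))
    shop = fresh_shop()  # 3. coupon reuse by rewriting user_id in the request body
    shop.apply_coupon_flawed({"user_id": "1001", "coupon": "SUMMER50"})
    results["flawed_coupon_reuse"] = not shop.apply_coupon_flawed({"user_id": "1002", "coupon": "SUMMER50"})
    shop = fresh_shop()
    shop.apply_coupon(1001, {"user_id": "1001", "coupon": "SUMMER50"})
    results["hardened_coupon_reuse"] = not shop.apply_coupon(1001, {"user_id": "1002", "coupon": "SUMMER50"})
    # 4. cross-user access: user 1001 asks for invoice 401 (invoices are untouched by the coupon case)
    results["flawed_cross_user"] = shop.view_invoice_flawed({"id": "401"}) is None
    results["hardened_cross_user"] = shop.view_invoice(1001, {"id": "401"}) is None
    return results
```

Running `run_checks()` returns False for every `flawed_*` entry and True for every `hardened_*` entry. The point of the hardened handlers is that nothing security-relevant is read from the request body: the user comes from the session, the payment outcome from the provider's confirmation record, and the allowed next step from the order's current state, which is also what makes a replayed or out-of-sequence request fail.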

💡 Actionable Tips

📚 Recommended Resources