Business Logic Flaws
detect, understand, remediate
Business logic flaws exploit gaps between intended application behaviour and actual implementation, allowing attackers to bypass workflows, manipulate pricing, skip validation steps, or abuse functionality in unintended ways.
No credit card required. Free plan available forever.
What are business logic flaws?
Business logic flaws are vulnerabilities that arise from deficiencies in an application's design and implementation of its business rules, rather than from traditional technical weaknesses like injection or authentication bypass. These flaws occur when the application fails to properly enforce the intended workflow, validation constraints, or transactional integrity that the business process requires. Classified under CWE-840 (Business Logic Errors), they are among the most difficult vulnerability classes to detect because they do not follow predictable patterns and cannot be identified by signature-based scanning alone.
Unlike technical vulnerabilities that exploit code-level mistakes, business logic flaws exploit assumptions that developers make about how users will interact with the application. An attacker who understands the application's workflow can manipulate request sequences, skip mandatory steps, modify hidden parameters, or exploit race conditions to achieve outcomes that the developers never intended. Examples include purchasing items at negative prices, applying discount codes multiple times, bypassing payment steps in checkout flows, or escalating privileges through mass assignment of role fields.
The financial and operational impact of business logic flaws can be devastating. E-commerce platforms may lose revenue through price manipulation, SaaS applications may allow users to access premium features without payment, and fintech applications may permit unauthorized fund transfers. Because these vulnerabilities are specific to each application's unique business rules, they require deep understanding of the intended workflow and manual testing by skilled security professionals. Automated scanners can assist by identifying suspicious patterns, but human judgment is essential to confirm exploitability and to assess business impact, with severity scored using a framework such as the CVSS calculator.
How it works
Understand application workflow
The attacker maps the application's multi-step processes (checkout, registration, approval flows) to identify the expected sequence of operations and the assumptions behind each step.
Identify business rule assumptions
By analysing request parameters, hidden fields, and state transitions, the attacker identifies assumptions that the server relies on but does not explicitly validate, such as positive quantities or sequential step completion.
Craft rule-violating requests
The attacker sends requests that violate the expected flow: submitting negative prices, skipping verification steps, replaying discount codes, or modifying calculated totals before final submission.
Achieve unintended outcome
The server processes the manipulated request without detecting the logic violation, resulting in free purchases, unauthorized access, data manipulation, or financial loss for the business.
Common causes
Insufficient server-side validation
Relying on client-side validation for business rules (price calculations, quantity limits, discount eligibility) that the server does not independently verify, allowing attackers to bypass constraints by modifying requests.
Multi-step processes without state verification
Workflows that do not verify step completion order on the server, allowing users to skip mandatory steps like payment confirmation, identity verification, or approval stages.
Price and quantity manipulation
Accepting client-supplied values for prices, quantities, or totals without recalculating them server-side, enabling attackers to submit orders with modified amounts or negative values.
Coupon and discount stacking
Failing to enforce single-use constraints on promotional codes, allowing repeated application of the same coupon or stacking of multiple discounts beyond intended limits.
How to detect it
Automated detection
- SecPortal's authenticated scanning maps multi-step workflows and tests for step-skipping, parameter tampering, and boundary condition violations across discovered endpoints
- Workflow analysis detects state management inconsistencies by replaying requests out of order and comparing server responses for unexpected state transitions
- Custom test case execution allows security teams to define business-specific test scenarios that validate application-level constraints during automated scan runs
Manual testing
- Walk through each business workflow while intercepting requests, then replay them out of order or skip steps to see if the server enforces the expected sequence
- Test boundary values: submit negative quantities, zero-value payments, extremely large amounts, and decimal precision edge cases to find calculation errors
- Attempt to reuse single-use tokens (discount codes, invitation links, verification tokens) and check whether the server properly invalidates them after first use
How to fix it
Implement server-side validation of all business rules
Never trust client-supplied values for prices, quantities, totals, or eligibility. Recalculate all values server-side using authoritative data sources. Treat every client request as potentially manipulated.
Enforce state machine workflows
Model multi-step processes as explicit state machines on the server. Each transition should verify that the user has completed all prerequisite steps and that the current state permits the requested operation.
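The two remedies above, server-side recalculation and an explicit state machine, as one added example (not SecPortal's code; the catalog, coupon table and transition table are constructed stand-ins for the server's authoritative data):

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalog and coupon table standing in for the server's authoritative
# price source; a real application would read these from its database.
CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}
COUPONS = {"SAVE10": Decimal("0.10")}

# Allowed transitions of the checkout state machine; any other move is refused.
TRANSITIONS = {"cart": {"shipping"}, "shipping": {"payment"}, "payment": {"confirmed"}}


class LogicViolation(Exception):
    """Raised when a request breaks a business rule or the workflow order."""


@dataclass
class Order:
    state: str = "cart"
    items: dict = field(default_factory=dict)      # sku -> quantity
    coupons_used: set = field(default_factory=set)
    discount: Decimal = Decimal("0")

    def add_item(self, sku: str, qty: int) -> None:
        # Only the SKU and quantity come from the client; the price never does.
        if sku not in CATALOG:
            raise LogicViolation(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty <= 0 or qty > 100:
            raise LogicViolation(f"invalid quantity {qty!r}")
        self.items[sku] = self.items.get(sku, 0) + qty

    def apply_coupon(self, code: str) -> None:
        # Single use per order: replaying the same code does not stack the discount.
        if code not in COUPONS:
            raise LogicViolation("unknown coupon")
        if code in self.coupons_used:
            raise LogicViolation("coupon already applied")
        self.coupons_used.add(code)
        self.discount = min(self.discount + COUPONS[code], Decimal("0.30"))

    def total(self) -> Decimal:
        # Recomputed from the catalog on every call; a client-submitted total is ignored.
        subtotal = sum(CATALOG[s] * q for s, q in self.items.items())
        return (subtotal * (1 - self.discount)).quantize(Decimal("0.01"))

    def advance(self, target: str) -> None:
        # The transition table enforces step order; jumping cart -> confirmed fails.
        if target not in TRANSITIONS.get(self.state, set()):
            raise LogicViolation(f"cannot move from {self.state} to {target}")
        self.state = target
```

Every rejected request raises LogicViolation, which is the point where the handler should also emit an audit event.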
Add integrity checks on calculations
Use server-side recalculation for all financial operations. Compare submitted totals against server-computed values and reject transactions where discrepancies exist. Sign intermediate values with HMAC to detect tampering.
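Signing the intermediate total with an HMAC and checking it at submit time, as an added example (not SecPortal's code; the key, field names and function names are assumptions):

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed key for the example; a real service loads it from a secrets store
# and never exposes it to the client.
SERVER_KEY = b"example-key-rotate-me"


def sign_quote(order_id: str, total: Decimal, currency: str) -> str:
    """Return an HMAC-SHA256 tag over the server-computed total for this order.

    The tag travels with the quote to the client's review page; editing the
    total there invalidates the tag because the key never leaves the server.
    """
    msg = json.dumps({"order_id": order_id, "total": str(total), "currency": currency},
                     sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_submission(order_id: str, total: Decimal, currency: str, tag: str,
                      recomputed_total: Decimal) -> bool:
    """Accept a submitted total only if its tag is valid and it still equals
    the total the server recomputes from authoritative data at submit time."""
    expected = sign_quote(order_id, total, currency)
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return False
    # A valid tag proves the client did not edit the quote, not that it is still
    # current: prices or coupon eligibility may have changed since it was issued.
    return total == recomputed_total
```

Binding the order id into the signed message stops a tag issued for one order from being replayed against another.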
Implement comprehensive audit logging
Log all state transitions, financial operations, and business rule evaluations with full request context. Use anomaly detection to identify patterns that suggest business logic exploitation, such as repeated coupon usage or unusual purchase amounts.
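Detection logic run over constructed audit events, as an added example (not SecPortal's code): it flags repeated coupon redemption per account, submitted totals that disagree with the server's recomputed value, and state transitions outside the allowed workflow. The event schema and field names are assumptions.

```python
import json
from collections import Counter

# Constructed JSON-lines audit events (field names are hypothetical): three
# redemptions of one coupon by one account, one order whose client-submitted
# total disagrees with the server's, one benign order, and one step-skip.
AUDIT_LOG = """\
{"account": "a1", "event": "coupon_redeem", "coupon": "SAVE10", "order": "o1"}
{"account": "a1", "event": "coupon_redeem", "coupon": "SAVE10", "order": "o2"}
{"account": "a1", "event": "coupon_redeem", "coupon": "SAVE10", "order": "o3"}
{"account": "a2", "event": "order_submit", "order": "o4", "client_total": "0.01", "server_total": "249.00"}
{"account": "a3", "event": "order_submit", "order": "o5", "client_total": "19.99", "server_total": "19.99"}
{"account": "a4", "event": "state_change", "order": "o6", "from": "cart", "to": "confirmed"}
"""

# Legal checkout transitions; anything else is a skipped or replayed step.
ALLOWED = {("cart", "shipping"), ("shipping", "payment"), ("payment", "confirmed")}


def find_anomalies(log_text: str, coupon_limit: int = 1) -> list:
    """Scan audit events and return (account, reason) findings."""
    findings = []
    redemptions = Counter()                 # (account, coupon) -> count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "coupon_redeem":
            key = (ev["account"], ev["coupon"])
            redemptions[key] += 1
            # Report once, at the first redemption beyond the allowed limit.
            if redemptions[key] == coupon_limit + 1:
                findings.append((ev["account"], f"coupon {ev['coupon']} reused"))
        elif kind == "order_submit":
            # Any gap between client and server totals is tampering or a bug.
            if ev["client_total"] != ev["server_total"]:
                findings.append((ev["account"], f"total mismatch on order {ev['order']}"))
        elif kind == "state_change":
            if (ev["from"], ev["to"]) not in ALLOWED:
                findings.append((ev["account"],
                                 f"illegal transition {ev['from']} -> {ev['to']}"))
    return findings
```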
Apply rate limiting to sensitive operations
Enforce rate limits on operations that could be abused through rapid repetition, such as coupon redemption, account creation, or promotional claim endpoints. This reduces the impact of automated exploitation.
Test for business logic vulnerabilities
SecPortal combines automated scanning with structured pentest workflows to catch logic flaws that scanners alone miss. Start free.