CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Business Logic Vulnerability

security CWE-840 OWASP A4:2021 CVSS 7.5 Advanced

Also Known As

business logic flaw logic vulnerability

TL;DR

Flaws in application workflow allow attackers to abuse legitimate features in unintended ways.

Explanation

Business logic vulnerabilities are not caused by coding errors like injection flaws but by incorrect assumptions about how users will interact with the application — such as assuming a multi-step workflow will always be followed in order, that prices are always positive, or that quantity fields won't accept negative values. These flaws are largely invisible to automated scanners because the logic is application-specific. They require careful threat modelling, code review, and test cases that explicitly verify invariants.

How It's Exploited

POST /checkout {"product_id": 42, "price": 0.01}
# If server trusts client price, attacker buys £500 item for 1p

Common Misconception

Business logic flaws are found by automated scanners. They require understanding the intended workflow — scanners miss flaws like applying a discount twice or skipping a payment step entirely.

Why It Matters

Logic flaws are invisible to WAFs and scanners — they require understanding the application's intended behaviour to exploit, making them harder to detect and frequently more damaging.

Common Mistakes

  • Not testing negative flows: what happens if a user skips payment step, applies a coupon twice, or changes quantity after pricing?
  • Trusting client-submitted prices, totals, or discount codes without server-side recalculation.
  • Assuming multi-step workflows are always completed in order — attackers skip steps by crafting direct requests.
  • Implementing access control at the UI layer but not re-validating it in the API handler.

Code Examples

✗ Vulnerable 
// Trusting client-supplied price
\$item  = Product::find(\$req->product_id);
\$price = \$req->price;        // attacker sends price=0.01
Order::create(['price' => \$price, 'product_id' => \$item->id]);
✓ Fixed 
// Always compute price server-side from authoritative source
\$item  = Product::findOrFail(\$req->product_id);
\$price = \$item->currentPrice(); // from DB, not the request
Order::create(['price' => \$price, 'product_id' => \$item->id]);

// Apply discounts server-side too
\$coupon = Coupon::findValid(\$req->coupon_code);
\$final  = \$coupon ? \$coupon->applyTo(\$price) : \$price;
Added 15 Mar 2026
Edited 22 Mar 2026
Views 23

Curated in Warsaw under one editorial standard. 1,444 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
1 ping W 0 pings T 0 pings F 3 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 0 pings S 0 pings M 1 ping T 0 pings W 3 pings T 0 pings F 3 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 1 ping M 0 pings T 0 pings W 1 ping T
Agents 1
No pings yesterday
Amazonbot 7 Ahrefs 5 Perplexity 4 Google 3 Unknown AI 3 ChatGPT 2
Also referenced
Input Validation vs Output Encoding 32 Insecure Direct Object Reference (IDOR) 30 Threat Modelling 19
How they use it
crawler 21 crawler_json 2 pre-tracking 1
Related categories
security 4k general 1.4k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: High
⚡ Quick Fix
Keep business rules in domain objects and use cases — not in controllers, not in database stored procedures, not in templates; business logic belongs where domain experts would recognise it
📦 Applies To
any web cli queue-worker
🔗 Prerequisites
🔍 Detection Hints
Business rules in controller action methods; price calculation in Blade/Twig template; order validation in database trigger
Auto-detectable: ✗ No phpstan deptrac
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: High Context: File Tests: Update
✓ schema.org compliant