← Back to glossary

Business Logic Vulnerability

Security CWE-840 OWASP A4:2021 CVSS 7.5 Advanced

debt(d9/e7/b7/t9)

d9 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'silent in production until users hit it' (d9). The detection_hints explicitly state automated: no, and the misconception confirms that automated scanners miss these flaws entirely. Tools listed (phpstan, deptrac) catch structural placement issues but not the semantic correctness of business rules. Flaws like applying a discount twice or skipping a payment step are only discovered when users or attackers exploit them in production.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix states business rules must be moved into domain objects and use cases — away from controllers, templates, and stored procedures. The common_mistakes show the problem is systemic: client-submitted values trusted everywhere, multi-step workflow assumptions spread across the app, access control at the UI layer. This is not a single-file fix; it requires reorganising where business rules live across the entire codebase.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (e7). The term applies_to all contexts: web, cli, and queue-worker — broad reach. Business logic placement shapes every feature and workflow added to the system. Misplaced logic in controllers, templates, or triggers creates a persistent structural tax where every future developer must know which layer actually enforces rules, and every new feature risks adding more misplaced logic.

t9 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'catastrophic trap — the obvious way is always wrong' (t9). The misconception is explicit: developers believe automated scanners find business logic flaws, but they never do. The common_mistakes reinforce this — trusting client-submitted prices, assuming workflow order, implementing access control only at UI — all represent the intuitive approach that is systematically wrong. Competent developers routinely make these mistakes because the violations look like working code.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-06 · reviewed by human

Also Known As

business logic flaw logic vulnerability

TL;DR

Flaws in application workflow allow attackers to abuse legitimate features in unintended ways.

Explanation

Business logic vulnerabilities are not caused by coding errors like injection flaws but by incorrect assumptions about how users will interact with the application — such as assuming a multi-step workflow will always be followed in order, that prices are always positive, or that quantity fields won't accept negative values. These flaws are largely invisible to automated scanners because the logic is application-specific. They require careful threat modelling, code review, and test cases that explicitly verify invariants.

How It's Exploited

POST /checkout {"product_id": 42, "price": 0.01}
# If server trusts client price, attacker buys £500 item for 1p

Common Misconception

✗ Business logic flaws are found by automated scanners. They require understanding the intended workflow — scanners miss flaws like applying a discount twice or skipping a payment step entirely.

Why It Matters

Logic flaws are invisible to WAFs and scanners — they require understanding the application's intended behaviour to exploit, making them harder to detect and frequently more damaging.

Common Mistakes

Not testing negative flows: what happens if a user skips payment step, applies a coupon twice, or changes quantity after pricing?
Trusting client-submitted prices, totals, or discount codes without server-side recalculation.
Assuming multi-step workflows are always completed in order — attackers skip steps by crafting direct requests.
Implementing access control at the UI layer but not re-validating it in the API handler.

Code Examples

✗ Vulnerable

// Trusting client-supplied price
$item  = Product::find($req->product_id);
$price = $req->price;        // attacker sends price=0.01
Order::create(['price' => $price, 'product_id' => $item->id]);

✓ Fixed

// Always compute price server-side from authoritative source
$item  = Product::findOrFail($req->product_id);
$price = $item->currentPrice(); // from DB, not the request
Order::create(['price' => $price, 'product_id' => $item->id]);

// Apply discounts server-side too
$coupon = Coupon::findValid($req->coupon_code);
$final  = $coupon ? $coupon->applyTo($price) : $price;

Tags

owasp-top10 application-security testing

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Amazonbot 9 Ahrefs 7 Google 4 Perplexity 4 Scrapy 4 Unknown AI 3 SEMrush 3 ChatGPT 2 Claude 1 Meta AI 1 Bing 1

Also referenced

Input Validation vs Output Encoding 118 Insecure Direct Object Reference (IDOR) 56 Threat Modelling 48

How they use it

crawler 34 crawler_json 4 pre-tracking 1

Related categories

security 8k general 3k

⚡ DEV INTEL Tools & Severity

🟡 Medium ⚙ Fix effort: High

⚡ Quick Fix

Keep business rules in domain objects and use cases — not in controllers, not in database stored procedures, not in templates; business logic belongs where domain experts would recognise it

📦 Applies To

any web cli queue-worker

🔗 Prerequisites

Domain-Driven Design (DDD) Single Responsibility Principle Business Logic Abuse

🔍 Detection Hints

Business rules in controller action methods; price calculation in Blade/Twig template; order validation in database trigger

Auto-detectable: ✗ No phpstan deptrac

⚠ Related Problems

Domain-Driven Design (DDD) Anemic Domain Model (Anti-Pattern) Single Responsibility Principle

🤖 AI Agent

Confidence: Low False Positives: High ✗ Manual fix Fix: High Context: File Tests: Update