Business Logic Abuse
Also Known As
business logic vulnerability
workflow bypass
price manipulation
TL;DR
Exploiting flaws in application workflows rather than technical vulnerabilities — bypassing payment steps, abusing discount codes, manipulating quantity fields, or racing concurrent requests.
Explanation
Business logic vulnerabilities use the application as designed but in unintended ways: negative quantities in carts (refund exploit), applying expired promo codes via replay, skipping mandatory workflow steps by manipulating URLs, race conditions on limited inventory, mass assignment of admin roles, or abusing referral systems. These are not caught by WAFs or standard security scanners because the requests are technically valid. Detection requires understanding the intended business flow and testing edge cases explicitly.
Common Misconception
✗ Security scanners catch business logic flaws — automated scanners test for technical vulnerabilities; business logic flaws require manual testing with domain knowledge of the application's intended behaviour.
Why It Matters
Price manipulation vulnerabilities have cost e-commerce companies millions — a $-1 item in a cart that passes checkout logic can result in credits being issued to attackers at scale.
Common Mistakes
- Trusting client-submitted prices — always recalculate price server-side from the product database.
- No rate limiting on discount code attempts — brute-forceable codes at scale.
- Not validating workflow state transitions — user can jump from step 1 to step 5 by manipulating URLs.
- Race conditions on inventory checks — check-then-act patterns allow overselling under concurrent load.
Code Examples
✗ Vulnerable
// Client-controlled price — exploitable:
POST /checkout
{"items": [{"id": 42, "qty": 1, "price": 0.01}]}
// Server trusts submitted price — charges $0.01 for $99 item
// Negative quantity exploit:
{"items": [{"id": 42, "qty": -1}]}
// Cart total becomes negative — store owes the attacker
✓ Fixed
// Always recalculate server-side from the product database, never from the request body:
public function checkout(array $items): Money {
    $total = Money::zero('GBP');
    foreach ($items as $item) {
        // Fetch price from DB — never trust client:
        $product = $this->products->findOrFail($item['id']);
        // Validate quantity is a positive integer; reject rather than silently clamp,
        // so a negative or non-numeric quantity fails the request instead of becoming 1:
        $qty = filter_var($item['qty'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($qty === false) {
            throw new InvalidArgumentException('Quantity must be a positive integer');
        }
        $total = $total->add($product->price->multiply($qty));
    }
    return $total;
}
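The workflow rules from Common Mistakes and the Quick Fix (no step skipping, a cancelled order cannot be re-ordered, refunds capped at the original payment) as an added PHP 8 example that is not part of the original card; the state names, the OrderWorkflow class and the pence amounts are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed order states; the card does not define a specific set.
final class OrderWorkflow
{
    // Every allowed transition is listed; anything not listed is rejected server-side.
    private const TRANSITIONS = [
        'cart'      => ['paid', 'cancelled'],
        'paid'      => ['shipped', 'cancelled', 'refunded'],
        'shipped'   => ['delivered', 'refunded'],
        'delivered' => ['refunded'],
        'cancelled' => [],   // terminal: a cancelled order cannot be re-ordered
        'refunded'  => [],   // terminal
    ];

    public function __construct(
        private string $state,
        private int $chargedPence,      // order total captured by the PSP once paid
        private int $refundedPence = 0, // cumulative refunds issued so far
    ) {}

    public function transition(string $to): void
    {
        if (!in_array($to, self::TRANSITIONS[$this->state] ?? [], true)) {
            throw new DomainException("Invalid transition {$this->state} -> {$to}");
        }
        $this->state = $to;
    }

    // Partial refunds are allowed only from a state that can reach 'refunded', and the
    // cumulative total can never exceed what was actually charged.
    public function refund(int $pence): void
    {
        if ($pence <= 0 || !in_array('refunded', self::TRANSITIONS[$this->state] ?? [], true)) {
            throw new DomainException("Cannot refund {$pence}p in state {$this->state}");
        }
        if ($this->refundedPence + $pence > $this->chargedPence) {
            throw new DomainException('Refund exceeds original payment');
        }
        $this->refundedPence += $pence;
        if ($this->refundedPence === $this->chargedPence) {
            $this->transition('refunded');
        }
    }
}

// Constructed walk-through for a £99 order: step skipping and over-refunding are both rejected.
$order = new OrderWorkflow('cart', 9900);
try { $order->transition('shipped'); } catch (DomainException $e) { echo $e->getMessage(), "\n"; }
$order->transition('paid');
$order->refund(5000);
try { $order->refund(6000); } catch (DomainException $e) { echo $e->getMessage(), "\n"; }
```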
Added
16 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: High
⚡ Quick Fix
Map out all valid state transitions in your domain and enforce them server-side — e.g. a cancelled order cannot be re-ordered; a refund cannot exceed the original payment
📦 Applies To
any
web
api
🔗 Prerequisites
🔍 Detection Hints
Price manipulation via parameter tampering; negative quantity in cart; applying discount codes multiple times; purchasing at old price after price change
Auto-detectable: ✗ No
Tools: semgrep, burpsuite
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: High
✗ Manual fix
Fix: High
Context: File
Tests: Update
CWE-840 (Business Logic Errors)
CWE-841 (Improper Enforcement of Behavioral Workflow)