{
    "slug": "business_logic_abuse",
    "term": "Business Logic Abuse",
    "category": "security",
    "difficulty": "advanced",
    "short": "Exploiting flaws in application workflows rather than technical vulnerabilities — bypassing payment steps, abusing discount codes, manipulating quantity fields, or racing concurrent requests.",
    "long": "Business logic vulnerabilities use the application as designed but in unintended ways: negative quantities in carts (refund exploit), applying expired promo codes via replay, skipping mandatory workflow steps by manipulating URLs, race conditions on limited inventory, mass assignment of admin roles, or abusing referral systems. These are not caught by WAFs or standard security scanners because the requests are technically valid. Detection requires understanding the intended business flow and testing edge cases explicitly.",
    "aliases": [
        "business logic vulnerability",
        "workflow bypass",
        "price manipulation"
    ],
    "tags": [
        "security",
        "testing",
        "quality"
    ],
    "misconception": "Security scanners catch business logic flaws — automated scanners test for technical vulnerabilities; business logic flaws require manual testing with domain knowledge of the application's intended behaviour.",
    "why_it_matters": "Price manipulation vulnerabilities have cost e-commerce companies millions — an item priced at -$1 that passes checkout logic can result in credits being issued to attackers at scale.",
    "common_mistakes": [
        "Trusting client-submitted prices — always recalculate price server-side from the product database.",
        "No rate limiting on discount code attempts — brute-forceable codes at scale.",
        "Not validating workflow state transitions — user can jump from step 1 to step 5 by manipulating URLs.",
        "Race conditions on inventory checks — check-then-act patterns allow overselling under concurrent load."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "race_condition",
        "mass_assignment",
        "parameter_tampering",
        "idor"
    ],
    "prerequisites": [
        "broken_access_control",
        "input_validation",
        "threat_modelling"
    ],
    "refs": [
        "https://portswigger.net/web-security/logic-flaws"
    ],
    "bad_code": "// Client-controlled price — exploitable:\nPOST /checkout\n{\"items\": [{\"id\": 42, \"qty\": 1, \"price\": 0.01}]}\n// Server trusts submitted price — charges $0.01 for a $99 item\n\n// Negative quantity exploit:\n{\"items\": [{\"id\": 42, \"qty\": -1}]}\n// Cart total becomes negative — store owes the attacker",
    "good_code": "// Always recalculate server-side:\npublic function checkout(array $items): Money {\n    $total = Money::zero('GBP');\n    foreach ($items as $item) {\n        // Fetch price from DB — never trust client:\n        $product = $this->products->findOrFail($item['id']);\n        // Coerce quantity to a positive integer (clamped to a minimum of 1 — reject the request instead if a zero or negative quantity should be an error):\n        $qty = max(1, (int) $item['qty']);\n        $total = $total->add($product->price->multiply($qty));\n    }\n    return $total;\n}",
    "quick_fix": "Map out all valid state transitions in your domain and enforce them server-side — e.g. a cancelled order cannot be re-ordered; a refund cannot exceed the original payment.",
    "severity": "high",
    "effort": "high",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/business_logic_abuse",
        "html_url": "https://codeclaritylab.com/glossary/business_logic_abuse",
        "json_url": "https://codeclaritylab.com/glossary/business_logic_abuse.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Business Logic Abuse](https://codeclaritylab.com/glossary/business_logic_abuse) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/business_logic_abuse"
            }
        }
    }
}