Post 9: Business Logic Attacks
Breaking the Rules That Developers Never Thought You’d Try
Business logic attacks exploit the intended behavior of an application in ways that developers didn't anticipate. These aren't injection bugs like SQLi or XSS; they're workflow flaws, authorization gaps, or assumptions gone wrong, which is why scanners rarely catch them.
Table of Contents
- What Are Business Logic Vulnerabilities?
- Signs of Logic Flaws
- Common Attack Patterns
- Examples of Real-World Business Logic Bugs
- How to Test for Logic Issues
- Tools and Methodology
- Practice Labs
1. What Are Business Logic Vulnerabilities?
Business logic is the rules and workflows that define how an application behaves — things like:
- Who is allowed to do what
- In what order actions must happen
- What actions are allowed under certain conditions
When those rules can be bypassed or misused due to missing validation or poor assumptions, that’s a business logic vulnerability.
2. Signs of Logic Flaws
Watch out for:
- Price manipulation in e-commerce platforms
- Privilege escalation through hidden roles or parameters
- Unvalidated user actions (e.g., canceling a shipped order)
- Skipping steps in multi-step processes (e.g., payment → access)
- Over-reliance on client-side enforcement
- Insecure redirects, discounts, or reward systems
3. Common Attack Patterns
A. Bypassing Client-Side Validation
If a discount or role change is only enforced in JavaScript, it can be bypassed:
<script>document.getElementById('price').value = 0;</script>
Then intercept the request in Burp and send the discounted value directly to the server.
B. Forced Browsing and Privilege Escalation
A regular user requests an admin page directly:
http://target.com/admin/delete_user.php?id=12
Even if there’s no visible “Admin Panel” button, the endpoint exists. Try accessing it directly, changing user IDs, or manipulating the role parameter.
C. Price Manipulation
Check requests during checkout:
POST /checkout
item_id=123&price=1.00
Change price=1.00 to 0.01. If the server doesn’t validate the price, you just made a big sale.
D. Skipping Steps in a Workflow
Multi-step flows like password reset or checkout can be vulnerable:
1. Password reset token sent to email
2. Verify token
3. Set new password
What if you skip step 2 and go straight to 3? Or change another user’s token in the URL?
E. Reusing or Abusing Discount Codes
Some logic flaws let you apply the same code multiple times:
POST /apply_coupon
code=FREE100
Try resending it or changing quantity in the request.
4. Examples of Real-World Business Logic Bugs
| Attack Vector | Outcome |
|---|---|
| Modify account number | Access another user’s data |
| Skip payment confirmation | Access premium features for free |
| Cancel shipped order | Receive refund and product |
| Modify role parameter | Become admin or editor |
| Abuse bulk discount | Buy single item at bulk price |
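To make the fixes concrete, here is an added example (not code from the original post) of a toy order service: one handler with the flaws from sections 3 and 4 (client-supplied price, coupon replay, skipping or repeating steps, touching another user's order) beside the server-side checks that close them. The catalog, the SAVE10 coupon and the ids are constructed for the demo.

```python
# Added example, not from the original post: a toy order service with the flaws
# from sections 3 and 4 (client-supplied price, coupon replay, skipping or repeating
# steps, touching another user's order) beside the server-side checks that close them.
from dataclasses import dataclass, field

CATALOG = {"123": 19.99}      # authoritative prices live on the server (constructed)
COUPONS = {"SAVE10": 0.10}    # code -> fractional discount (constructed)

class LogicError(Exception):
    pass

@dataclass
class Order:
    owner: str
    item_id: str
    state: str = "cart"       # cart -> paid -> shipped
    coupons: set = field(default_factory=set)

def checkout_vulnerable(order, req):
    # Vulnerable: charges whatever price= the request body says, ignores state.
    order.state = "paid"
    return float(req["price"])

def _require_owner(order, session_user):
    # Authorization comes from the session, never from an id in the request.
    if order.owner != session_user:
        raise LogicError("order does not belong to caller")

def apply_coupon(order, code, session_user):
    # Coupons are single-use per order and only accepted before payment.
    _require_owner(order, session_user)
    if order.state != "cart":
        raise LogicError("order already paid")
    if code not in COUPONS:
        raise LogicError("unknown coupon")
    if code in order.coupons:  # replaying POST /apply_coupon is rejected
        raise LogicError("coupon already applied")
    order.coupons.add(code)
    return len(order.coupons)

def checkout_hardened(order, req, session_user):
    # Hardened: price from the catalog, discount from order state, strict state.
    _require_owner(order, session_user)
    if order.state != "cart":  # skipping ahead or paying twice is rejected
        raise LogicError(f"cannot pay an order in state {order.state!r}")
    price = CATALOG[order.item_id]    # req["price"] is ignored entirely
    for code in order.coupons:
        price *= 1 - COUPONS[code]
    order.state = "paid"
    return round(price, 2)
```

The same tampered request (price=0.01) that the vulnerable handler accepts is charged at the catalog price by the hardened one, and a replayed coupon or a second checkout raises LogicError instead of silently succeeding.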
5. How to Test for Logic Issues
- Map out workflows manually: checkout, registration, password reset
- Test each step out of order or multiple times
- Try changing user ID numbers in requests
- Look for hidden fields: role, amount, is_admin
- Try using multiple sessions (one logged in as user A, one as B)
- Look at what happens when you cancel, resubmit, skip, or reuse
Always use Burp Repeater or Proxy to replay and modify these requests outside the UI.
6. Tools and Methodology
Manual Testing is Key
You won’t find logic flaws with scanners. You need to:
- Think like a malicious user
- Abuse the app’s intended flow
- Ask “what if I…?” at every step
Burp Suite
- Use Proxy to watch workflows
- Use Repeater to tamper with logic and replay requests
- Use Intruder to fuzz roles, coupon codes, IDs
Other Tools:
- Postman for replaying authenticated API flows
- Autorize (Burp plugin) for testing IDOR and access control issues
7. Practice Labs
- PortSwigger: Logic flaw labs (free and excellent)
- TryHackMe: OWASP Business Logic Room
- HackTheBox: Web challenges and boxes with logic bugs
- bWAPP: Business logic and IDOR modules
Checklist for Business Logic Testing
| Test | Description |
|---|---|
| Tamper hidden fields | Try role=admin, price=0 |
| Skip steps | Jump to final step in workflow |
| Replay requests | Try coupons, refunds, tokens again |
| Modify user IDs | Access or delete others’ data |
| Reorder process | Cancel after confirmation |
Coming Up Next
Post 10: Burp Suite for Web Pentesters
We’ll go deep into:
- Proxy, Repeater, Intruder, Decoder, Comparer
- Full workflow from recon to exploitation
- Burp extensions to supercharge your hacking
