Business Logic Vulnerabilities, Application-Level Flaws, and How to Verify Them
Why this page exists: teams often know how to explain SQL injection or SSRF, but struggle to explain why a โfully authenticated, technically valid workflowโ can still be dangerous. This page gives AppSec reviewers a compact model for business logic and other application-level flaws that usually require manual verification.
What people mean by โbusiness logicโ in AppSec
Business logic vulnerabilities are weaknesses in how a productโs intended workflows, decisions, sequencing rules, limits, or state transitions behave under hostile use. They are different from classic implementation bugs because the attacker often uses valid functionality in an invalid business context.
In practical AppSec terms, this category overlaps with broader application-level vulnerabilities such as:
- workflow bypasses;
- object and tenant authorization mistakes;
- pricing, quota, and usage-rule abuse;
- race conditions and replay abuse;
- support/admin/recovery flow abuse; and
- server-side trust in client-controlled state.
A useful mental model is: if the attacker can stay inside normal product features and still create unauthorized business outcomes, you are likely looking at an application-level or business-logic flaw rather than only a technical implementation defect.
What sits inside this category
| Area | What breaks | Example shape | Why scanners miss it | What reviewers should ask |
|---|---|---|---|---|
| Workflow and state transitions | steps can be skipped, replayed, or reordered | user reaches โcompleteโ without passing required checks | the HTTP looks valid | what order is required, and what is enforced server-side? |
| Server-side integrity rules | the server trusts price, role, quantity, limit, or state from the client | hidden fields or API body values override authoritative values | the payload is syntactically correct | which values are authoritative on the server? |
| Object / tenant authorization | access is valid at the endpoint level but wrong for the specific object | account can operate on another tenantโs invoice, export, or token | auth exists, but object checks are weak | where is object ownership or tenant scope enforced? |
| Concurrency and race conditions | duplicate or conflicting actions succeed | double refund, coupon double-spend, duplicate payout | timing matters more than payload shape | what happens if the action is replayed in parallel? |
| Economic / usage abuse | business constraints can be gamed profitably | trial reset, discount stacking, quota evasion | the flow is โworking as designedโ from a technical lens | what can a rational attacker automate for profit? |
| Recovery / support / admin abuse | secondary workflows become privilege-escalation paths | invite flow, support override, recovery token misuse | the weakness sits in operations logic | which non-primary flows can change authority or state? |
Verification: how to test this category
Business logic flaws usually need manual, scenario-based verification. A practical review flow is:
- map the workflow and the intended business invariants;
- identify the valuable state changes, approvals, or limits;
- replay the flow with steps skipped, reordered, repeated, or parallelized;
- tamper with hidden, derived, or client-visible values;
- test the same action across tenant, role, and lifecycle boundaries; and
- confirm that server-side logs and audit records make abuse visible.
Good verification tasks
- forge or replay requests instead of trusting the UI;
- test whether hidden or โread-onlyโ values can still influence server behavior;
- retry the same action concurrently to test idempotency and race handling;
- test negative paths such as expired approvals, changed pricing, revoked roles, or stale sessions;
- follow admin, support, invite, export, refund, recovery, and reconciliation flows instead of only the โhappy path.โ
Common verification cues
| Signal | Why it matters | Typical follow-up |
|---|---|---|
| client sends price, discount, limit, role, or state | likely integrity problem | make the server recompute authoritative values |
| UI prevents a step but API does not | likely workflow bypass | send the terminal action directly |
| async workers finalize actions later | good place for hidden race or auth gaps | test retries, out-of-order events, and stale jobs |
| business rule is described only in docs or product tickets | often missing in code | ask where it is enforced and logged |
| support/admin path is โtemporaryโ or โmanualโ | high chance of exception becoming attack path | test impersonation, override, bulk actions, and exports |
Simplified real-world-style cases
Case 1: refund before return verification
A commerce platform allows a support workflow to issue a refund while the return-inspection state is still โpendingโ. A normal user cannot see this path, but a customer can replay the refund request after the ticket is opened and before the inspection system updates state. The platform technically authenticates the user correctly, but the business invariant โrefund only after verified return stateโ is not enforced server-side.
Verification idea: open the workflow in the UI, then send the terminal refund request early through a proxy or parallel API call. Confirm whether the server recomputes the return state or trusts the request context.
Case 2: invite flow creates unintended admin scope
A B2B product uses invitation links for fast onboarding. The invite token is meant to grant membership to one workspace, but an older backend path interprets the token as authority to choose a role and workspace during finalization. No classic injection exists; the flaw is that the workflow grants too much decision power at the wrong step.
Verification idea: capture the invite finalization request, change workspace or role identifiers, and test whether the server binds the token to a single intended target or accepts client-chosen scope.
Case 3: coupon and credit race in checkout
A subscription flow applies a promotional credit once per account. Two near-simultaneous checkout attempts both validate successfully, causing a duplicate credit application and an under-billed order. The bug is not in input validation; it is in concurrency and state commitment.
Verification idea: fire parallel requests that claim the same reusable asset (coupon, credit, seat, withdrawal, invite, export token) and verify whether atomic state transitions or idempotency keys prevent duplicate success.
What usually fixes the problem
- make the server authoritative for price, state, role, quantity, and eligibility;
- encode business invariants as explicit server-side checks;
- bind tokens, approvals, and state changes to the correct object, tenant, and lifecycle stage;
- use idempotency keys, locking, or atomic updates for one-time or monetary actions;
- treat support, admin, recovery, invite, and export flows as first-class attack surfaces;
- log security-relevant state changes so verification and abuse detection are possible later.
Best-practice references
Keep the KB concise and link out for deeper testing detail:
- OWASP Business Logic Vulnerability
- OWASP WSTG โ Business Logic Testing
- OWASP WSTG โ Test Integrity Checks
- OWASP WSTG โ Test Ability to Forge Requests
- OWASP Top 10 for Business Logic Abuse