🧪 Worked Example Lab: Business Logic Abuse in Trial and Promo Flows
Intro: This lab teaches reviewers to think like an abuse analyst, not only like a vulnerability scanner. The scenario is simple enough for newcomers and useful enough for senior reviewers to test prioritization judgment.
What this page includes
- a trial and promo abuse scenario
- what the reviewer should identify
- control recommendations
- scoring guidance
Scenario
A SaaS product allows one 14-day trial per organization. The product also issues a promotional coupon during signup. Trials are limited by account email, but not by organization identity, payment instrument, or business entity. Invite creation is not throttled, and coupon redemption is not tied to a verified billing state.
What a good reviewer should spot
- the attacker can create many organizations, not just many accounts;
- coupon and trial issuance can be combined into an abuse loop;
- invite flows can amplify the abuse or hide real operator identity;
- the system likely lacks the telemetry needed to measure the loss.
Better controls
- limit by a combination of organization, verified billing signals, and behavioral heuristics;
- tie coupon use to stronger business-state checks;
- throttle invite and organization creation workflows;
- alert on clusters of low-value or repetitive trial-creation patterns.
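To make the scenario and the control list concrete, here is an added example (not part of the original lab, and not any vendor's product code) that contrasts the scenario's email-only trial check with a layered policy: one trial per organization, one trial per payment-instrument fingerprint, a sliding-window throttle on organization creation per actor, coupon redemption gated on verified billing state, and a detector that flags clusters of unverified trial creation. The event fields, thresholds, actor and org identifiers and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

TRIAL_DAYS = 14                   # from the scenario
ORG_CREATE_LIMIT = 2              # assumed: orgs one actor may create per window
ORG_CREATE_WINDOW_S = 24 * 3600   # assumed throttle window (seconds)
CLUSTER_MIN_TRIALS = 3            # assumed alert threshold
CLUSTER_WINDOW_S = 3600           # assumed clustering window (seconds)


@dataclass(frozen=True)
class TrialEvent:
    ts: int                       # epoch seconds
    actor_id: str                 # authenticated principal driving the signup
    org_id: str                   # organization the trial is requested for
    email: str                    # account email (the scenario's only key)
    billing_fp: Optional[str]     # tokenised payment-instrument fingerprint, None if none on file
    billing_verified: bool        # billing state confirmed by the payments system


# Constructed sample: one actor spins up several orgs with fresh emails and one card.
SAMPLE = [
    TrialEvent(1000, "actor-1", "org-a", "a1@example.test", "card-x", False),
    TrialEvent(1300, "actor-1", "org-b", "a2@example.test", "card-x", False),
    TrialEvent(1600, "actor-1", "org-c", "a3@example.test", "card-x", False),
    TrialEvent(1900, "actor-1", "org-d", "a4@example.test", None, False),
    TrialEvent(5000, "actor-2", "org-e", "bob@example.test", "card-y", True),
]


def email_only_policy(events):
    """The scenario's weak control: one trial per distinct email. Returns trials granted."""
    seen, granted = set(), 0
    for e in events:
        if e.email not in seen:
            seen.add(e.email)
            granted += 1
    return granted


class LayeredPolicy:
    """Trial/coupon decisions keyed on org, billing fingerprint and actor throttle."""

    def __init__(self):
        self.trialed_orgs = set()
        self.trials_per_billing = defaultdict(int)
        self.org_creates = defaultdict(deque)  # actor_id -> creation timestamps

    def allow_org_creation(self, actor_id, ts):
        q = self.org_creates[actor_id]
        while q and ts - q[0] >= ORG_CREATE_WINDOW_S:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= ORG_CREATE_LIMIT:
            return False
        q.append(ts)
        return True

    def evaluate_trial(self, e):
        if not self.allow_org_creation(e.actor_id, e.ts):
            return "deny:org_creation_throttled"
        if e.org_id in self.trialed_orgs:
            return "deny:org_already_trialed"
        if e.billing_fp is not None and self.trials_per_billing[e.billing_fp] >= 1:
            return "deny:billing_instrument_reused"
        self.trialed_orgs.add(e.org_id)
        if e.billing_fp is not None:
            self.trials_per_billing[e.billing_fp] += 1
        return "allow"

    def evaluate_coupon(self, e):
        # Coupon issuance tied to a verified billing state, not to signup alone.
        return "allow" if e.billing_verified else "deny:billing_not_verified"


def run_layered(events):
    """Apply the layered policy in event order; returns (org, trial decision, coupon decision)."""
    p = LayeredPolicy()
    return [(e.org_id, p.evaluate_trial(e), p.evaluate_coupon(e)) for e in events]


def cluster_alerts(events):
    """Flag actors with >= CLUSTER_MIN_TRIALS attempts inside CLUSTER_WINDOW_S, none billing-verified."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        by_actor[e.actor_id].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e.ts - window[0].ts > CLUSTER_WINDOW_S:
                window.popleft()
            if len(window) >= CLUSTER_MIN_TRIALS and not any(w.billing_verified for w in window):
                alerts.append((actor, len(window)))
                break
    return alerts


if __name__ == "__main__":
    print("email-only trials granted:", email_only_policy(SAMPLE))
    for row in run_layered(SAMPLE):
        print(row)
    print("cluster alerts:", cluster_alerts(SAMPLE))
```

On the constructed sample the email-only check grants all five trials, while the layered policy grants one trial to the abusive actor and then denies the rest (first on the reused payment instrument, then on the organization-creation throttle), withholds every coupon until billing is verified, and the cluster detector raises one alert for that actor; this is the telemetry the scenario notes is otherwise missing.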
Related pages
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.