Business Logic Vulnerabilities
Turning legitimate functionality to a malicious purpose and eliciting unintended behaviour is what is called a business logic vulnerability. These flaws occur because developers fail to anticipate unusual application states. Users can interact with functionality in ways the developers never intended, and different functionalities can be combined in unexpected ways. Always look at the same functionality from different perspectives.
Changing product prices to negative values?
Able to increase or decrease the likes or dislikes on a comment by repeatedly sending the request?
Web browser access was disabled on an Amazon Kids tablet, but when launching a kids' application there was a link to the privacy policy; clicking it opened the policy page in a browser, and from there clicking other hyperlinks gave access to the Google web browser.
chess.com uses WebSockets; in a friendly match a player can add 15 seconds for the opponent, but an attacker clicks the add-15-seconds button and changes the value (150 => 15) to 000, decreasing the opponent's time to zero.
A feature to invite users via email with a custom message => phishing campaign?
An admin gives admin-level permission to an employee and then changes their permission level back to normal employee; the employee can still make changes to the organization with admin rights.
Intercepting the send-money feature of a banking application, then substituting the senderACnumber with the receiverACnumber and getting the money into your own account.
Someone has blocked you on Facebook, so you cannot message them? If another (third) person who is friends with both you and the person who blocked you creates a group between the three of you and then leaves the group, you can still message the person who blocked you.
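The like-counter and the stale-admin cases above share one root cause: the server acts on state the client (or an old session) supplied instead of its own records. The following is an added illustration, not code from the original notes or from any of the sites mentioned; the stores (ROLES, LIKES, ACTIVE_SESSIONS) are constructed in-memory stand-ins for a database, and the handler names are hypothetical. It shows a role check that reads the live role on every request beside the flawed version that trusts a role cached at login, and a like handler that is idempotent because the count is derived from a set of user ids rather than incremented per request.

```python
# Constructed in-memory stores standing in for the application database.
ROLES = {"alice": "admin", "bob": "employee"}   # current role per user
LIKES = {}                                       # comment_id -> set of user ids
ACTIVE_SESSIONS = {"sess-bob": "bob"}            # session id -> user id


class Forbidden(PermissionError):
    """Raised when the authenticated user may not perform the action."""


def session_user(session_id):
    """Identity always comes from the server-side session, never from a form field."""
    if session_id not in ACTIVE_SESSIONS:
        raise Forbidden("not authenticated")
    return ACTIVE_SESSIONS[session_id]


def vulnerable_update_org(session_id, cached_role):
    """Trusts a role captured at login time (for example, stored in a cookie
    or a long-lived token). After bob is demoted the stale 'admin' still passes."""
    session_user(session_id)
    if cached_role != "admin":
        raise Forbidden("admin only")
    return "org updated"


def safe_update_org(session_id):
    """Looks the role up at request time, so a demotion takes effect on the
    very next request."""
    user = session_user(session_id)
    if ROLES.get(user) != "admin":
        raise Forbidden("admin only")
    return "org updated"


def like(session_id, comment_id):
    """Idempotent: the count is the size of the set of users who liked the
    comment, so replaying the request cannot inflate it."""
    user = session_user(session_id)
    LIKES.setdefault(comment_id, set()).add(user)
    return len(LIKES[comment_id])


def unlike(session_id, comment_id):
    """Removing a like that is not there is a no-op, not a negative count."""
    user = session_user(session_id)
    LIKES.setdefault(comment_id, set()).discard(user)
    return len(LIKES[comment_id])
```

The same pattern applies to the banking example: the sending account should be resolved from the session user, never read from a request field.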
Response manipulation is also a logical flaw.
Changing product quantity to negative values: suppose you have $100 credit in total and want to buy a jacket of $200. Add one jacket to the cart, so the total price is $200; a pen costs $10, so add a quantity of -10 pens and the amount becomes $200 + (-$10 * 10) = $200 - $100 = $100.
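The negative-price and negative-quantity cases come down to the server summing whatever the client sent. As an added example (not code from the original notes), the block below reproduces the jacket-and-pens arithmetic with a flawed total beside a hardened one. The catalogue is constructed, the client-supplied price is ignored, and each line must carry a positive integer quantity for a known SKU before the total is compared with the customer's credit.

```python
from decimal import Decimal

# Constructed catalogue: the server-side price list is the only trusted source.
CATALOGUE = {
    "jacket": Decimal("200.00"),
    "pen": Decimal("10.00"),
}


class CartError(ValueError):
    """Raised when a cart line fails server-side validation."""


def vulnerable_total(lines):
    """Trusts the quantity and the price exactly as the client sent them.
    lines: list of (sku, quantity, client_price)."""
    return sum(Decimal(price) * qty for _sku, qty, price in lines)


def safe_total(lines):
    """Recomputes the total from the catalogue and rejects any line whose
    quantity is not a positive integer or whose SKU does not exist. The
    client-supplied price is ignored entirely."""
    total = Decimal("0.00")
    for sku, qty, _client_price in lines:
        if sku not in CATALOGUE:
            raise CartError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise CartError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOGUE[sku] * qty
    return total


def checkout(lines, credit):
    """Returns the amount charged, or raises if the order is invalid or
    exceeds the customer's credit."""
    total = safe_total(lines)
    if total > credit:
        raise CartError(f"total {total} exceeds credit {credit}")
    return total
```

Rejecting the line (rather than clamping the quantity to 1 or 0) is deliberate: a tampered cart is a signal worth logging, not something to quietly repair.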
Always input long strings, eg AAAAAAAAAAAAAAAAAAA..., and check whether the application truncates the length. For example: if an employee email is employee@company.com and you can only register with AAAAAAAAAAAAAAAAAAA@attacker.com, but the application takes only up to 30 characters and truncates the rest, then we may be able to register with 18 A characters plus the 12 characters of @company.com followed by .attacker.com: AAAAAAAAAAAAAAAAAA@company.com.attacker.com
Maybe register with your normal email and later change your email to an arbitrary email, eg admin@company.com, to access functionality meant for the company's users.
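The truncation trick works when the value that gets stored differs from the value that was validated and mailed. The following added example (not from the original notes) contrasts a registration routine that truncates to a constructed 30-character limit with one that rejects over-long or malformed input, normalizes case, and grants trusted-domain status only after the exact stored address has been confirmed; an email change goes through the same path, so it drops that status until the new address is confirmed. The limit, domain, regex and the confirmed_addresses set are all assumptions made for the example.

```python
import re

MAX_EMAIL_LEN = 30                 # constructed column limit, matching the note above
TRUSTED_DOMAIN = "company.com"     # domain whose users get extra functionality
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RegistrationError(ValueError):
    """Raised when an address is rejected instead of being silently altered."""


def vulnerable_register(email):
    """Truncates to the column width and then derives trust from the truncated
    value. The confirmation mail, however, would be sent to the full address,
    which ends in a domain the registrant controls."""
    stored = email[:MAX_EMAIL_LEN]
    return stored, stored.lower().endswith("@" + TRUSTED_DOMAIN)


def normalize_and_validate(email):
    """Reject, never truncate: the value that is stored must be exactly the
    value that was validated and that the confirmation mail goes to."""
    if len(email) > MAX_EMAIL_LEN:
        raise RegistrationError("email too long")
    if email.count("@") != 1 or not EMAIL_RE.fullmatch(email):
        raise RegistrationError("malformed email")
    return email.lower()


def safe_register(email, confirmed_addresses):
    """Returns (stored_email, is_company_user). Trusted-domain status is only
    granted once the exact stored address has been confirmed.
    confirmed_addresses: constructed stand-in for the table of addresses that
    completed the confirmation link."""
    stored = normalize_and_validate(email)
    domain = stored.rsplit("@", 1)[1]
    return stored, domain == TRUSTED_DOMAIN and stored in confirmed_addresses


def safe_change_email(account, new_email, confirmed_addresses):
    """An address change takes the same path as registration, so the account
    drops any trusted status until the new address is confirmed."""
    stored, is_company = safe_register(new_email, confirmed_addresses)
    return {**account, "email": stored, "is_company": is_company}
```

The same length check should exist in the database schema and in the application, and the two limits must agree; a shorter column than the application expects is exactly the mismatch this note relies on.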
Removing a parameter and its value entirely from a request, eg:
username=alex&current_password=test&new_password=vest
Here, what about removing the parameter and value for current_password and changing the username to an arbitrary username?
Try directly accessing a certain step (request), skipping a certain step, or accessing a single step more than once in a multi-step process to complete a functionality. eg: placing an order for a product of $10 sends the request
GET /cart/confirm?confirmed=true
Suppose you have only $100 and you add a product of $200, click on place order and replace the request with GET /cart/confirm?confirmed=true; maybe it works?
10% discount on products over $100. What if the order is changed after applying the discount?
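For the password-change request above, the defence is that a missing field is a rejection, not a skipped check, and that the account being changed is the session user rather than the username field. The block below is an added example, not code from the original notes; USERS and SESSIONS are constructed stand-ins, and the handler names are hypothetical. It keeps the flawed handler beside the hardened one so the difference in behaviour on the exact form from the note (username=alex with current_password removed) can be checked.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _set_password(user, new_password):
    salt = os.urandom(16)
    USERS[user] = (salt, _hash(new_password, salt))


# Constructed stores standing in for the user table and the session store.
USERS = {}
_set_password("alex", "test")
SESSIONS = {"sess-alex": "alex"}


class PasswordChangeError(ValueError):
    """Raised whenever a password change request is refused."""


def check_login(user, password):
    salt, digest = USERS[user]
    return hmac.compare_digest(_hash(password, salt), digest)


def vulnerable_change_password(form):
    """Takes the target account from the form and only verifies the current
    password when the client included that field, so dropping the field
    skips the check entirely."""
    user = form["username"]
    if user not in USERS:
        raise PasswordChangeError("no such user")
    if "current_password" in form:
        if not check_login(user, form["current_password"]):
            raise PasswordChangeError("wrong current password")
    _set_password(user, form["new_password"])
    return user


def safe_change_password(session_id, form):
    """The target account is the authenticated session user, and every
    required field must be present and verified before anything is written.
    A username field in the form is simply ignored."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PasswordChangeError("not authenticated")
    for field in ("current_password", "new_password"):
        if not form.get(field):
            raise PasswordChangeError(f"missing {field}")
    if not check_login(user, form["current_password"]):
        raise PasswordChangeError("wrong current password")
    _set_password(user, form["new_password"])
    return user
```

Note that the hardened handler validates presence of every field before touching the store, so the order of checks cannot leak which field was wrong through a partial write.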
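The skipped-step and post-discount-edit cases are both failures to keep the order's state on the server. As an added example (not code from the original notes), the block below models the checkout as a small state machine: the cart is frozen once payment is verified, the confirm handler trusts the server-side state rather than the confirmed=true query parameter, and the 10% discount is recomputed from the current cart on every call instead of being stored as a flag. The prices, the 100-dollar threshold and the class and function names are constructed for the example; vulnerable_confirm is the flawed handler kept for comparison.

```python
from decimal import Decimal
from enum import Enum

PRICES = {"jacket": Decimal("200"), "book": Decimal("50")}   # constructed catalogue
DISCOUNT_THRESHOLD = Decimal("100")                          # 10% off orders over $100


class State(Enum):
    CART = "cart"
    PAYMENT_VERIFIED = "payment_verified"
    CONFIRMED = "confirmed"


class FlowError(RuntimeError):
    """Raised when a request arrives out of order or for an invalid order."""


class Order:
    def __init__(self, credit):
        self.credit = Decimal(credit)
        self.items = {}
        self.state = State.CART

    def _require(self, state):
        if self.state != state:
            raise FlowError(f"expected {state.value}, order is {self.state.value}")

    def add(self, sku, qty=1):
        self._require(State.CART)       # cart is frozen once payment is verified
        if sku not in PRICES or qty <= 0:
            raise FlowError("invalid line")
        self.items[sku] = self.items.get(sku, 0) + qty

    def remove(self, sku, qty=1):
        self._require(State.CART)
        left = self.items.get(sku, 0) - qty
        if left < 0:
            raise FlowError("removing more than present")
        if left == 0:
            self.items.pop(sku, None)
        else:
            self.items[sku] = left

    def subtotal(self):
        return sum((PRICES[s] * q for s, q in self.items.items()), Decimal("0"))

    def total(self):
        """The discount is derived from the current cart on every call; it is
        never stored as a flag that could survive later edits."""
        sub = self.subtotal()
        return sub * Decimal("0.9") if sub > DISCOUNT_THRESHOLD else sub

    def verify_payment(self):
        self._require(State.CART)
        if self.total() > self.credit:
            raise FlowError("insufficient credit")
        self.state = State.PAYMENT_VERIFIED

    def confirm(self, confirmed_param):
        """The confirmed=true query parameter is not the authority; the
        server-side state is. Confirming twice is refused as well."""
        self._require(State.PAYMENT_VERIFIED)
        charged = self.total()
        self.credit -= charged
        self.state = State.CONFIRMED
        return charged


def vulnerable_confirm(order, confirmed_param):
    """The flawed handler: acts on the query parameter alone, so the
    payment-verification step can be skipped and credit goes negative."""
    if confirmed_param != "true":
        raise FlowError("not confirmed")
    charged = order.total()
    order.credit -= charged
    order.state = State.CONFIRMED
    return charged
```

In a real application the Order would live in the database keyed by the session, and any edit endpoint would go through the same state check before writing.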