Business Logic & Abuse

Business Logic Flaws · Logic Bugs · Workflow Exploitation

Business Logic & Abuse vulnerabilities at a glance

What it is: These are vulnerabilities in the application's business rules and workflows that allow attackers to abuse legitimate functionality in unintended ways, such as bypassing pricing, manipulating workflows, or exploiting race conditions.
Why it happens: Business logic flaws cannot be detected by simple pattern matching, and the abusive requests often look like legitimate user behavior.
How to fix: The specific fixes depend on the exact type of vulnerability, but generally you will need robust validation of every action, both individually and for its cumulative effects.

Overview

Business logic vulnerabilities occur when application functionality can be used in ways the designers never intended, often through legitimate API calls and user actions. Unlike injection vulnerabilities that exploit technical weaknesses, business logic flaws exploit gaps in the application's rules and assumptions.

These vulnerabilities are particularly dangerous because they require understanding the specific business context and can't be detected through simple pattern matching. Attackers might purchase items at manipulated prices, skip required workflow steps, exploit timing windows between operations, or abuse features to cause financial loss.

sequenceDiagram
    participant Attacker
    participant App as App Server
    participant DB
    Attacker->>App: POST /checkout (manipulated price)
    App->>DB: INSERT order (price=-100)
    DB-->>App: Order created
    App-->>Attacker: 200 OK (negative total = credit)
    Note over App: Missing: Server-side price validation<br/>Missing: Business rule enforcement
A potential flow for a Business Logic & Abuse exploit

Where it occurs

Business logic flaws occur in application workflows that lack proper state management, server-side validation, or enforcement of business rules and assumptions.

Impact

Business logic vulnerabilities directly impact the bottom line through fraudulent transactions, inventory manipulation, unauthorized discounts, and service abuse.

Prevention

The specific approach to preventing these issues depends on the exact vulnerability, but generally you will need robust server-side validation of every user action and input, and a check that each request, and the sequence of requests it belongs to, still satisfies the underlying business rules.

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies business logic and abuse vulnerabilities, and related issues, in your codebase.

Scan Your Code for Free