## Price Manipulation

### Direct Parameter Modification

```text
# Original request
POST /checkout
{"item_id": 1, "quantity": 1, "price": 100.00}

# Manipulated
{"item_id": 1, "quantity": 1, "price": 0.01}
{"item_id": 1, "quantity": 1, "price": -100.00}
{"item_id": 1, "quantity": 1, "price": 0}
```

### Hidden Form Fields

```html
<!-- Original -->
<input type="hidden" name="price" value="99.99">
<!-- Modify to -->
<input type="hidden" name="price" value="0.01">
```

### Currency Manipulation

```text
# Lower value currency
{"price": 100, "currency": "USD"}
→ {"price": 100, "currency": "JPY"} # 100 JPY << 100 USD
```

### Quantity Attacks

```text
# Negative quantity
{"quantity": -1} # Refund?

# Decimal quantity
{"quantity": 0.001}

# Integer overflow
{"quantity": 99999999999}
```
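All four variants above (price, hidden field, currency, quantity) have the same root cause: the server reads the amount to charge from the request instead of computing it. The following is an added example, not code from the original page, showing the defensive pattern a checkout handler should follow: `price` and `currency` in the request are never consulted, the charge is computed from a server-side catalog, and `quantity` is accepted only as a positive integer within a per-item bound. `Item`, `CATALOG` and `price_checkout` are hypothetical names chosen for this illustration; the catalog data is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed catalog for this example; "Item" and "CATALOG" are hypothetical
# names standing in for whatever the real backend uses as its price source.
@dataclass(frozen=True)
class Item:
    item_id: int
    unit_price: Decimal   # Decimal, not float, so 0.01 is exactly 0.01
    currency: str         # the currency the item is sold in; not a request field
    max_per_order: int    # upper bound that also stops absurd quantities

CATALOG = {
    1: Item(item_id=1, unit_price=Decimal("100.00"), currency="USD", max_per_order=10),
    2: Item(item_id=2, unit_price=Decimal("12.50"), currency="USD", max_per_order=100),
}

class CheckoutError(ValueError):
    pass

def validate_quantity(raw) -> int:
    # bool is a subclass of int in Python, so exclude it explicitly; floats,
    # strings, zero and negatives are all rejected rather than coerced.
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise CheckoutError("quantity must be an integer")
    if raw <= 0:
        raise CheckoutError("quantity must be positive")
    return raw

def price_checkout(request: dict) -> dict:
    """Return the server-computed charge for a checkout request.

    Only item_id and quantity are read from the request. A client-supplied
    "price" or "currency" is never consulted, so manipulating those fields
    has no effect on what is charged.
    """
    item = CATALOG.get(request.get("item_id"))
    if item is None:
        raise CheckoutError("unknown item")
    qty = validate_quantity(request.get("quantity"))
    if qty > item.max_per_order:
        raise CheckoutError("quantity exceeds per-order limit")
    total = item.unit_price * qty
    return {
        "item_id": item.item_id,
        "quantity": qty,
        "unit_price": str(item.unit_price),
        "total": str(total),
        "currency": item.currency,
    }
```

When testing, the useful observation is the inverse of this code: if changing `price` or `currency` in the request changes the amount actually charged, the server is trusting a client-controlled field.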
## Payment Bypass

### Skip Payment Step

```text
# Normal flow
/cart → /checkout → /payment → /confirm

# Skip to
/confirm?order_id=123 (skip payment)
/order/complete
```

### Race Condition in Payment

```text
# Multiple simultaneous requests
Thread 1: POST /checkout (item $100, balance $100)
Thread 2: POST /checkout (item $100, balance $100)
# Both succeed before balance updated
```

### Gift Card/Credit Abuse

```text
# Apply negative amount
{"gift_card_amount": -50} # Adds credit

# Reuse one-time code
Apply same code multiple times

# Apply to different orders
Same promotional credit across orders
```
## Coupon/Discount Abuse

### Code Manipulation

```text
# Case sensitivity
SAVE20 = save20?

# Stacking coupons
Apply multiple exclusive discounts

# Expired code reuse
Modify expiry validation client-side
```

### Race Condition

```text
# Limited-use coupon
Simultaneous requests with same coupon
Both may succeed
```

### Reference Manipulation

```text
# Referral codes
Use own referral on own account

# Affiliate codes
Apply self-referral discount
```
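The payment race, the gift-card and coupon reuse, the negative credit amount, the case-sensitivity mismatch, the client-side expiry check and the self-referral all come down to a redemption path that does not check-and-consume atomically, or that lets the client decide part of the rule. This added example (not code from the original page) shows one server-side ledger that closes all of them: codes are normalized to a single canonical form, expiry and exclusivity are evaluated on the server, the remaining-use counter and gift-card balance are decremented inside the same critical section that checks them, negative amounts are refused before any balance is touched, and a referral needs two distinct accounts. `RedemptionLedger`, `Coupon` and the sample codes are constructed for this illustration; the lock here stands in for whatever row-level lock or atomic conditional update the real datastore provides.

```python
import threading
from dataclasses import dataclass
from datetime import date

class RedemptionError(ValueError):
    pass

@dataclass
class Coupon:
    code: str          # stored already normalized (see normalize_code)
    percent_off: int
    expires: date      # checked on the server at redemption time
    exclusive: bool    # True: may not be combined with any other coupon
    uses_left: int     # remaining redemptions across all orders

def normalize_code(raw: str) -> str:
    # One canonical form, so "SAVE20", "save20" and " Save20 " are the same
    # coupon and cannot be redeemed once per spelling.
    return raw.strip().upper()

class RedemptionLedger:
    """Redeems coupons and spends gift-card balances under one lock, so two
    simultaneous requests cannot both take the last use or the same balance."""

    def __init__(self, coupons, gift_card_balances):
        self._lock = threading.Lock()
        self._coupons = {c.code: c for c in coupons}
        self._gift_cards = dict(gift_card_balances)   # code -> balance in cents
        self.audit = []                               # (order_id, kind, code)

    def redeem_coupon(self, order_id, raw_code, today, already_applied=()):
        code = normalize_code(raw_code)
        applied = {normalize_code(a) for a in already_applied}
        with self._lock:
            coupon = self._coupons.get(code)
            if coupon is None:
                raise RedemptionError("unknown coupon")
            if today > coupon.expires:
                raise RedemptionError("coupon expired")
            if coupon.uses_left <= 0:
                raise RedemptionError("coupon exhausted")
            others_exclusive = any(
                self._coupons[a].exclusive for a in applied if a in self._coupons
            )
            if applied and (coupon.exclusive or others_exclusive):
                raise RedemptionError("cannot stack exclusive coupons")
            coupon.uses_left -= 1        # check and decrement in one critical section
            self.audit.append((order_id, "coupon", code))
            return coupon.percent_off

    def spend_gift_card(self, order_id, code, amount_cents):
        # A zero or negative "payment" is refused before any balance is read;
        # otherwise a negative amount would credit the card instead of debiting it.
        if isinstance(amount_cents, bool) or not isinstance(amount_cents, int) or amount_cents <= 0:
            raise RedemptionError("gift card amount must be a positive integer")
        with self._lock:
            balance = self._gift_cards.get(code)
            if balance is None or balance < amount_cents:
                raise RedemptionError("insufficient gift card balance")
            self._gift_cards[code] = balance - amount_cents
            self.audit.append((order_id, "gift_card", code))
            return self._gift_cards[code]

def validate_referral(referrer_account_id, referred_account_id):
    # A referral bonus requires two distinct accounts; matching ids are refused.
    if referrer_account_id == referred_account_id:
        raise RedemptionError("self-referral is not allowed")
    return True

def race_single_use(ledger, code, attempts=20):
    """Fire `attempts` concurrent redemptions of one coupon and return
    (successes, failures); with one use left this must come out (1, attempts-1)."""
    results = []
    def worker(i):
        try:
            ledger.redeem_coupon(f"order-{i}", code, today=date(2025, 1, 1))
            results.append(True)
        except RedemptionError:
            results.append(False)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True), results.count(False)

def sample_ledger():
    # Constructed data for the demonstration; not real coupon codes.
    return RedemptionLedger(
        coupons=[
            Coupon("SAVE20", 20, date(2025, 12, 31), exclusive=True, uses_left=5),
            Coupon("BULK5", 5, date(2025, 12, 31), exclusive=False, uses_left=100),
            Coupon("ONCE", 50, date(2025, 12, 31), exclusive=False, uses_left=1),
        ],
        gift_card_balances={"GC-EXAMPLE": 5000},
    )
```

`race_single_use` is the check a tester and a developer both want: with the lock in place it returns `(1, 19)`; remove the `with self._lock:` and the same call can return several successes, which is exactly the "both may succeed" outcome the notes above describe.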
## Workflow Bypass

### Step Skipping

```text
# E-commerce
Cart → Address → Payment → Confirm
        ↓
Jump directly to Confirm

# Registration
Email verify → Complete profile
        ↓
Skip verification, access profile
```

### State Manipulation

```text
# Order status
{"status": "pending"} → {"status": "shipped"}

# Subscription
{"plan": "free"} → {"plan": "premium"}
```

### Process Replay

```text
# Replay successful transaction
Capture /process-payment response
Replay to complete new orders
```
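Step skipping (including the payment skip from the Payment Bypass section), client-set status fields and replayed payment confirmations are all failures to enforce a state machine on the server. The example below is added here and is not code from the original page: order state can only change through a fixed transition table, privileged transitions (payment captured, shipped) are refused when requested by a client rather than a trusted backend actor, and each payment reference is consumed exactly once so a captured `/process-payment` result cannot be replayed against a second order. `OrderService`, the action names and the `psp` actor label are hypothetical; a real system would persist the state and the seen-reference set transactionally instead of in memory.

```python
from enum import Enum

class OrderState(Enum):
    CART = "cart"
    ADDRESS = "address"
    PAYMENT = "payment"
    PAID = "paid"
    CONFIRMED = "confirmed"
    SHIPPED = "shipped"

# Every legal transition, keyed by (action, current state). Anything not listed,
# such as confirming straight from the cart, is refused. There is deliberately
# no "set_status" action: a request body carrying {"status": "shipped"} has no
# path into the state field at all.
TRANSITIONS = {
    ("set_address", OrderState.CART): OrderState.ADDRESS,
    ("start_payment", OrderState.ADDRESS): OrderState.PAYMENT,
    ("payment_captured", OrderState.PAYMENT): OrderState.PAID,
    ("confirm", OrderState.PAID): OrderState.CONFIRMED,
    ("ship", OrderState.CONFIRMED): OrderState.SHIPPED,
}

# Transitions only a trusted backend actor (payment provider callback, fulfilment
# system) may drive. A client request naming one is rejected whatever the state.
SERVER_ONLY_ACTIONS = {"payment_captured", "ship"}

class WorkflowError(ValueError):
    pass

class Order:
    def __init__(self, order_id):
        self.order_id = order_id
        self.state = OrderState.CART
        self.history = []        # (from_state, action, to_state) for auditing

class OrderService:
    def __init__(self):
        self._orders = {}
        self._seen_payment_refs = set()   # payment references already consumed

    def create(self, order_id):
        self._orders[order_id] = Order(order_id)
        return self._orders[order_id]

    def get(self, order_id):
        return self._orders[order_id]

    def apply(self, order_id, action, actor="client", payment_ref=None):
        order = self._orders[order_id]
        if actor == "client" and action in SERVER_ONLY_ACTIONS:
            raise WorkflowError(f"{action} is not a client action")
        nxt = TRANSITIONS.get((action, order.state))
        if nxt is None:
            raise WorkflowError(f"cannot {action} from state {order.state.value}")
        if action == "payment_captured":
            # A payment confirmation is bound to one order and processed once;
            # presenting the same reference again (replay) is refused.
            if payment_ref is None or payment_ref in self._seen_payment_refs:
                raise WorkflowError("missing or already-used payment reference")
            self._seen_payment_refs.add(payment_ref)
        order.history.append((order.state, action, nxt))
        order.state = nxt
        return nxt
```

The same table-driven approach applies to the registration flow in the notes (verify e-mail before completing the profile) and to subscription plans: the plan changes through a billing transition the server performs, never through a `plan` attribute the client writes.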
## Access Control Logic

### Role Confusion

```text
# Mixed permissions
User is both "seller" and "buyer"
Create item as seller, buy as buyer with discount
```

### Feature Flag Bypass

```text
# Hidden features enabled
?beta=true
?feature=premium
?debug=1
```

### License/Subscription Bypass

```text
# Trial extension
Change trial end date
Modify subscription tier

# Unlimited trial
Keep creating new accounts
```
## File Upload Logic

### Size Limit Bypass

```text
# Chunked upload
Split large file into small chunks

# Compression
Upload compressed, decompress on server (zip bomb)
```

### Type Validation Bypass

```text
# Content-Type manipulation
Upload .php with image/jpeg Content-Type

# Extension bypass
file.php.jpg
file.jpg.php
file.php%00.jpg
```

### Count Limit Bypass

```text
# Max files limit
Race condition: Upload simultaneously
Overwrite existing: Same filename
```
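Each bypass in this section targets a different trusted input: the declared size or chunking, the `Content-Type` header, the client filename, or a count check that is read and then written non-atomically. The added example below (not code from the original page) shows the corresponding server-side handling: the body is read through a hard byte cap so the count reflects bytes actually received, the file type is determined from magic bytes and the stored extension is derived from that, the stored name is random so no client filename (double extension, null byte, or a name that would overwrite another file) ever reaches the filesystem, an archive's declared expanded size is checked before extraction, and the per-user count check and insert share one critical section. `UploadStore`, the limits and the sample bytes are constructed for this illustration.

```python
import io
import secrets
import threading
import zipfile

MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # hard cap on one stored upload
MAX_DECOMPRESSED_BYTES = 50 * 1024 * 1024   # cap on what an archive may expand to
MAX_FILES_PER_USER = 10

# Accepted magic-byte signatures. The stored extension comes from the sniffed
# type, never from the client's filename or Content-Type header.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

class UploadRejected(ValueError):
    pass

def read_capped(stream, cap: int) -> bytes:
    # Read at most cap+1 bytes: an oversized body is detected without buffering
    # all of it, and the bytes actually received are what gets counted, not a
    # declared Content-Length or the size of any individual chunk.
    data = stream.read(cap + 1)
    if len(data) > cap:
        raise UploadRejected("file too large")
    return data

def sniff_image_type(data: bytes) -> str:
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not an allowed image type")

def storage_name(sniffed_ext: str) -> str:
    # Random name plus allowlisted extension; a client name such as
    # "file.php.jpg" or "file.php%00.jpg" is never used for the stored file,
    # and a repeated client filename cannot overwrite an earlier upload.
    return f"{secrets.token_hex(16)}.{sniffed_ext}"

def zip_declared_size(data: bytes) -> int:
    # Sum the declared uncompressed sizes before extracting anything. Headers
    # can lie, so any later extraction must also be read through read_capped.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        total = sum(info.file_size for info in zf.infolist())
    if total > MAX_DECOMPRESSED_BYTES:
        raise UploadRejected("archive expands beyond the allowed size")
    return total

class UploadStore:
    def __init__(self):
        self._lock = threading.Lock()
        self._files = {}   # user_id -> list of stored names

    def accept(self, user_id, stream):
        data = read_capped(stream, MAX_UPLOAD_BYTES)
        ext = sniff_image_type(data)       # the Content-Type header is not consulted
        name = storage_name(ext)
        with self._lock:
            # Count check and insert in one critical section, so parallel uploads
            # cannot each observe "9 files" and all be admitted.
            files = self._files.setdefault(user_id, [])
            if len(files) >= MAX_FILES_PER_USER:
                raise UploadRejected("file count limit reached")
            files.append(name)
        return name

    def count(self, user_id) -> int:
        return len(self._files.get(user_id, []))

# Constructed sample inputs for the demonstration.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_NON_IMAGE = b"<?php echo 1; ?>"

def as_stream(data: bytes):
    return io.BytesIO(data)

def sample_zip(payload_size: int) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"0" * payload_size)
    return buf.getvalue()
```

A magic-byte check alone does not make an upload safe to serve: the stored file should also be served from a separate origin or with a `Content-Disposition: attachment` header, and never from a path where the web server would execute it.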
## E-commerce Specific

### Cart Manipulation

```text
# Add item at wrong price
1. Add item at sale price
2. Wait for sale to end
3. Complete checkout at old price
```

### Inventory Bypass

```text
# Out of stock items
Modify quantity parameter
Race condition during limited stock

# Reserved items
Access items reserved for others
```

### Shipping Calculation

```text
# Free shipping threshold
Cart = $49, need $50 for free shipping
Add $1 item, get free shipping, cancel $1 item
```
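The three e-commerce cases share a pattern: a value that should be derived (the price at checkout, the shipping charge, the units available) is instead stored once and trusted later. This added example, not code from the original page, prices the order from the current catalog at quote time, recomputes shipping from the subtotal on every change so removing the $1 item brings the shipping charge back, and reserves stock atomically and per order so concurrent orders cannot both take the last unit and one order cannot release another's reservation. `Inventory`, `Order`, the thresholds and the sample stock and prices are constructed for this illustration.

```python
import threading
from decimal import Decimal

FREE_SHIPPING_THRESHOLD = Decimal("50.00")
STANDARD_SHIPPING = Decimal("5.99")

class OrderError(ValueError):
    pass

class Inventory:
    """Stock counts with per-order reservations; reserve/release are atomic so
    concurrent orders cannot both take the last unit."""

    def __init__(self, stock):
        self._lock = threading.Lock()
        self._available = dict(stock)     # item_id -> unreserved units
        self._reservations = {}           # (order_id, item_id) -> units

    def reserve(self, order_id, item_id, qty):
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise OrderError("quantity must be a positive integer")
        with self._lock:
            if self._available.get(item_id, 0) < qty:
                raise OrderError("insufficient stock")
            self._available[item_id] -= qty
            key = (order_id, item_id)
            self._reservations[key] = self._reservations.get(key, 0) + qty

    def release(self, order_id, item_id) -> int:
        # Only the reserving order can release its own units; another order's
        # reservation is not reachable through this call.
        with self._lock:
            qty = self._reservations.pop((order_id, item_id), 0)
            self._available[item_id] = self._available.get(item_id, 0) + qty
            return qty

    def available(self, item_id) -> int:
        return self._available.get(item_id, 0)

class Order:
    def __init__(self, order_id, inventory):
        self.order_id = order_id
        self._inventory = inventory
        self._lines = {}                  # item_id -> qty; no prices are stored here

    def add(self, item_id, qty):
        self._inventory.reserve(self.order_id, item_id, qty)
        self._lines[item_id] = self._lines.get(item_id, 0) + qty

    def remove(self, item_id):
        self._inventory.release(self.order_id, item_id)
        self._lines.pop(item_id, None)

    def quote(self, catalog) -> dict:
        """Price the order from the *current* catalog (item_id -> Decimal).

        Shipping is derived from the subtotal on every call, so dropping an item
        after crossing the free-shipping threshold restores the charge, and a
        sale that has ended is reflected at checkout rather than frozen at the
        moment the item was added to the cart."""
        subtotal = Decimal("0.00")
        for item_id, qty in self._lines.items():
            if item_id not in catalog:
                raise OrderError(f"item {item_id} is no longer sold")
            subtotal += catalog[item_id] * qty
        shipping = Decimal("0.00") if subtotal >= FREE_SHIPPING_THRESHOLD else STANDARD_SHIPPING
        return {"subtotal": str(subtotal), "shipping": str(shipping), "total": str(subtotal + shipping)}
```

The test for the shipping case is simply to take the same three actions the notes describe (add, cross the threshold, remove) and confirm the final quote charges shipping again; if it does not, the charge was computed once and cached.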
## Contest/Voting Logic

### Vote Manipulation

```text
# Multiple votes
Session manipulation
Cookie change
IP rotation
Create multiple accounts
```

### Timing Attacks

```text
# Submit after deadline
Modify timestamp
Race condition before close
```
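Vote and timing manipulation both exploit the server keying a decision on something the client controls: a session or cookie value, a source IP, or a submitted timestamp. The added example below (not code from the original page) ties each vote to the authenticated, verified account and to the server clock only; whatever the request carries is irrelevant to who voted and when. `Poll`, `FixedClock` and the sample accounts are constructed for this illustration. It does not address the "create multiple accounts" case, which is a registration-policy problem (verification, rate limiting) rather than a voting-logic one.

```python
from collections import Counter
from datetime import datetime, timezone

class VoteError(ValueError):
    pass

def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

class FixedClock:
    # Stand-in for the server clock so the deadline logic can be exercised
    # deterministically; production code would use datetime.now(timezone.utc).
    def __init__(self, now):
        self.now = now
    def __call__(self):
        return self.now

class Poll:
    def __init__(self, closes_at, accounts, clock=None):
        self.closes_at = closes_at
        self._accounts = accounts                 # account_id -> {"verified": bool}
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._votes = {}                          # account_id -> option

    def cast(self, account_id, option, request):
        # `account_id` is the server's authenticated identity for the caller.
        # Nothing in `request` (cookies, session ids, source IP, a "timestamp"
        # field) influences who is voting or what time it is.
        now = self._clock()
        if now >= self.closes_at:
            raise VoteError("poll is closed")
        account = self._accounts.get(account_id)
        if account is None or not account.get("verified"):
            raise VoteError("only verified accounts may vote")
        if account_id in self._votes:
            raise VoteError("account has already voted")
        self._votes[account_id] = option
        return len(self._votes)

    def tally(self):
        return dict(Counter(self._votes.values()))
```

The "race condition before close" entry is handled by the same ordering: the clock is read once at the start of `cast` and the vote is recorded only if that reading was before the deadline, so a burst of requests straddling the close cannot be accepted late.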
## API-Specific Logic

### Field Injection

```text
# Add unexpected fields
POST /update-profile
{"name": "John", "role": "admin"}

# Mass assignment
Submit all user object fields
```

### Type Confusion

```text
# String vs Integer
{"age": "25"} vs {"age": 25}

# Array vs String
{"id": "1"} vs {"id": ["1", "2"]}
```
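Field injection, mass assignment and type confusion are all solved by the same thing: an explicit allowlist of client-writable fields with exact types, applied before anything touches the stored object. The example below is added here and is not code from the original page; it also covers the Feature Flag and License/Subscription Bypass entries from the Access Control section, since `role`, `plan`, `status` and trial dates are simply absent from the allowlist, and feature access is decided from the stored account record rather than from `?feature=premium`-style query parameters. `PROFILE_SCHEMA`, `FEATURE_REQUIREMENTS` and the field names are constructed for this illustration.

```python
# Allowlist of client-writable profile fields and the exact type each must
# have. Privileged attributes ("role", "plan", "status", "trial_ends", ...) are
# not in the schema, so a request carrying them is refused outright.
PROFILE_SCHEMA = {
    "name": str,
    "age": int,
    "newsletter": bool,
}

class ValidationError(ValueError):
    pass

def validate_payload(payload, schema):
    """Return a copy of payload containing only schema fields, each with the
    exact type the schema demands. Unknown fields are an error rather than
    silently dropped, so probing for hidden fields shows up in error logs."""
    if not isinstance(payload, dict):
        raise ValidationError("payload must be an object")
    unexpected = sorted(set(payload) - set(schema))
    if unexpected:
        raise ValidationError(f"unexpected fields: {unexpected}")
    clean = {}
    for field, expected in schema.items():
        if field not in payload:
            continue
        value = payload[field]
        # Strict typing: "25" is not an int, True is not an int (bool subclasses
        # int), and a list is not a str, so no coercion path changes meaning.
        if expected is int and isinstance(value, bool):
            raise ValidationError(f"{field} must be an integer")
        if not isinstance(value, expected):
            raise ValidationError(f"{field} must be {expected.__name__}")
        clean[field] = value
    return clean

def parse_resource_id(raw) -> int:
    # Accept exactly one non-negative integer id, as an int or an ASCII digit
    # string. Arrays such as {"id": ["1", "2"]} are rejected before any lookup.
    if isinstance(raw, bool):
        raise ValidationError("id must be an integer")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 18:
        value = int(raw)
    else:
        raise ValidationError("id must be a single integer")
    if value < 0:
        raise ValidationError("id must be non-negative")
    return value

def update_profile(stored_user: dict, payload: dict) -> dict:
    updated = dict(stored_user)
    updated.update(validate_payload(payload, PROFILE_SCHEMA))
    return updated

# Feature access is a function of the stored account record. Query parameters
# are accepted by feature_enabled only so the signature mirrors a request
# handler; they are deliberately never read.
FEATURE_REQUIREMENTS = {
    "premium": lambda user: user.get("plan") == "premium",
    "beta": lambda user: user.get("beta_tester") is True,
    "debug": lambda user: False,   # no account attribute can turn this on
}

def feature_enabled(stored_user: dict, feature: str, query_params: dict) -> bool:
    del query_params                       # intentionally ignored
    check = FEATURE_REQUIREMENTS.get(feature)
    return bool(check and check(stored_user))
```

If the API is built on a framework with model binding, the equivalent is to bind requests to a dedicated input type that lists only these fields, never to the persistence model itself.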
## Testing Methodology

### Understand the Flow

```text
1. Map all application workflows
2. Identify each step's purpose
3. Find trust boundaries
4. Note where validation occurs
```

### Test Points

```text
□ Remove/modify parameters
□ Skip workflow steps
□ Replay previous requests
□ Test boundary conditions
□ Race condition testing
□ Negative value testing
□ Type manipulation
```

### Questions to Ask

```text
- What if I skip this step?
- What if I change this value?
- What if I do this twice?
- What if I use negative numbers?
- What assumptions does the app make?
```
## Bug Bounty Tips

### High-Value Targets

```text
- Payment processing
- Discount/coupon systems
- Subscription management
- Referral programs
- Credit/point systems
- Order processing
- Inventory management
```

### Impact Demonstration

```text
1. Show financial impact
2. Calculate potential abuse scale
3. Demonstrate reproducibility
4. Show bypass of business rules
```

### Documentation

```text
- Clear step-by-step reproduction
- Screenshot each step
- Show expected vs actual behavior
- Calculate business impact
```