BIPI

Business Logic Flaw Testing: What Scanners Always Miss

Cybersecurity

Negative quantities, coupon stacking, and workflow skips do not appear in any signature database. Here's how to systematically test business logic and the server-side authority pattern that prevents the entire class.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 20, 2025 · 9 min read

#business-logic #pentest #api-security

Burp Active Scan and nuclei find injection bugs and misconfigurations. They cannot find the bug where adding a coupon twice gives 200 percent discount, or where setting quantity to negative one credits your account. Business logic flaws require human analysis of intent versus implementation, which is why they are still the highest ROI category on bounty programs.

How to test for it

Map every state-changing endpoint in the application, then enumerate the business rules that should govern it. For each rule, design a request that violates it. Document the expected outcome before sending the request, so you can recognize success when the violation produces an unintended effect.

  • Quantity tampering: set quantity to 0, -1, 0.5, 99999999, and 1.0e308. Watch totals and inventory.
  • Price tampering: when price is in the request body, change it to 0.01, to a negative number, or to a different currency code.
  • Coupon stacking: apply the same coupon twice, two different coupons, expired plus active, percent on top of percent.
  • Currency confusion: place an order in JPY, change to USD before payment, observe whether the dollar amount equals the yen number.
  • Workflow skip: hit the order-confirmation endpoint without going through payment, or password-reset-complete without password-reset-request.
  • Role tampering: change role from user to admin in the JSON body of a profile update.
  • Voucher reuse: issue a refund as voucher, redeem it twice in parallel (the race condition crossover).
  • Negative test: do exactly the documented happy path, then change one parameter at a time and observe.

Caido's HTTPQL queries help isolate every endpoint that takes a price or quantity parameter so you can sweep them systematically. For multi-step workflows, record the full sequence in Burp's Logger++ and then replay individual steps out of order or skipped entirely.

A taxonomy that helps

Most business logic bugs fit into four buckets. Authorization bugs (acting on resources you should not). State bugs (skipping or revisiting workflow steps). Numeric bugs (negative, zero, overflow, decimal precision). Concurrency bugs (race conditions on state, covered separately). Walk each bucket against each endpoint and you will find the bug.

Detection

Log every transaction with input amounts and computed totals. Alert on totals below cost basis, on negative line items, on coupon redemptions exceeding configured limits per user, and on state transitions that skip required prior states. Anomaly detection on order-value distributions catches the bulk-exploitation pattern even when individual requests look plausible.

Remediation

  1. Make the server authoritative on every value that affects price, role, or state. Look up price by SKU server-side, never trust the body.
  2. Validate ranges on every numeric input. Quantity must be integer, greater than zero, less than configured max. Reject everything else with a 400.
  3. Enforce workflow state machines server-side. Track current state in the database, reject transitions that violate the allowed graph.
  4. Apply coupon rules at the database level with constraints: unique constraint on (user_id, coupon_id) prevents double-redemption regardless of code path.
  5. Recompute totals on the server using server-known prices and rules, then compare to client-asserted totals if any. Reject mismatches.
  6. Treat every API endpoint as if it were called by an attacker with full knowledge of your schema. Authorize every field on every call.

If the client can change a value and the server respects it, that value is whatever an attacker wants it to be.
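As an added example (not code from the post or from BIPI), the server-authority pattern from the list above in Python: prices looked up by SKU, quantities range-checked, coupons single-use per user, a server-side workflow state machine, and a server-recomputed total that is only compared against what the client asserts. The catalogue, coupon table, transition graph and the in-memory REDEEMED set are constructed stand-ins for database tables.

```python
from dataclasses import dataclass, field
from decimal import Decimal
# Constructed stand-ins for database tables; no value below is ever read from the request body.
CATALOGUE = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("5.00")}  # sku -> unit price
COUPONS = {"SAVE10": Decimal("0.10")}  # code -> fractional discount, one use per user
MAX_QTY = 100
TRANSITIONS = {"cart": {"payment_pending"}, "payment_pending": {"paid"}, "paid": {"confirmed"}}  # allowed next states
REDEEMED = set()  # (user_id, coupon_id) pairs, standing in for the unique constraint

class OrderError(ValueError): pass  # any refused client value; the HTTP layer maps it to a 400

@dataclass
class Order:
    user_id: str
    state: str = "cart"
    lines: dict = field(default_factory=dict)  # sku -> validated quantity
    coupon: str = ""

def validate_qty(qty) -> int:
    # bool is an int subclass, so exclude it explicitly; floats, strings, 0, negatives and huge values fail
    if isinstance(qty, bool) or not isinstance(qty, int) or not 0 < qty <= MAX_QTY:
        raise OrderError(f"quantity must be an integer between 1 and {MAX_QTY}")
    return qty

def add_line(order, sku, qty):
    if sku not in CATALOGUE:  # price is not a parameter: it is looked up by SKU at checkout
        raise OrderError("unknown sku")
    order.lines[sku] = validate_qty(qty)

def apply_coupon(order, code):
    if code not in COUPONS:
        raise OrderError("unknown or expired coupon")
    if order.coupon or (order.user_id, code) in REDEEMED:
        raise OrderError("coupon already redeemed")  # blocks stacking and a second redemption alike
    order.coupon = code
    REDEEMED.add((order.user_id, code))

def transition(order, new_state):
    if new_state not in TRANSITIONS.get(order.state, set()):
        raise OrderError(f"cannot move from {order.state} to {new_state}")
    order.state = new_state

def checkout(order, client_total):
    total = sum((CATALOGUE[s] * q for s, q in order.lines.items()), Decimal("0"))
    total = (total - total * COUPONS.get(order.coupon, Decimal("0"))).quantize(Decimal("0.01"))
    if total <= 0 or total != client_total:  # the client's total is compared, never used
        raise OrderError("total mismatch")
    transition(order, "payment_pending")  # only a "cart" order may enter checkout
    return total
```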

Validation

After fixes, re-run every documented violation and confirm rejection with a 400 plus structured error. Add property-based tests using hypothesis or fast-check that generate random inputs and assert invariants like totals never go negative, no user can redeem the same coupon twice, no order can complete without a confirmed payment. BIPI's business logic engagements deliver an invariant catalog you can encode as test fixtures and run on every deploy.
