Business Logic Flaws: A Practical Pentester Checklist
Business logic bugs do not show up on scanners. A field checklist for finding the flaws that turn workflows into wealth transfers.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 21, 2024 · 10 min read
Business logic vulnerabilities are the highest-impact bugs that automated tooling will never find. They live in the gap between what the developer assumed users would do and what attackers actually do. The only way to find them is to model the workflow itself, state by state.
How to Model a Workflow
- List every state the resource can occupy
- List every transition between states and the auth required
- Identify the invariants the developer relies on, such as "price is always greater than zero" or "step 3 can only follow step 2"
- Map every input that influences a transition, including hidden fields and headers
- Ask what happens if you skip, repeat, reverse, or parallelize a step
The Pentester Checklist
- Negative quantities: cart items, transfer amounts, loyalty points
- Currency mismatch: pay in one currency for an item priced in another
- Coupon stacking: combine codes that should be exclusive
- Role downgrade then upgrade to bypass approval queues
- Refund after partial fulfillment to net positive value
- Replay of confirmation tokens across users
- Skip OTP step by directly hitting the post-OTP endpoint
- Use a friend referral code on your own account
- Cancel an order in shipped state to keep goods and money
Trust Boundary Audits
Every parameter that crosses a trust boundary is suspect. Hidden form fields, JWT claims read without verification, mobile-only headers, and signed URLs with weak parameter binding are recurring sources of logic bypass.
Multi-Step Workflow Attacks
- Complete steps out of order: submit step 5 directly with crafted state
- Submit the same step twice with different values
- Branch the workflow: start as user A, switch to user B mid-flow
- Abandon and resume hours later when conditions changed
If you can describe the workflow in plain English, you can find the logic bug. Tooling cannot read the spec; you can.
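The remediation for everything in the two lists above is the same: the server owns the state machine and the client only names an action. The following is an added example, not code from the original post or from BIPI; it models a hypothetical checkout flow (the states, transitions, roles and one-hour step timeout are all constructed for illustration) and shows how each multi-step trick from the list is rejected: skipping ahead to the post-OTP step, double-submitting a step, switching to another user mid-flow, resuming a stale flow, and cancelling an order that is already shipped.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Hypothetical checkout workflow, constructed for this example.
# TRANSITIONS maps (current_state, action) -> (next_state, roles allowed to trigger it).
# Anything not listed is not a transition, so "submit step 5 directly", "cancel while
# shipped" and "ship as a customer" all fall through to rejection.
TRANSITIONS: Dict[Tuple[str, str], Tuple[str, Set[str]]] = {
    ("cart", "add_address"):  ("addressed", {"customer"}),
    ("addressed", "pay"):     ("paid", {"customer"}),
    ("paid", "verify_otp"):   ("confirmed", {"customer"}),
    ("confirmed", "ship"):    ("shipped", {"warehouse"}),
    ("shipped", "deliver"):   ("delivered", {"warehouse"}),
    ("cart", "cancel"):       ("cancelled", {"customer"}),
    ("addressed", "cancel"):  ("cancelled", {"customer"}),
    ("paid", "cancel"):       ("cancelled", {"customer"}),
    ("confirmed", "cancel"):  ("cancelled", {"customer", "support"}),
}

# Invariant: a customer-driven flow idle longer than this restarts from the cart,
# so "abandon and resume hours later" cannot reuse conditions that no longer hold.
STEP_TTL = timedelta(hours=1)


class WorkflowError(Exception):
    """Raised for any request the state machine does not explicitly allow."""


@dataclass
class Order:
    order_id: str
    owner: str                      # taken from the authenticated session, never the body
    state: str = "cart"
    last_transition: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    applied_keys: Dict[str, str] = field(default_factory=dict)   # idempotency key -> action


def transition(order: Order, action: str, actor: str, role: str,
               idempotency_key: str, now: Optional[datetime] = None) -> str:
    """Apply one step. The server picks the next state; the client only names an action."""
    now = now or datetime.now(timezone.utc)

    # Double submit: a key already applied is a no-op for the same action and a
    # conflict for a different one (same step, different values).
    if idempotency_key in order.applied_keys:
        if order.applied_keys[idempotency_key] != action:
            raise WorkflowError("idempotency key reused with a different action")
        return order.state

    # Mid-flow user switch: customers act only on their own order.
    if role == "customer" and actor != order.owner:
        raise WorkflowError("order belongs to another user")

    try:
        next_state, allowed_roles = TRANSITIONS[(order.state, action)]
    except KeyError:
        raise WorkflowError(f"{action!r} is not valid from state {order.state!r}") from None

    if role not in allowed_roles:
        raise WorkflowError(f"role {role!r} may not perform {action!r}")

    # Abandon and resume: stale customer flows must restart.
    if role == "customer" and order.state != "cart" and now - order.last_transition > STEP_TTL:
        raise WorkflowError("flow expired; restart from cart")

    order.state = next_state
    order.last_transition = now
    order.applied_keys[idempotency_key] = action
    return order.state


def try_transition(order: Order, *args, **kwargs) -> str:
    """Returns the new state, or 'REJECTED: <reason>'."""
    try:
        return transition(order, *args, **kwargs)
    except WorkflowError as exc:
        return f"REJECTED: {exc}"


def exercise_checklist() -> Dict[str, str]:
    """Runs the multi-step checklist against a fresh order (constructed scenario)."""
    t0 = datetime(2024, 11, 21, 9, 0, tzinfo=timezone.utc)
    order = Order("ord-1", owner="alice", last_transition=t0)
    r: Dict[str, str] = {}
    r["skip_to_otp"] = try_transition(order, "verify_otp", "alice", "customer", "k1", now=t0)
    r["step1"] = try_transition(order, "add_address", "alice", "customer", "k2", now=t0)
    r["step1_replay"] = try_transition(order, "add_address", "alice", "customer", "k2", now=t0)
    r["key_reuse"] = try_transition(order, "pay", "alice", "customer", "k2", now=t0)
    r["other_user"] = try_transition(order, "pay", "bob", "customer", "k3", now=t0)
    r["stale_resume"] = try_transition(order, "pay", "alice", "customer", "k4", now=t0 + timedelta(hours=3))
    r["pay"] = try_transition(order, "pay", "alice", "customer", "k5", now=t0 + timedelta(minutes=5))
    r["otp"] = try_transition(order, "verify_otp", "alice", "customer", "k6", now=t0 + timedelta(minutes=6))
    r["customer_ships"] = try_transition(order, "ship", "alice", "customer", "k7", now=t0 + timedelta(minutes=7))
    r["ship"] = try_transition(order, "ship", "wh-1", "warehouse", "k8", now=t0 + timedelta(minutes=8))
    r["cancel_shipped"] = try_transition(order, "cancel", "alice", "customer", "k9", now=t0 + timedelta(minutes=9))
    return r


if __name__ == "__main__":
    for name, outcome in exercise_checklist().items():
        print(f"{name:16} {outcome}")
```

The design point is that the transition table is the spec: if a reviewer can read it in plain English, every "what if I skip, repeat, reverse or parallelize" question has a visible answer, and the idempotency keys and owner check close the repeat and branch cases without per-endpoint special-casing.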
Pricing and Discount Bugs
Coupon and discount logic is a goldmine. Test negative discounts, percentages above 100, expired codes via clock skew, currency confusion, and combinations the UI prevents but the API does not. Always replay the final price calculation endpoint with edited values.
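A final-price endpoint that survives that replay recomputes everything from catalogue data and treats the client's own numbers as a claim to be checked. The following is an added example, not code from the original post or from BIPI; the catalogue, coupon table, currencies and dates are constructed for illustration. It rejects negative and non-integer quantities, a currency that does not match the catalogue, stacking of an exclusive code, the same code applied twice, codes expired on the server's clock, negative or over-100% discount rows, and a client-supplied total that disagrees with the server's.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional

# Constructed catalogue and coupon table; a real service loads both from its database.
CATALOG: Dict[str, Dict[str, object]] = {
    "sku-1": {"price": Decimal("40.00"), "currency": "INR"},
    "sku-2": {"price": Decimal("15.50"), "currency": "INR"},
}


@dataclass(frozen=True)
class Coupon:
    code: str
    kind: str          # "percent" or "fixed"
    value: Decimal
    expires: date
    exclusive: bool    # must not be combined with any other code


COUPONS: Dict[str, Coupon] = {
    "SAVE10": Coupon("SAVE10", "percent", Decimal("10"), date(2025, 1, 31), exclusive=False),
    "FLAT5":  Coupon("FLAT5", "fixed", Decimal("5.00"), date(2025, 1, 31), exclusive=False),
    "VIP50":  Coupon("VIP50", "percent", Decimal("50"), date(2025, 1, 31), exclusive=True),
    "OLD20":  Coupon("OLD20", "percent", Decimal("20"), date(2024, 1, 1), exclusive=False),
}


class PricingError(ValueError):
    pass


def quote(items: List[Dict[str, object]], codes: List[str], client_total: Optional[str],
          client_currency: str, today: date) -> Decimal:
    """Recompute the total from catalogue data. The client's total is compared, never used."""
    subtotal = Decimal("0")
    currency: Optional[str] = None
    for item in items:
        qty = item["qty"]
        # bool is an int subclass in Python, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise PricingError(f"invalid quantity {qty!r} for {item['sku']!r}")
        entry = CATALOG.get(str(item["sku"]))
        if entry is None:
            raise PricingError(f"unknown sku {item['sku']!r}")
        if currency is None:
            currency = str(entry["currency"])
        elif entry["currency"] != currency:
            raise PricingError("cart mixes currencies")
        subtotal += entry["price"] * qty  # type: ignore[operator]
    if not items or client_currency != currency:
        raise PricingError(f"currency {client_currency!r} does not match catalogue pricing")

    # Resolve coupons with the server clock and the server's own exclusivity flags.
    if len(set(codes)) != len(codes):
        raise PricingError("same code submitted more than once")
    coupons: List[Coupon] = []
    for code in codes:
        coupon = COUPONS.get(code)
        if coupon is None:
            raise PricingError(f"unknown code {code!r}")
        if coupon.expires < today:
            raise PricingError(f"code {code!r} expired on {coupon.expires}")
        coupons.append(coupon)
    if len(coupons) > 1 and any(c.exclusive for c in coupons):
        raise PricingError("exclusive code cannot be stacked")

    discount = Decimal("0")
    for coupon in coupons:
        # Defence in depth: a negative or >100% coupon row is a data bug, not a discount.
        if coupon.value <= 0 or (coupon.kind == "percent" and coupon.value > 100):
            raise PricingError(f"code {coupon.code!r} has an invalid value")
        discount += subtotal * coupon.value / 100 if coupon.kind == "percent" else coupon.value
    total = max(subtotal - discount, Decimal("0")).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

    if client_total is not None and Decimal(client_total) != total:
        # Disagreement means a tampered or stale client; reject rather than "fix up" silently.
        raise PricingError(f"client total {client_total} != server total {total}")
    return total


def try_quote(items: List[Dict[str, object]], codes: List[str], client_total: Optional[str],
              client_currency: str, today_iso: str) -> str:
    """Wrapper returning the total as text, or 'REJECTED: <reason>'."""
    try:
        return str(quote(items, codes, client_total, client_currency, date.fromisoformat(today_iso)))
    except (ArithmeticError, ValueError) as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    cart = [{"sku": "sku-1", "qty": 2}, {"sku": "sku-2", "qty": 1}]
    print(try_quote(cart, ["SAVE10", "FLAT5"], "80.95", "INR", "2024-11-21"))
    print(try_quote(cart, ["VIP50", "SAVE10"], None, "INR", "2024-11-21"))
```

Rejecting a mismatched client total, rather than quietly substituting the server's figure, is deliberate: the mismatch is the detection signal for exactly the replay this section describes, and it belongs in a log with the session identity attached.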
Identity and Permission Bugs
- Replace user IDs in JSON bodies with admin IDs
- Set role fields the UI hides but the API accepts
- Combine two valid permissions to reach a third the system never intended
- Use legacy API versions that predate the current authz checks
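The common fix for all four items, and for the trust-boundary parameters discussed earlier, is a single authorization choke point that takes identity and roles from the session rather than the request, applies resource-level rules in the same place, and is the only path every API version dispatches through. The following is an added example, not code from the original post or from BIPI; the expense-approval domain, permission names and routes are constructed for illustration. It shows a hidden `role` field and a body-supplied `user_id` being ignored, submit-plus-approve failing to add up to self-approval, and a `/v1` route that cannot predate the check because it is the same handler.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Set

# Constructed role -> permission table. Handlers ask only about permissions; roles are
# loaded from the session store, never from a request body or an unverified token claim.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"expense:submit", "profile:update"},
    "approver": {"expense:approve", "profile:update"},
    "admin":    {"user:set_role"},
}

# Fields a caller may write on its own profile. Everything else in the body is dropped,
# which is what makes a hidden "role" field inert.
PROFILE_WRITABLE = {"display_name", "phone"}


class Forbidden(Exception):
    pass


@dataclass
class Principal:
    user_id: str
    roles: Set[str]


@dataclass
class Expense:
    expense_id: str
    submitter: str
    amount_cents: int
    state: str = "submitted"
    approved_by: str = ""


@dataclass
class Profile:
    user_id: str
    display_name: str = ""
    phone: str = ""
    role: str = "employee"


def authorize(principal: Principal, permission: str, resource: Any = None) -> None:
    """The one place authorization is decided; every endpoint and API version calls it."""
    granted: Set[str] = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in principal.roles))
    if permission not in granted:
        raise Forbidden(f"{principal.user_id} lacks {permission}")
    # Resource-level rules live here too, so no handler can forget them.
    if permission == "profile:update" and resource.user_id != principal.user_id:
        raise Forbidden("profile belongs to another user")
    # Separation of duties: submit + approve must not add up to approving your own claim.
    if permission == "expense:approve" and resource.submitter == principal.user_id:
        raise Forbidden("cannot approve own expense")


def approve_expense(principal: Principal, expense: Expense) -> Expense:
    authorize(principal, "expense:approve", expense)
    if expense.state != "submitted":
        raise ValueError("only submitted expenses can be approved")
    expense.state = "approved"
    expense.approved_by = principal.user_id
    return expense


def update_profile(principal: Principal, profile: Profile, body: Dict[str, Any]) -> Profile:
    # The target row is resolved from the session identity; a user_id in the body is ignored.
    authorize(principal, "profile:update", profile)
    for key, value in body.items():
        if key in PROFILE_WRITABLE:
            setattr(profile, key, str(value))
    return profile


# Old and new routes dispatch to the same guarded handlers, so there is no "legacy version"
# that predates the authorization layer.
ROUTES: Dict[str, Callable[..., Any]] = {
    "/v1/profile": update_profile,
    "/v2/profile": update_profile,
    "/v2/expenses/approve": approve_expense,
}


def attempt(handler: Callable[..., Any], *args: Any) -> str:
    """Turns a handler call into 'ok' or 'REJECTED: <reason>' for easy inspection."""
    try:
        handler(*args)
        return "ok"
    except (Forbidden, ValueError) as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    alice = Principal("alice", {"employee", "approver"})
    claim = Expense("e1", submitter="alice", amount_cents=5000)
    print(attempt(ROUTES["/v2/expenses/approve"], alice, claim))   # separation of duties
    prof = Profile("alice")
    print(attempt(ROUTES["/v1/profile"], alice, prof, {"display_name": "A", "role": "admin"}), prof.role)
```

Centralizing the rules has an audit benefit beyond correctness: a reviewer checking "which endpoints can reach this permission" reads one function and one route table instead of grepping every handler for its own half-remembered checks.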
Remediation Principles
- Authoritative server-side state machine; never trust client-supplied step indicators
- Idempotency keys and database constraints on all state changes
- Recalculate price, tax, and totals server-side at the final step
- Centralize authorization in one library used across all endpoints
- Threat model every new workflow before shipping, not after