Testing for Business Logic Vulnerabilities

业务逻辑漏洞测试

When to Use

使用场景

During authorized penetration tests when automated scanners have found few technical vulnerabilities
When assessing e-commerce platforms for pricing, cart, and payment flow manipulations
For testing multi-step workflows (registration, checkout, approval processes) for bypass opportunities
When evaluating rate-limited features like vouchers, coupons, referrals, and rewards systems
During security assessments of financial applications, voting systems, or any application with critical business rules

当自动化扫描器检测到极少技术漏洞时，在授权渗透测试中使用
评估电商平台的定价、购物车和支付流程操纵风险时
测试多步骤工作流（注册、结账、审批流程）是否存在绕过机会时
评估优惠券、代金券、推荐和奖励系统等有限制的功能时
对金融应用、投票系统或任何包含关键业务规则的应用进行安全评估时

Prerequisites

前提条件

Authorization: Written penetration testing agreement covering business logic testing
Burp Suite Professional: For intercepting and modifying multi-step request flows
Application understanding: Thorough knowledge of the application's intended business workflows
Multiple test accounts: Accounts at different privilege levels and states
Browser DevTools: For examining client-side validation logic
Documentation: Business requirements or user stories describing expected behavior

授权: 涵盖业务逻辑测试的书面渗透测试协议
Burp Suite Professional: 用于拦截和修改多步骤请求流
应用理解: 深入了解应用的预期业务工作流
多个测试账户: 不同权限级别和状态的账户
浏览器开发者工具: 用于检查客户端验证逻辑
文档: 描述预期行为的业务需求或用户故事

Workflow

工作流程

Step 1: Map Business Workflows and Rules

步骤1：绘制业务工作流和规则

Document all critical business processes and their expected constraints.

undefined

记录所有关键业务流程及其预期约束。

undefined

Critical business flows to map:

1. Registration/Onboarding flow

- Email verification requirements

- Account approval process

- Role assignment logic

2. E-commerce/Purchase flow

- Product selection → Cart → Checkout → Payment → Confirmation

- Price calculation logic

- Discount/coupon application

- Quantity limits

- Shipping cost calculation

3. Authentication/Authorization flow

- Login → MFA → Dashboard

- Password reset → Token → New password

- Role escalation/approval

4. Financial transactions

- Balance check → Transfer → Confirmation

- Withdrawal limits

- Currency conversion

Document expected constraints:

- Minimum order amounts

- Maximum quantity per item

- Coupon usage limits (one per user)

- Referral reward caps

- Withdrawal daily limits

- Account verification requirements before certain actions

undefined

undefined

Step 2: Test Price and Quantity Manipulation

步骤2：测试价格和数量操纵

Intercept and modify price, quantity, and total values in requests.

bash

undefined

拦截并修改请求中的价格、数量和总金额值。

bash

undefined

Test negative quantity

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"product_id": 1, "quantity": -1, "price": 99.99}'
"https://target.example.com/api/cart/add"

Test zero price

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"product_id": 1, "quantity": 1, "price": 0}'
"https://target.example.com/api/cart/add"

Test extremely large quantity

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"product_id": 1, "quantity": 999999999}'
"https://target.example.com/api/cart/add"

Test decimal/float manipulation

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"product_id": 1, "quantity": 0.001, "price": 0.01}'
"https://target.example.com/api/cart/add"

Test integer overflow

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"product_id": 1, "quantity": 2147483647}'
"https://target.example.com/api/cart/add"

Modify total amount directly in checkout request

Intercept in Burp and change total from 299.99 to 0.01

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"cart_id": "abc123", "total": 0.01, "payment_method": "card"}'
"https://target.example.com/api/checkout"

undefined

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"cart_id": "abc123", "total": 0.01, "payment_method": "card"}'
"https://target.example.com/api/checkout"

undefined

Step 3: Test Workflow Step Bypass

步骤3：测试工作流步骤绕过

Attempt to skip required steps in multi-step processes.

bash

undefined

尝试跳过多步骤流程中的必填步骤。

bash

undefined

Skip email verification

Instead of: Register → Verify email → Access dashboard

Try: Register → Access dashboard directly

curl -s -H "Authorization: Bearer $UNVERIFIED_TOKEN"
"https://target.example.com/api/dashboard"

Skip payment step

Instead of: Cart → Shipping → Payment → Confirmation

Try: Cart → Confirmation (skip payment)

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"cart_id": "abc123", "shipping_address": "123 Main St"}'
"https://target.example.com/api/orders/confirm"

Skip MFA step

Instead of: Login → MFA → Dashboard

Try: Login → Dashboard (skip MFA)

After successful password auth, directly access protected resources

Skip approval process

Instead of: Submit request → Manager approval → Access granted

Try: Submit request → Access granted (skip approval)

Repeat a step that should be one-time

Apply same coupon code multiple times

for i in $(seq 1 5); do curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"coupon_code": "DISCOUNT50"}'
"https://target.example.com/api/cart/apply-coupon" echo "Attempt $i" done

undefined

for i in $(seq 1 5); do curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"coupon_code": "DISCOUNT50"}'
"https://target.example.com/api/cart/apply-coupon" echo "Attempt $i" done

undefined

Step 4: Test Race Conditions in Business Logic

步骤4：测试业务逻辑中的竞争条件

Exploit timing windows in concurrent request processing.

bash

undefined

利用并发请求处理中的时间窗口。

bash

undefined

Race condition on coupon application

Send multiple identical requests simultaneously

for i in $(seq 1 10); do curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"coupon_code": "ONETIME50"}'
"https://target.example.com/api/cart/apply-coupon" & done wait

Race condition on balance transfer

If user has $100, try to transfer $100 to two accounts simultaneously

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"to": "user_b", "amount": 100}'
"https://target.example.com/api/transfer" &

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"to": "user_c", "amount": 100}'
"https://target.example.com/api/transfer" & wait

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"to": "user_b", "amount": 100}'
"https://target.example.com/api/transfer" &

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"to": "user_c", "amount": 100}'
"https://target.example.com/api/transfer" & wait

Race condition on reward claiming

Using Burp Turbo Intruder for precise timing:

1. Send request to Turbo Intruder

2. Use race condition script template

3. Send 20+ requests simultaneously

4. Check if reward was claimed multiple times

undefined

undefined

Step 5: Test Referral and Reward System Abuse

步骤5：测试推荐和奖励系统滥用

Find ways to exploit promotional features and reward mechanisms.

bash

undefined

寻找利用促销功能和奖励机制的方法。

bash

undefined

Self-referral: refer your own email

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"referral_email": "myown@email.com"}'
"https://target.example.com/api/referrals/invite"

Referral code reuse across multiple accounts

Create multiple accounts and use same referral code

Coupon stacking: apply multiple discount codes

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
-H "Content-Type: application/json"
-d '{"coupon_codes": ["SAVE10", "WELCOME20", "VIP50"]}'
"https://target.example.com/api/cart/apply-coupons"

Abuse free trial: re-register with same details

Test if email+1@domain.com or email@domain.com bypass duplicate detection

Gift card / credit manipulation

Buy gift card with gift card balance (circular)

Apply gift card with value > purchase price (get change as credit)

Test reward point manipulation

Earn points on order → Cancel order → Keep points

curl -s -X POST
-H "Authorization: Bearer $TOKEN"
"https://target.example.com/api/orders/12345/cancel"

Check if reward points from order 12345 were revoked

undefined

undefined

Step 6: Test Role and Permission Logic

步骤6：测试角色和权限逻辑

Assess authorization logic for privilege escalation through business processes.

bash

undefined

评估通过业务流程进行权限提升的授权逻辑。

bash

undefined

Role escalation via registration parameter

curl -s -X POST
-H "Content-Type: application/json"
-d '{"email":"test@test.com","password":"Test1234!","role":"admin"}'
"https://target.example.com/api/auth/register"

Organization tenant boundary testing

User in Org A tries to access Org B resources via business workflows

curl -s -X POST
-H "Authorization: Bearer $TOKEN_ORG_A"
-H "Content-Type: application/json"
-d '{"org_id": "org_b_id", "action": "view_reports"}'
"https://target.example.com/api/reports"

Test for privilege retention after role downgrade

Admin → Regular user: can they still access admin functions?

Employee → Terminated: can they still access company resources?

Test invitation/delegation abuse

Invite user with higher privileges than inviter has

curl -s -X POST
-H "Authorization: Bearer $REGULAR_TOKEN"
-H "Content-Type: application/json"
-d '{"email":"new@test.com","role":"admin"}'
"https://target.example.com/api/users/invite"

undefined

curl -s -X POST
-H "Authorization: Bearer $REGULAR_TOKEN"
-H "Content-Type: application/json"
-d '{"email":"new@test.com","role":"admin"}'
"https://target.example.com/api/users/invite"

undefined

Key Concepts

核心概念

Concept	Description
Business Logic Flaw	A vulnerability in the application's workflow or rules that allows unintended actions
Price Manipulation	Modifying price, quantity, or total values in client-side requests
Workflow Bypass	Skipping required steps in a multi-step business process
Race Condition	Exploiting concurrent request processing to violate business constraints
Privilege Escalation	Gaining higher permissions through business process manipulation
Negative Testing	Testing with unexpected values (negative, zero, null, extreme)
State Manipulation	Changing application state in an order not intended by the business logic

概念	描述
Business Logic Flaw	应用工作流或规则中存在的漏洞，允许执行非预期操作
Price Manipulation	在客户端请求中修改价格、数量或总金额值
Workflow Bypass	跳过多步骤业务流程中的必填步骤
Race Condition	利用并发请求处理违反业务约束
Privilege Escalation	通过业务流程操纵获得更高权限
Negative Testing	使用非预期值（负数、零、空值、极值）进行测试
State Manipulation	以业务逻辑未预期的顺序更改应用状态

Tools & Systems

工具与系统

Tool	Purpose
Burp Suite Professional	Request interception, modification, and sequence testing
Burp Turbo Intruder	High-speed request sending for race condition testing
Burp Sequencer	Token randomness analysis for predictable reference testing
OWASP ZAP	Open-source alternative for proxy-based testing
Postman	Workflow testing with collection runners and environment variables
Custom scripts	Python/bash scripts for automated business logic testing

工具	用途
Burp Suite Professional	请求拦截、修改和序列测试
Burp Turbo Intruder	高速发送请求以测试竞争条件
Burp Sequencer	分析令牌随机性以进行可预测性测试
OWASP ZAP	基于代理测试的开源替代工具
Postman	使用集合运行器和环境变量进行工作流测试
自定义脚本	用于自动化业务逻辑测试的Python/bash脚本

Common Scenarios

常见场景

Scenario 1: Coupon Code Stacking

场景1：优惠券叠加使用

An e-commerce site allows applying multiple coupon codes. By stacking "WELCOME10", "SAVE20", and "VIP30", the total discount exceeds the product price, resulting in a negative balance or free order.

电商网站允许应用多个优惠券代码。通过叠加"WELCOME10"、"SAVE20"和"VIP30"，总折扣超过产品价格，导致余额为负或免费下单。

Scenario 2: Race Condition on Fund Transfer

场景2：资金转账中的竞争条件

A banking application checks balance before transfer but does not lock the account. Sending two simultaneous $1000 transfers from a $1000 balance results in both succeeding, creating money from nothing.

银行应用在转账前检查余额但未锁定账户。从1000美元余额同时发送两笔1000美元转账，结果两笔都成功，凭空产生资金。

Scenario 3: Checkout Price Override

场景3：结账价格篡改

The checkout flow sends the total amount in the POST body. Intercepting and changing the total from $499.99 to $0.01 results in a successful order at the manipulated price.

结账流程在POST请求体中发送总金额。拦截并将总金额从499.99美元修改为0.01美元，成功以篡改后的价格完成订单。

Scenario 4: Password Reset Token Reuse

场景4：密码重置令牌重复使用

The password reset flow generates a one-time token but does not invalidate it after use. The same token can be used repeatedly to reset the password.

密码重置流程生成一次性令牌但在使用后未失效。同一令牌可重复用于重置密码。

Output Format

输出格式

undefined

undefined

Business Logic Vulnerability Finding

Vulnerability: Price Manipulation in Checkout Flow Severity: Critical (CVSS 9.1) Location: POST /api/checkout -

total

parameter OWASP Category: A04:2021 - Insecure Design

Vulnerability: Price Manipulation in Checkout Flow Severity: Critical (CVSS 9.1) Location: POST /api/checkout -

total

parameter OWASP Category: A04:2021 - Insecure Design

Reproduction Steps

Add item to cart (price: $499.99)
Proceed to checkout
Intercept POST /api/checkout request in Burp
Modify "total" from 499.99 to 0.01
Forward the request; order completes at $0.01

Add item to cart (price: $499.99)
Proceed to checkout
Intercept POST /api/checkout request in Burp
Modify "total" from 499.99 to 0.01
Forward the request; order completes at $0.01

Business Rules Violated

Rule	Expected	Actual
Server-side price calculation	Total computed server-side	Client-submitted total accepted
Coupon single use	One coupon per order	Same coupon applied 5 times
Negative quantity check	Quantity >= 1	Quantity -1 accepted (credit issued)
Race condition on transfer	Balance checked atomically	Dual transfer exceeded balance

Rule	Expected	Actual
Server-side price calculation	Total computed server-side	Client-submitted total accepted
Coupon single use	One coupon per order	Same coupon applied 5 times
Negative quantity check	Quantity >= 1	Quantity -1 accepted (credit issued)
Race condition on transfer	Balance checked atomically	Dual transfer exceeded balance

Impact

Financial loss: orders processed at attacker-controlled prices
Inventory loss: products shipped for $0.01
Reward abuse: unlimited referral credits via self-referral
Double-spending via race condition on transfers

Financial loss: orders processed at attacker-controlled prices
Inventory loss: products shipped for $0.01
Reward abuse: unlimited referral credits via self-referral
Double-spending via race condition on transfers

Recommendation

Perform all price calculations server-side; never trust client-submitted totals
Implement server-side validation for quantity (positive integers only)
Use database-level locks or atomic transactions for financial operations
Implement idempotency keys to prevent duplicate transaction processing
Rate-limit and log coupon applications, referral submissions, and transfers

undefined

Perform all price calculations server-side; never trust client-submitted totals
Implement server-side validation for quantity (positive integers only)
Use database-level locks or atomic transactions for financial operations
Implement idempotency keys to prevent duplicate transaction processing
Rate-limit and log coupon applications, referral submissions, and transfers

undefined

testing-for-business-logic-vulnerabilities

Original

Translation

Testing for Business Logic Vulnerabilities

业务逻辑漏洞测试

When to Use

使用场景

Prerequisites

前提条件

Workflow

工作流程

Step 1: Map Business Workflows and Rules

步骤1：绘制业务工作流和规则

Critical business flows to map:

Critical business flows to map:

1. Registration/Onboarding flow

1. Registration/Onboarding flow

- Email verification requirements

- Email verification requirements

- Account approval process

- Account approval process

- Role assignment logic

- Role assignment logic

2. E-commerce/Purchase flow

2. E-commerce/Purchase flow

- Product selection → Cart → Checkout → Payment → Confirmation

- Product selection → Cart → Checkout → Payment → Confirmation

- Price calculation logic

- Price calculation logic

- Discount/coupon application

- Discount/coupon application

- Quantity limits

- Quantity limits

- Shipping cost calculation

- Shipping cost calculation

3. Authentication/Authorization flow

3. Authentication/Authorization flow

- Login → MFA → Dashboard

- Login → MFA → Dashboard

- Password reset → Token → New password

- Password reset → Token → New password

- Role escalation/approval

- Role escalation/approval

4. Financial transactions

4. Financial transactions

- Balance check → Transfer → Confirmation

- Balance check → Transfer → Confirmation

- Withdrawal limits

- Withdrawal limits

- Currency conversion

- Currency conversion

Document expected constraints:

Document expected constraints:

- Minimum order amounts

- Minimum order amounts

- Maximum quantity per item

- Maximum quantity per item

- Coupon usage limits (one per user)

- Coupon usage limits (one per user)

- Referral reward caps

- Referral reward caps

- Withdrawal daily limits

- Withdrawal daily limits

- Account verification requirements before certain actions

- Account verification requirements before certain actions

Step 2: Test Price and Quantity Manipulation

步骤2：测试价格和数量操纵

Test negative quantity

Test negative quantity

Test zero price

Test zero price

Test extremely large quantity

Test extremely large quantity

Test decimal/float manipulation

Test decimal/float manipulation

Test integer overflow

Test integer overflow

Modify total amount directly in checkout request

Modify total amount directly in checkout request

Intercept in Burp and change total from 299.99 to 0.01