Business Logic Vulnerabilities
Excessive trust in client-side controls
Here the developer assumes that users will interact with the application only through the web interface, so inputs are validated on the client side only.
Context examples:
shopping baskets in online shops
2FA (two-factor authentication)
Failing to handle unconventional input
Context examples:
negative quantities in the shopping cart
null-value input to break the item limit
over-long input that the server truncates to fit a fixed-length variable ("input overload")
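The two sections above (trusting client-side controls, and unconventional input) come down to the same server-side rule: the server re-derives anything that matters and rejects anything it cannot make sense of. The following is an added example, not code from the original notes: a basket handler that ignores any client-supplied price, refuses negative, non-integer or over-limit quantities, rejects null bytes and over-long identifiers instead of truncating them, and fails when the total would overflow the storage type. The catalog, limits and request shape are constructed for illustration.

```python
# Added example (not from the original notes): server-side basket pricing that
# does not trust the client and rejects unconventional input instead of coercing it.
from __future__ import annotations

from dataclasses import dataclass

# Constructed catalog: prices in integer cents, the only source of truth for prices.
CATALOG = {
    "jacket": 133_700,
    "socks": 499,
    "yacht": 99_999_999,
}

MAX_QTY_PER_ITEM = 99           # assumed business limit per line
MAX_ITEMS_PER_BASKET = 20       # assumed business limit on distinct lines
MAX_TOTAL_CENTS = 2**31 - 1     # assumed 32-bit integer column: never let it wrap
MAX_FIELD_LEN = 255             # assumed column width: over-long input is rejected, never truncated


class BasketError(ValueError):
    """Raised for any request the server refuses to price."""


@dataclass(frozen=True)
class Line:
    product_id: str
    quantity: int
    unit_price_cents: int


def parse_quantity(raw) -> int:
    # Accept only a genuine positive integer: no bool, float, None or numeric string.
    if isinstance(raw, bool) or not isinstance(raw, int):
        raise BasketError(f"quantity must be an integer, got {raw!r}")
    if raw < 1 or raw > MAX_QTY_PER_ITEM:
        raise BasketError(f"quantity {raw} out of range 1..{MAX_QTY_PER_ITEM}")
    return raw


def parse_product_id(raw) -> str:
    if not isinstance(raw, str) or raw == "":
        raise BasketError("product id missing")
    if "\x00" in raw:
        raise BasketError("product id contains a null byte")
    if len(raw) > MAX_FIELD_LEN:
        # Reject rather than truncate: a truncated value may validate as something else.
        raise BasketError("product id too long")
    return raw


def price_basket(request: dict) -> tuple[list[Line], int]:
    """Return (priced lines, total in cents) or raise BasketError.

    `request` mirrors a JSON body such as {"items": [{"id": "jacket", "qty": 1}]}.
    A client-supplied "price" key is never read; only the catalog decides the price.
    """
    items = request.get("items")
    if not isinstance(items, list) or not items:
        raise BasketError("items must be a non-empty list")
    if len(items) > MAX_ITEMS_PER_BASKET:
        raise BasketError("too many lines in basket")

    lines: list[Line] = []
    total = 0
    for item in items:
        if not isinstance(item, dict):
            raise BasketError("malformed line")
        pid = parse_product_id(item.get("id"))
        qty = parse_quantity(item.get("qty"))
        if pid not in CATALOG:
            raise BasketError(f"unknown product {pid!r}")
        unit = CATALOG[pid]
        total += unit * qty
        if total > MAX_TOTAL_CENTS:
            # A total that would overflow the storage type is an error, not a wrap-around.
            raise BasketError("basket total exceeds the supported maximum")
        lines.append(Line(pid, qty, unit))
    return lines, total


def rejects(fn, *args) -> bool:
    """True if the handler refuses the request (used to exercise the checks)."""
    try:
        fn(*args)
    except BasketError:
        return True
    return False


if __name__ == "__main__":
    # A client-supplied price of 1 cent is ignored; the catalog price wins.
    print(price_basket({"items": [{"id": "jacket", "qty": 1, "price": 1}]}))
```

Note that the quantity check refuses `True`, `"1"` and `1.0` as well as `-1`: the point is to accept exactly the value space the business logic was designed for, not everything the language happens to coerce.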
Making flawed assumptions about user behavior
Context examples:
updating a normal email address to one on the corporate domain without validation
Users won't always supply mandatory input
Context examples:
removing the current-password field when changing the password
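Both of the preceding sections (flawed assumptions about user behaviour, and missing mandatory input) are fixed at the same place: the account-settings handler. The following is an added example, not code from the original notes. It treats an absent or blank current-password field as a failed check rather than a skipped one, and it never derives a role from an email address until that address has been verified through a token sent out of band. The user store, password hashing wrapper, token format and corporate domain are constructed for illustration.

```python
# Added example (not from the original notes): account settings where a missing
# mandatory field fails the check, and an unverified email confers no privilege.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

CORPORATE_DOMAIN = "example-corp.test"   # assumed: addresses on this domain get the admin role


def hash_password(pw: str, salt: bytes | None = None) -> str:
    # Illustrative PBKDF2 wrapper; a real service would use a vetted password library.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class User:
    username: str
    password_hash: str
    email: str                         # verified address only
    pending_email: str | None = None   # requested but not yet confirmed
    pending_token: str | None = None

    @property
    def role(self) -> str:
        # Role is derived from the *verified* email only, never from a pending one.
        return "admin" if self.email.endswith("@" + CORPORATE_DOMAIN) else "user"


class SettingsError(ValueError):
    pass


def change_password(user: User, form: dict) -> None:
    # The field is mandatory: absence or a blank value is a failed check, not a bypass.
    current = form.get("current_password")
    new = form.get("new_password")
    if not isinstance(current, str) or current == "":
        raise SettingsError("current password is required")
    if not isinstance(new, str) or len(new) < 12:
        raise SettingsError("new password must be at least 12 characters")
    if not verify_password(current, user.password_hash):
        raise SettingsError("current password is incorrect")
    user.password_hash = hash_password(new)


def request_email_change(user: User, form: dict) -> str:
    """Record a pending address and return the verification token (delivered out of band)."""
    new_email = form.get("email")
    if not isinstance(new_email, str) or new_email.count("@") != 1:
        raise SettingsError("invalid email")
    if len(new_email) > 255:
        raise SettingsError("email too long")   # reject, never truncate
    user.pending_email = new_email
    user.pending_token = secrets.token_urlsafe(32)
    return user.pending_token


def confirm_email_change(user: User, token: str) -> bool:
    # Only a valid token for the pending address promotes it to the verified email.
    if user.pending_email is None or user.pending_token is None:
        return False
    if not hmac.compare_digest(token, user.pending_token):
        return False
    user.email = user.pending_email
    user.pending_email = user.pending_token = None
    return True


def rejects(fn, *args) -> bool:
    """True if the handler refuses the request (used to exercise the checks)."""
    try:
        fn(*args)
    except SettingsError:
        return True
    return False
```

The two behaviours a practitioner should check for are visible in the tests: dropping `current_password` from the form yields a rejection rather than a silent password change, and changing the email to the corporate domain leaves `role` at `user` until the token is confirmed.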
Users won't always follow the intended sequence
/cart/order-confirmation?order-confirmation=true
if we add items after this transaction and resend the request, it may be accepted
drop the user-role parameter from the request, and the developer sets it to admin by default
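The defence against both cases above is to keep the state of the flow on the server and to default to the least privilege. The following is an added example, not code from the original notes: a checkout whose confirmation step is gated by the recorded order state and by a snapshot of what was actually paid for, so a query flag like `order-confirmation=true` proves nothing, plus a registration handler that assigns the role itself and rejects a request that tries to supply one. The order ids, prices, state names and form fields are constructed for illustration.

```python
# Added example (not from the original notes): a server-side checkout state machine
# and a registration handler whose role is never taken from the client.
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum

PRICES = {"jacket": 133_700, "socks": 499}   # constructed catalog, cents


class State(Enum):
    CART = "cart"
    PAID = "paid"
    CONFIRMED = "confirmed"


class FlowError(RuntimeError):
    pass


@dataclass
class Order:
    order_id: str
    state: State = State.CART
    items: dict[str, int] = field(default_factory=dict)
    paid_total: int | None = None
    paid_snapshot: str | None = None   # hash of the items that were actually paid for

    def total(self) -> int:
        return sum(PRICES[p] * q for p, q in self.items.items())

    def snapshot(self) -> str:
        canonical = ",".join(f"{p}:{q}" for p, q in sorted(self.items.items()))
        return hashlib.sha256(canonical.encode()).hexdigest()


def add_item(order: Order, product: str, qty: int = 1) -> None:
    # The cart is mutable only before payment; later additions need a new order.
    if order.state is not State.CART:
        raise FlowError(f"cannot modify order in state {order.state.value}")
    if product not in PRICES or qty < 1:
        raise FlowError("invalid item")
    order.items[product] = order.items.get(product, 0) + qty


def pay(order: Order, amount_cents: int) -> None:
    if order.state is not State.CART:
        raise FlowError("order is not awaiting payment")
    if not order.items or amount_cents != order.total():
        raise FlowError("payment does not match basket total")
    order.paid_total = amount_cents
    order.paid_snapshot = order.snapshot()
    order.state = State.PAID


def confirm(order: Order) -> dict:
    # The equivalent of /cart/order-confirmation: recorded state decides, not a query flag.
    if order.state is not State.PAID:
        raise FlowError("order has not been paid")
    if order.snapshot() != order.paid_snapshot:
        # Defence in depth against any other code path that changed the items after payment.
        raise FlowError("basket changed after payment")
    order.state = State.CONFIRMED
    return {"order_id": order.order_id, "total": order.paid_total, "items": dict(order.items)}


ALLOWED_REGISTRATION_FIELDS = {"username", "email", "password"}


def register(form: dict) -> dict:
    # Whatever the client sends (or omits), the role is assigned server-side.
    unknown = set(form) - ALLOWED_REGISTRATION_FIELDS
    if unknown:
        raise FlowError(f"unexpected fields: {sorted(unknown)}")
    for key in sorted(ALLOWED_REGISTRATION_FIELDS):
        if not isinstance(form.get(key), str) or not form[key]:
            raise FlowError(f"{key} is required")
    return {"username": form["username"], "email": form["email"], "role": "user"}


def rejects(fn, *args) -> bool:
    """True if the handler refuses the request (used to exercise the checks)."""
    try:
        fn(*args)
    except FlowError:
        return True
    return False
```

The snapshot check looks redundant next to the frozen-cart rule in `add_item`, and that is intentional: the confirmation step does not rely on every other endpoint having enforced the state correctly, it re-checks what it is about to confirm.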
Domain-specific flaws
using a coupon more than once by alternating between two coupons
buying an unlimited number of gift cards by repeating the process with Burp macros
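Both domain-specific flaws above are failures of idempotency: the coupon check only compares against the previous code, and the gift-card redemption can be repeated. The following is an added example, not code from the original notes. It records the full set of coupons applied to an order so alternating two codes cannot re-apply either, refuses discounts on stored-value products (an assumed business rule, since a discounted card redeemed at face value creates money from nothing), and makes redemption a single atomic check-and-mark under a lock so concurrent replays of the same request succeed exactly once. Codes, values and the in-memory stores are constructed for illustration.

```python
# Added example (not from the original notes): idempotent coupon application and
# atomic single-use gift-card redemption.
from __future__ import annotations

import threading
from dataclasses import dataclass, field

COUPONS = {"NEWCUST5": 500, "SIGNUP30": 3000}   # constructed: fixed discounts in cents


class RedemptionError(ValueError):
    pass


@dataclass
class Order:
    subtotal_cents: int
    contains_gift_card: bool = False
    applied_coupons: set[str] = field(default_factory=set)   # whole history, not just the last code

    def total(self) -> int:
        discount = sum(COUPONS[c] for c in self.applied_coupons)
        return max(self.subtotal_cents - discount, 0)


def apply_coupon(order: Order, code: str) -> int:
    """Apply a coupon at most once per order and return the new total."""
    if code not in COUPONS:
        raise RedemptionError("unknown coupon")
    if order.contains_gift_card:
        # Assumed business rule: stored-value products are never discounted.
        raise RedemptionError("coupons cannot be applied to gift cards")
    if code in order.applied_coupons:
        # Comparing against only the *previous* code is the flaw; a set closes it.
        raise RedemptionError("coupon already applied to this order")
    order.applied_coupons.add(code)
    return order.total()


@dataclass
class GiftCard:
    code: str
    value_cents: int
    redeemed: bool = False


@dataclass
class Account:
    balance_cents: int = 0


class GiftCardStore:
    """Single-use redemption guarded by a lock so concurrent replays cannot both succeed."""

    def __init__(self, cards: list[GiftCard]):
        self._cards = {c.code: c for c in cards}
        self._lock = threading.Lock()

    def redeem(self, code: str, account: Account) -> int:
        with self._lock:                     # check-and-mark is one atomic step
            card = self._cards.get(code)
            if card is None:
                raise RedemptionError("unknown gift card")
            if card.redeemed:
                raise RedemptionError("gift card already redeemed")
            card.redeemed = True
            account.balance_cents += card.value_cents
            return account.balance_cents


def replay_redemptions(store: GiftCardStore, code: str, attempts: int) -> tuple[int, int]:
    """Fire `attempts` concurrent redemptions of one code; return (successes, balance)."""
    account = Account()
    successes = [0]
    count_lock = threading.Lock()

    def worker() -> None:
        try:
            store.redeem(code, account)
        except RedemptionError:
            return
        with count_lock:
            successes[0] += 1

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return successes[0], account.balance_cents


def rejects(fn, *args) -> bool:
    """True if the handler refuses the request (used to exercise the checks)."""
    try:
        fn(*args)
    except RedemptionError:
        return True
    return False
```

`replay_redemptions` stands in for a macro that re-sends the redemption request many times in parallel; with the lock in place the balance rises by the card's value once, however many attempts are made. In a real deployment the same property comes from a database transaction that updates the card row only where `redeemed` is still false.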