Business Logic Abuse
Business logic vulnerabilities allow attackers to exploit flaws in application workflows — bypassing payment steps, applying discounts multiple times, or escalating privileges by manipulating parameters that the application trusts without verification.
What Is Business Logic Abuse?
Business logic vulnerabilities are flaws in the design or implementation of an application's workflows — not in the code syntax. Unlike SQL injection or XSS, these bugs cannot be detected by scanning for known payloads. They require understanding what the application is supposed to do and finding ways to make it do something it shouldn't.
AI-generated applications are especially prone to these bugs because AI tools focus on making features work, not on adversarial edge cases.
How It Works
Business logic flaws take many forms depending on the application:
Price Manipulation
```http
POST /api/checkout
{"items": [{"id": "prod_abc", "quantity": -1, "price": 99.99}]}
```

A negative quantity reduces the total — some apps apply this as a credit, resulting in the attacker receiving money or free items.
Workflow Step Bypass
An e-commerce checkout has three steps: cart → payment → confirmation. An attacker skips directly to:
```http
POST /api/orders/confirm
{"cart_id": "abc123"}
```

If the server doesn't verify that payment was completed, the order ships without charge.
Privilege Escalation via Parameter Tampering
```http
POST /api/profile/update
{"name": "Alice", "role": "admin", "plan": "enterprise"}
```

If the backend blindly accepts all fields from the request body, the user upgrades their own account.
Coupon / Promo Code Reuse
Racing concurrent requests to apply a single-use promo code before the server marks it as used — the code applies multiple times.
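The race described above, together with the atomic-update fix shown under "How to Fix", as an added example that is not part of the original page: the coupon table, the code `SAVE50` and the in-memory SQLite database are constructed for the demonstration, and a `Barrier` forces every request to pass the check before any of them writes, which is the interleaving the attacker is hoping for.

```python
import sqlite3
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed in-memory coupon table with one single-use code (assumption).
DB = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
DB_LOCK = threading.Lock()  # serialises single statements, not whole workflows
DB.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, used_by TEXT)")

def reset(code: str) -> None:
    with DB_LOCK:
        DB.execute("DELETE FROM coupons")
        DB.execute("INSERT INTO coupons VALUES (?, NULL)", (code,))

def claim_naive(code: str, user: str, barrier: threading.Barrier) -> bool:
    """Vulnerable check-then-set: SELECT and UPDATE are separate statements."""
    with DB_LOCK:
        row = DB.execute("SELECT used_by FROM coupons WHERE code = ?", (code,)).fetchone()
    unused = row is not None and row[0] is None
    barrier.wait()  # all requests pass the check before any of them writes
    if not unused:
        return False
    with DB_LOCK:
        DB.execute("UPDATE coupons SET used_by = ? WHERE code = ?", (user, code))
    return True

def claim_atomic(code: str, user: str, barrier: threading.Barrier) -> bool:
    """Fixed: one conditional UPDATE; the predicate is evaluated as part of the write."""
    barrier.wait()
    with DB_LOCK:
        cur = DB.execute(
            "UPDATE coupons SET used_by = ? WHERE code = ? AND used_by IS NULL",
            (user, code),
        )
    return cur.rowcount == 1  # exactly one caller sees a modified row

def race(claim, code: str = "SAVE50", n: int = 5) -> int:
    """Fire n concurrent claims for one code and return how many were accepted."""
    reset(code)
    barrier = threading.Barrier(n)
    with ThreadPoolExecutor(max_workers=n) as pool:
        accepted = list(pool.map(lambda i: claim(code, f"user{i}", barrier), range(n)))
    return sum(accepted)

if __name__ == "__main__":
    print("naive  :", race(claim_naive))   # 5: every request got the discount
    print("atomic :", race(claim_atomic))  # 1
```

The same pattern applies to any single-use resource (gift card redemption, one-time tokens): a uniqueness constraint or conditional write in the database is what makes the check and the claim inseparable.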
Real-World Impact
- Revenue loss — orders fulfilled without payment, discounts applied repeatedly
- Full account takeover — privilege escalation to admin
- Data access — bypassing subscription gates to access paid content
- Fraud — gift card balance doubling, loyalty point farming
How to Fix
Enforce workflow state server-side:
```python
from fastapi import HTTPException  # assumed framework; the snippet raises HTTPException

# Always verify the previous step completed before proceeding
def confirm_order(order_id: str, user_id: str):
    order = db.get_order(order_id)
    if order is None:
        raise HTTPException(404, "Order not found")
    # Workflow state lives server-side: refuse to confirm an unpaid order
    if order.status != "payment_confirmed":
        raise HTTPException(403, "Payment not completed")
    # Ownership check: the caller must own the order being confirmed
    if order.user_id != user_id:
        raise HTTPException(403, "Not your order")
    # proceed
```

Never trust client-supplied prices or roles:
```python
# Wrong — trusting client price
item_price = request.json["price"]

# Right — always look up price from database
item = db.get_product(request.json["product_id"])
item_price = item.price
```

Use atomic database operations for single-use resources:
```sql
-- Atomic coupon claim — fails if already used
UPDATE coupons SET used_by = $1, used_at = NOW()
WHERE code = $2 AND used_by IS NULL
RETURNING id;
```

Strip non-whitelisted fields from user input:
```python
ALLOWED_UPDATE_FIELDS = {"name", "email", "avatar_url"}
update_data = {k: v for k, v in request.json.items() if k in ALLOWED_UPDATE_FIELDS}
```

What VibeWShield Detects
VibeWShield's Business Logic Abuse module (Module 2) uses Claude AI to detect application-specific logic flaws:
- Context detection — identifies your app type (e-commerce, SaaS, fintech, etc.) from discovered endpoints and page content
- AI-planned test cases — Claude generates targeted test scenarios specific to your application's workflows
- HTTP test execution — tests price manipulation, workflow skipping, field injection, and parameter tampering
- AI result analysis — Claude reviews responses to identify actual logic flaws vs. expected behaviour
Findings are flagged as High or Critical depending on financial or access control impact.
VibeWShield automatically checks for Business Logic Abuse and 40+ other vulnerabilities using 63 scanners — in under 3 minutes, no signup required.