Business logic vulnerabilities

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behaviour. They potentially let attackers manipulate legitimate functionality to achieve a malicious goal.

Business (application) logic flaws are often the most critical in terms of consequences, as they are deeply tied into the company's processes.

These vulnerabilities exist in about a third of apps because they are often overlooked by automated scanners. Always test for them manually; automated tools miss the following classes:

- Excessive trust in client-side controls
- High-level logic vulnerability
- Inconsistent security controls
- Flawed enforcement of business rules
- Low-level logic flaw
- Inconsistent handling of exceptional input
- Weak isolation on dual-use endpoint
- Insufficient workflow validation
- Authentication bypass via flawed state machine
- Infinite money logic flaw
- Authentication bypass via encryption oracle
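
The following is an added illustration, not code from the original page or from any of the labs listed above. It shows a checkout handler written twice: a vulnerable version that exhibits "excessive trust in client-side controls" and "flawed enforcement of business rules" (it uses the client-supplied price and never checks the sign or range of the quantity), and a hardened version that re-derives every security-relevant value on the server before changing any state. The catalogue, prices, account balances and the `MAX_QTY_PER_LINE` rule are constructed sample data; `Account`, `checkout_vulnerable`, `checkout_hardened` and `OrderRejected` are names chosen for this example.

```python
"""
Added example (not from the original page): a checkout handler in a
vulnerable form and a hardened form. All product names, prices, balances
and business rules here are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed server-side catalogue: the only authoritative source of prices.
# Amounts are integer cents so totals never suffer float rounding.
CATALOGUE = {
    "jacket": 1337_00,
    "gift-card": 10_00,
}

MAX_QTY_PER_LINE = 99  # constructed business rule: at most 99 units per line


@dataclass
class Account:
    balance_cents: int


def checkout_vulnerable(account: Account, cart: list[dict]) -> int:
    """Trusts every field the client sends, including the price and the
    sign of the quantity. Returns the total charged in cents."""
    total = 0
    for line in cart:
        # Client-supplied price is used as-is (excessive trust in the client).
        total += line["price_cents"] * line["quantity"]
    if total > account.balance_cents:
        raise ValueError("insufficient funds")
    # No lower bound on `total`: a negative quantity turns the charge into a credit.
    account.balance_cents -= total
    return total


class OrderRejected(Exception):
    """Raised by the hardened handler when an order violates a business rule."""


def checkout_hardened(account: Account, cart: list[dict]) -> int:
    """Re-derives the price from the server-side catalogue, enforces the
    quantity rule, and refuses non-positive totals before any state changes.
    Returns the total charged in cents."""
    total = 0
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise OrderRejected(f"unknown sku {sku!r}")
        qty = line.get("quantity")
        # Accept only a real int in range; `bool` is an int subclass and is
        # excluded by the exact type check.
        if type(qty) is not int or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise OrderRejected(f"invalid quantity {qty!r} for {sku}")
        # Any "price_cents" field the client sent is ignored entirely.
        total += CATALOGUE[sku] * qty
    if total <= 0 or total > account.balance_cents:
        raise OrderRejected("order total out of range or insufficient funds")
    account.balance_cents -= total
    return total


if __name__ == "__main__":
    acct = Account(balance_cents=100_00)
    # The same malformed cart against both handlers: only the hardened one rejects it.
    bad_cart = [{"sku": "jacket", "price_cents": 1, "quantity": -1}]
    print("vulnerable charged:", checkout_vulnerable(acct, bad_cart))
    try:
        checkout_hardened(acct, bad_cart)
    except OrderRejected as exc:
        print("hardened rejected:", exc)
```

The design point is that the hardened handler treats the request as untrusted input and the server-side catalogue as the single source of truth; in code review, any arithmetic on a client-supplied amount, and any missing lower bound on a total, is a finding in this class.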
Last update: 2025-05-12 14:16