Business Logic Errors
Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. There are various cases where these errors can result in enormous business losses.
Apart from IDOR, there are many other types of Business Logic Errors; finding them takes trial and error to work out what the business logic error actually is.
Examples
- Business Logic Flaw - A non-premium user can change/update retailers to get cashback on all the retailers associated with Curve: intercept the response using Burp, and then the whole page can be seen.
- Account recovery text message is sending a wrong domain to users
- Rounding errors on rewarding a bounty leads to bypassing the 20% H1 commission fee
- IDOR in sending support email upon verifying user business domain - modify the email and phoneNumber parameters. This will send an email to a target user and lets you add a malicious link in the email.
- Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance: when requesting a ride, it was possible to intercept the request and forward it with 3 random characters at the end of the paymentProfileUuid parameter. This would cause the ride to disappear from both the Rider and Driver’s trip history, the Rider would not be charged, and the Driver would not receive payment for the trip.
- Potential to abuse pricing errors in saved carts
- Abusing “Report as abuse” functionality to delete any user’s post.
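The rounding-error bullet above (bypassing the 20% commission fee) is a good illustration of why a fee must not be computed and rounded independently per transaction. The following is an added example, not code from the page or from HackerOne; the exact mechanism of the original report is not described on the page, so the splitting scenario is an assumption used to show the class of bug. It contrasts a per-payout fee (rounded to the nearest cent each time, so many tiny payouts each pay zero fee) with a ledger that derives the fee from the cumulative amount, which makes the total fee independent of how a payout is split.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_FLOOR
from typing import Iterable

# 20 % platform commission, as stated in the bullet on the page.
COMMISSION_RATE = Decimal("0.20")
ONE_CENT = Decimal("1")


def per_payout_fee(amount_cents: int) -> int:
    """Naive computation: fee rounded to the nearest cent for each payout on its own.

    A 2-cent payout owes 0.40 cents of fee, which rounds to 0, so a reward split
    into many tiny payouts pays no commission at all (assumed bug mechanism).
    """
    fee = Decimal(amount_cents) * COMMISSION_RATE
    return int(fee.quantize(ONE_CENT, rounding=ROUND_HALF_EVEN))


class CommissionLedger:
    """Hardened computation: the fee owed is a function of the cumulative total.

    For every payout we recompute floor(cumulative * rate) and charge only the
    difference to what has already been collected, so fractions of a cent carry
    over instead of being discarded. Splitting a payout no longer changes the
    total fee collected.
    """

    def __init__(self) -> None:
        self.cumulative_cents = 0
        self.fee_collected_cents = 0

    def record_payout(self, amount_cents: int) -> int:
        if amount_cents <= 0:
            raise ValueError("payout amount must be a positive number of cents")
        self.cumulative_cents += amount_cents
        target = (Decimal(self.cumulative_cents) * COMMISSION_RATE).quantize(
            ONE_CENT, rounding=ROUND_FLOOR
        )
        fee_now = int(target) - self.fee_collected_cents
        self.fee_collected_cents += fee_now
        return fee_now


def naive_total_fee(payouts: Iterable[int]) -> int:
    """Total commission collected by the per-payout method."""
    return sum(per_payout_fee(p) for p in payouts)


def ledger_total_fee(payouts: Iterable[int]) -> int:
    """Total commission collected by the cumulative ledger."""
    ledger = CommissionLedger()
    for p in payouts:
        ledger.record_payout(p)
    return ledger.fee_collected_cents


if __name__ == "__main__":
    # Constructed scenario: a $10.00 reward paid as 500 payouts of 2 cents each.
    split = [2] * 500
    print("naive fee on split payout :", naive_total_fee(split))    # 0
    print("ledger fee on split payout:", ledger_total_fee(split))   # 200
    print("fee on one $10.00 payout  :", per_payout_fee(1000))      # 200
```

The ledger approach is the minimal fix; a platform would normally also enforce a minimum payout size and alert when the effective fee rate over a reporter's recent payouts drops well below the nominal rate, since that pattern is exactly what splitting produces.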
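The paymentProfileUuid bullet above shows what happens when a server accepts a client-supplied identifier without checking that it is well formed and belongs to the authenticated user. The following added example (not code from the page or from the affected company) contrasts a handler that stores whatever value the client sent with one that rejects a malformed UUID and any profile the rider does not own. The `Rider` type, the handler names and the sample UUIDs are assumptions constructed for this illustration.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, Set


class PaymentProfileError(Exception):
    """Raised when the ride request names a payment profile that cannot be billed."""


@dataclass
class Rider:
    """Hypothetical authenticated rider with the payment profiles they own."""
    rider_id: str
    payment_profile_ids: Set[str] = field(default_factory=set)


def request_ride_naive(rider: Rider, payment_profile_uuid: str) -> Dict[str, object]:
    # Vulnerable pattern: the identifier is stored as received. A tampered value
    # (e.g. three extra characters) matches no profile, so the trip is created
    # but can never be billed, which mirrors the behaviour described on the page.
    return {
        "rider": rider.rider_id,
        "payment_profile": payment_profile_uuid,
        "billable": payment_profile_uuid in rider.payment_profile_ids,
    }


def request_ride_hardened(rider: Rider, payment_profile_uuid: str) -> Dict[str, object]:
    # 1. The value must parse as a UUID; extra or missing characters are rejected.
    try:
        canonical = str(uuid.UUID(payment_profile_uuid))
    except ValueError as exc:
        raise PaymentProfileError("malformed paymentProfileUuid") from exc
    # 2. The profile must belong to the authenticated rider, not merely exist.
    if canonical not in rider.payment_profile_ids:
        raise PaymentProfileError("paymentProfileUuid not owned by rider")
    # Only now is a billable trip created, keyed on the canonical identifier.
    return {"rider": rider.rider_id, "payment_profile": canonical, "billable": True}


if __name__ == "__main__":
    # Constructed sample data.
    own = "123e4567-e89b-12d3-a456-426614174000"
    rider = Rider(rider_id="rider-1", payment_profile_ids={own})
    tampered = own + "abc"
    print(request_ride_naive(rider, tampered))        # billable: False, yet accepted
    try:
        request_ride_hardened(rider, tampered)
    except PaymentProfileError as e:
        print("rejected:", e)                         # malformed paymentProfileUuid
    print(request_ride_hardened(rider, own))          # billable: True
```

The ownership check is the part that matters for IDOR-style variants too: validating the format alone would still let a well-formed UUID belonging to another rider through.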