Portswigger Academy Business logic vulnerabilities Labs

Introduction

What?

Business (application) logic flaws are often the most critical in terms of consequences, as they are deeply tied into the company’s process.

Why?

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behaviour. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.

How?

• Application logic errors and broken access control vulnerabilities

• Excessive trust in client-side controls

• High-level logic vulnerability

• Inconsistent security controls

• Flawed enforcement of business rules

• Low-level logic flaw

• Inconsistent handling of exceptional input

• Weak isolation on dual-use endpoint

• Insufficient workflow validation

• Authentication bypass via flawed state machine

• Infinite money logic flaw

• Authentication bypass via encryption oracle