Module 7 · Business Logic Flaws

Manish Garg · Associate of (ISC)² · RingSafe
Apr 19, 2026
13 min read

Last updated: May 1, 2026

Race conditions, workflow manipulation, price/quantity attacks, coupon abuse, TOCTOU. The findings scanners cannot find. Pro module.
Web App Pentest Path · Hard · Pro · 120 min · Module 7 of 8

What you’ll learn

  • Why scanners cannot find business-logic flaws — and you can
  • Race conditions in financial operations — the technique that drains treasuries
  • Workflow manipulation — skipping steps, manipulating state transitions
  • Price, quantity, and currency manipulation patterns
  • Coupon, referral, and promotion abuse
  • Time-of-check vs time-of-use (TOCTOU) race conditions

Prerequisites: Modules 1–6. Familiarity with HTTP-level request manipulation in Burp Suite.

Business logic flaws are where the commercially important findings live. Unlike SQL injection or XSS, they can’t be detected by scanners or generic rules — they require an understanding of how the application is supposed to work and an eye for where that logic breaks under hostile input.

The findings in this category tend to produce the largest direct financial impact. A race condition in a refund endpoint that lets an attacker withdraw the same credit twice. A workflow bypass that lets a user skip KYC. A price-manipulation vulnerability that accepts a negative quantity and pays the attacker. These bugs have cost real Indian fintechs real crores. Testing for them is the difference between a credible pentest and a scanner report.

The mental model

Business logic vulnerabilities are mismatches between the application’s intended flow and what its code actually enforces. The attacker asks: “What does this feature assume the user will do? What happens if they don’t?”

Examples:

  • The password-reset flow assumes the user will click the link once. What if they click it simultaneously from two devices?
  • The checkout assumes positive quantities. What if quantity is negative?
  • The coupon check assumes one coupon per order. What if two are applied in parallel requests?
  • The KYC workflow assumes step 1 completes before step 2. What if the attacker calls step 3 directly?
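Two of the list items above (the coupon applied in parallel requests, and the negative quantity at checkout) can be shown side by side as vulnerable and hardened code. The following is an added, constructed example, not the module's own material: the `CouponStore`, the coupon code `WELCOME100`, the prices in paise and the `MAX_QUANTITY` cap are all made up for illustration. The race is made deterministic with a barrier so the check-then-act window is reproducible rather than timing-dependent.

```python
"""Toy demonstration of two business-logic flaws: a check-then-act coupon
redemption with a time-of-check/time-of-use window, and a checkout total that
trusts the client's quantity. Constructed example code; store, coupon code and
prices are assumptions, not values from the module."""
import threading
from dataclasses import dataclass, field

MAX_QUANTITY = 100  # assumed per-line-item cap for this toy shop


@dataclass
class CouponStore:
    """In-memory stand-in for the coupons table."""
    used: set = field(default_factory=set)
    lock: threading.Lock = field(default_factory=threading.Lock)


def redeem_racy(store, code, checkpoint=lambda: None):
    """Vulnerable: the 'already used?' check and the 'mark used' write are
    separate steps, so two requests can both pass the check before either
    writes. `checkpoint` stands in for the latency between those steps."""
    if code in store.used:
        return False
    checkpoint()          # window in which a second request can also pass the check
    store.used.add(code)  # both requests reach here and both "succeed"
    return True


def redeem_atomic(store, code, checkpoint=lambda: None):
    """Hardened: check and write happen inside one critical section, so the
    second request always observes the first request's write."""
    checkpoint()          # latency happens before, never inside, the critical section
    with store.lock:
        if code in store.used:
            return False
        store.used.add(code)
        return True


def run_parallel_redemptions(redeem, code="WELCOME100"):
    """Fire two concurrent redemptions of the same coupon, holding both at a
    barrier so they are forced to overlap, and return how many succeeded.
    A correct implementation lets exactly one through."""
    store = CouponStore()
    barrier = threading.Barrier(2, timeout=5)
    results = []

    def worker():
        results.append(redeem(store, code, checkpoint=barrier.wait))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def order_total_unchecked(unit_price_paise, quantity):
    """Vulnerable: trusts whatever quantity the client sent. A negative
    quantity yields a negative total, i.e. the shop ends up paying the buyer."""
    return unit_price_paise * quantity


def order_total_checked(unit_price_paise, quantity):
    """Hardened: quantity must be a real integer in [1, MAX_QUANTITY]."""
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    return unit_price_paise * quantity


def quantity_rejected(quantity):
    """True if the hardened checkout refuses this quantity."""
    try:
        order_total_checked(49900, quantity)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("racy redemptions that succeeded:", run_parallel_redemptions(redeem_racy))      # 2
    print("atomic redemptions that succeeded:", run_parallel_redemptions(redeem_atomic))  # 1
    print("unchecked total for quantity -3:", order_total_unchecked(49900, -3))           # -149700
```

In a real service the critical section is not a process-local lock but an atomic store operation: a conditional `UPDATE ... WHERE used = 0` whose affected-row count decides success, or a row lock taken before the check. The quantity check illustrates the same principle for the price/quantity class: every value the client can send is validated server-side against the assumptions the business logic silently makes.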