Automated scanners find injection and misconfiguration. They will never find a business logic flaw — a feature that works exactly as coded, where the logic itself is what an attacker exploits. These bugs cause the largest real-world losses, and only manual testing finds them.
Common logic-flaw patterns
- Price / quantity tampering: negative quantities that credit the cart, or client-side prices the server trusts.
- Race conditions: redeem one coupon, withdraw one balance, or use one OTP many times by firing concurrent requests.
- Workflow bypass: skip the payment step and hit the order-confirmation endpoint directly.
- Coupon / referral abuse: stack discounts or self-refer for unlimited credit.
- Privilege via logic: a “downgrade” flow that resets you to an over-privileged default.
The race-condition example
A balance check then a debit, without a lock, is a classic. Fire many concurrent requests so they all pass the check before any debit lands:
# Conceptually: 20 parallel withdrawals of the full balance
# Tools: Burp Repeater "send group in parallel" / Turbo Intruder
# If 5 succeed against a balance that should allow 1 -> race-condition logic flaw
How to test for logic flaws
- Map the intended workflow, then ask “what if I do these out of order, twice, or with hostile values?”
- Test every money/credit/quota path for tampering and races.
- Re-test authorization at each step, not just at login.
- Think like the developer: where did they assume the client would behave?
Defences
Server-side validation of every value, idempotency keys and locks on money operations, and state-machine enforcement so steps cannot be skipped. RingSafe’s manual pentests are built around exactly this kind of logic testing. Talk to us.
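As an added example (not the page's or RingSafe's own code), the racy check-then-debit from the section above sits beside the hardened version the Defences describe: one atomic check-and-debit under a lock, plus an idempotency key so a replayed request cannot debit twice. The in-memory account, the class names and the thread harness are constructed assumptions standing in for a real database row and real HTTP requests.

```python
import threading
import time

class RacyAccount:
    """Vulnerable: balance check, then debit, with no lock (constructed)."""
    def __init__(self, balance):
        self.balance = balance
    def withdraw(self, amount):
        if self.balance >= amount:          # step 1: check
            time.sleep(0.001)               # widens the race window for the demo
            self.balance -= amount          # step 2: debit, the check may be stale
            return True
        return False

class SafeAccount:
    """Hardened: atomic check-and-debit under a lock, replays keyed and ignored."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()
        self._seen = {}                      # idempotency key -> prior result
    def withdraw(self, amount, idempotency_key):
        with self._lock:
            if idempotency_key in self._seen:
                return self._seen[idempotency_key]   # same request, same answer
            ok = self.balance >= amount
            if ok:
                self.balance -= amount
            self._seen[idempotency_key] = ok
            return ok

def hammer(withdraw, n=20):
    """Start n withdrawals at the same instant; return how many succeeded."""
    barrier = threading.Barrier(n)
    results = []
    def worker(i):
        barrier.wait()                       # release every thread together
        results.append(withdraw(i))
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results.count(True)

def run_racy(n=20):
    acct = RacyAccount(100)                  # balance allows exactly one withdrawal
    return hammer(lambda i: acct.withdraw(100), n), acct.balance

def run_safe(n=20):
    acct = SafeAccount(100)
    won = hammer(lambda i: acct.withdraw(100, f"req-{i}"), n)
    acct.withdraw(100, "req-0")              # replayed request: no second debit
    return won, acct.balance                 # returns (1, 0)
```

run_racy() typically reports several successful withdrawals against a balance that should allow one, while run_safe() always reports exactly one and a balance of 0 even after the replay.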
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. For India's SMBs and SaaS teams.