Business Logic Abuse in APIs: The Vulnerabilities Scanners Can't Find
Why Scanners Miss Business Logic Flaws
Automated security scanners (SAST, DAST, IAST) excel at finding technical vulnerabilities — SQL injection, XSS, missing headers. But they fundamentally cannot understand your business rules. A business logic vulnerability exists when an API allows actions that are technically valid but violate the intended business workflow.
Definition: A business logic vulnerability occurs when an attacker exploits legitimate application functionality in unintended ways to achieve a malicious goal. The requests are well-formed, authenticated, and pass all input validation — but the outcome violates business intent.
The Cost of Business Logic Abuse
| Metric | Value | Source |
|---|---|---|
| E-commerce revenue lost to business logic abuse | $48B annually | Juniper Research 2025 |
| Financial services API fraud from logic flaws | $12B annually | Javelin Strategy 2025 |
| Loyalty/rewards program abuse | $3.1B annually | Loyalty Security Alliance |
| Average time to detect logic abuse | 96 days | Imperva 2025 |
| Logic abuse attacks blocked by traditional WAF | < 5% | Salt Security 2025 |
The 10 Most Common Business Logic Abuses
1. Price Manipulation
Attack: Modify prices in API requests before checkout.
# Legitimate request
POST /api/checkout
{ "items": [{ "id": "laptop-001", "price": 999.99, "qty": 1 }] }
# Attack — Client sends modified price
POST /api/checkout
{ "items": [{ "id": "laptop-001", "price": 0.01, "qty": 1 }] }
Fix: Never trust client-sent prices. Always look up prices server-side.
async function checkout(req: Request) {
const cart = req.body.items;
// Look up REAL prices from database for each item
const priced = await Promise.all(
cart.map(async (item: any) => {
const product = await Product.findById(item.id);
return {
productId: product.id,
price: product.currentPrice, // From database, NOT from client
quantity: Math.min(item.qty, product.stockCount),
};
})
);
const total = priced.reduce((sum, i) => sum + i.price * i.quantity, 0);
return processPayment(total, priced);
}
2. Coupon / Discount Stacking
Attack: Apply the same coupon multiple times or combine coupons that shouldn't stack.
| Business Rule | What Attacker Does | Prevention |
|---|---|---|
| One coupon per order | Sends multiple coupon codes in array | Validate coupon count server-side |
| Coupon expires after use | Rapid concurrent requests with same coupon | Atomic coupon redemption (DB lock) |
| Coupons don't stack | Applies % off + $ off + referral code | Mutual exclusion logic on coupon types |
| Minimum purchase amount | Applies coupon, then removes items | Re-validate coupon at payment time |
3. Race Conditions
Attack: Send concurrent requests to exploit time-of-check-to-time-of-use (TOCTOU) vulnerabilities.
# User has $100 balance
# Sends 5 simultaneous requests to transfer $100
T0: Request 1 → Check balance: $100 ✓ → Process transfer
T0: Request 2 → Check balance: $100 ✓ → Process transfer
T0: Request 3 → Check balance: $100 ✓ → Process transfer
T0: Request 4 → Check balance: $100 ✓ → Process transfer
T0: Request 5 → Check balance: $100 ✓ → Process transfer
Result: $500 transferred from $100 balance!
Fix — Use database-level atomic operations:
// VULNERABLE — Read-then-write race condition
const user = await User.findById(userId);
if (user.balance >= amount) {
user.balance -= amount;
await user.save();
}
// SECURE — Atomic database operation
const result = await User.findOneAndUpdate(
{
_id: userId,
balance: { $gte: amount }, // Check AND update atomically
},
{
$inc: { balance: -amount },
},
{ new: true }
);
if (!result) {
throw new Error("Insufficient balance");
}
4. Enumeration / Scraping
Systematic crawling of API endpoints to extract entire datasets.
5. Workflow Bypass
Skipping required steps by calling API endpoints out of order.
Normal flow: Select Item → Add to Cart → Enter Shipping → Enter Payment → Confirm
Attack: Skip payment step by directly calling /api/orders/confirm
Prevention: Implement a state machine for multi-step workflows. Each API endpoint verifies the current state before proceeding.
6. Loyalty Points Manipulation
7. Excessive Function Execution
8. Feature Flag Abuse
9. Free Tier Abuse
Creating unlimited accounts to abuse free tiers.
10. Review / Rating Manipulation
Detection Strategies
Behavioral Analysis
Since individual requests look legitimate, detection requires analyzing sequences of requests:
| Signal | What It Indicates |
|---|---|
| User completes checkout in < 2 seconds | Automated bot, not human |
| Same coupon code attempted 100x in 1 minute | Coupon brute-forcing |
| Account creation from same device fingerprint | Free-tier abuse / Sybil attack |
| API calls skip expected workflow steps | Workflow bypass attempt |
| 1000 requests to /api/products with incrementing IDs | Product catalog scraping |
Anomaly Detection Approach
Baseline (learn normal):
- Average checkout time per user: 3-10 minutes
- Average coupon applications per order: 0.3
- Average API calls per session: 15-25
- Payment attempt success rate: 87%
Alert when:
- Checkout time < 5 seconds (bot behavior)
- Coupon applications per order > 1 (stacking attempt)
- API calls per session > 100 (enumeration)
- Payment attempt success rate < 10% (card testing)
Prevention Architecture
| Layer | Control | Purpose |
|---|---|---|
| API Gateway | Rate limiting, bot detection | Block high-volume abuse |
| Application | State machine enforcement, atomic operations | Prevent workflow bypass and race conditions |
| Business Rules Engine | Coupon logic, pricing validation | Enforce business constraints |
| Behavioral Analytics | Sequence analysis, anomaly detection | Detect sophisticated abuse |
| Manual Review | Flagged transactions for human review | Catch edge cases |
Further Reading
- API Security Trends 2026 — Broader API threat landscape
- OWASP API Security Top 10 — API6: Unrestricted Access to Sensitive Business Flows
- Secure API Design Patterns — Building secure APIs from the start
Advertisement
Free Security Tools
Try our tools now
Expert Services
Get professional help
OWASP Top 10
Learn the top risks
Related Articles
OWASP Top 10 2025: What's Changed and How to Prepare
A comprehensive breakdown of the latest OWASP Top 10 vulnerabilities and actionable steps to secure your applications against them.
Secure API Design Patterns: A Developer's Guide
Learn the essential security patterns every API developer should implement, from authentication to rate limiting.
The Ultimate Secure Code Review Checklist for 2025
A comprehensive, actionable checklist for conducting secure code reviews. Covers input validation, authentication, authorization, cryptography, error handling, and CI/CD integration with real-world examples.