Advanced Exploitation Techniques
Business Logic Vulnerabilities
3 min read
Business logic bugs exploit flaws in how an application's workflow is designed, not implementation defects such as injection or memory corruption. Every request in the attack is syntactically valid; it just uses the application in a way the developer never anticipated. That is why automated scanners rarely find them, and why bounty programs tend to pay well for them.
What Makes Business Logic Bugs Different
| Traditional Bugs | Business Logic Bugs |
|---|---|
| Exploit code vulnerabilities | Exploit process design flaws |
| Detectable by scanners | Requires manual testing |
| Technical exploitation | Understanding business context |
| Often documented (OWASP) | Unique to each application |
Common Categories
Price Manipulation
# E-commerce flow
1. Add item to cart (price: $100)
2. Intercept checkout request
3. Modify: {"price": 1, "quantity": 1}
4. Check if server validates price
# Coupon/discount abuse
POST /apply-coupon
{"code": "SAVE50", "quantity": 100} # Apply coupon 100 times?
# Currency confusion
# If $100 USD = €90 EUR
# Pay €90, receive $100 credit?
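The server-side check that defeats all three price-manipulation tests above, as an added example (not code from the original page): a toy checkout handler in its vulnerable and hardened forms. The catalog, coupon table and request bodies are constructed sample data, and the function names are my own rather than any framework's API.

```python
"""Server-side price and coupon validation for a checkout request.

Added example, not from the original page. CATALOG, COUPONS and the
request shapes are constructed for illustration.
"""
from decimal import Decimal

# Constructed catalog: the server's only source of truth for prices.
CATALOG = {
    "sku-100": Decimal("100.00"),
    "sku-25": Decimal("25.00"),
}

# Constructed coupon table: code -> percent off, valid once per order.
COUPONS = {"SAVE50": Decimal("50")}


def checkout_vulnerable(request):
    """Trusts the client's price and quantity and applies a coupon as many
    times as the client asks. Every attack in this section works here."""
    total = Decimal("0")
    for item in request["items"]:
        total += Decimal(str(item["price"])) * item["quantity"]
    coupon = request.get("coupon")
    if coupon and coupon["code"] in COUPONS:
        pct = COUPONS[coupon["code"]]
        for _ in range(coupon.get("times", 1)):
            total -= total * pct / 100
    return total


def checkout_hardened(request):
    """Recomputes the total from the catalog, rejects bad quantities and
    applies a coupon exactly once. Raises ValueError on tampered input."""
    total = Decimal("0")
    for item in request["items"]:
        sku, qty = item["sku"], item["quantity"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        # bool is an int subclass; reject it along with floats, strings, 0 and negatives.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"bad quantity {qty!r} for {sku}")
        # Any client-supplied "price" field is ignored; the catalog wins.
        total += CATALOG[sku] * qty
    coupon = request.get("coupon")
    if coupon:
        code = coupon["code"]
        if code not in COUPONS:
            raise ValueError(f"unknown coupon {code}")
        # One application per order, whatever "times"/"quantity" the client sends.
        total -= total * COUPONS[code] / 100
    if total < 0:
        raise ValueError("negative total")
    return total.quantize(Decimal("0.01"))


def rejects(request):
    """Helper: True if the hardened handler refuses the request."""
    try:
        checkout_hardened(request)
    except ValueError:
        return True
    return False
```

The same rule applies to currency: convert on the server from a rate table the client cannot influence, and credit the account in the currency the payment was actually settled in.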
Workflow Bypass
# Skip verification steps
1. Normal: Register → Verify Email → Access
2. Attack: Register → Jump directly to access
# Test by:
# - Directly accessing URLs meant for later stages
# - Modifying state parameters
# - Removing/changing step identifiers
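What a workflow-bypass test is probing for is whether the step a user is on lives on the server or in the request. The following is an added example, not code from the original page: the Register → Verify Email → Access flow modelled with a per-account stage kept server-side and a transition table saying which stage may follow which. The account store, stage names and request fields are constructed for illustration.

```python
"""Server-side workflow state instead of client-supplied step markers.

Added example, not from the original page. TRANSITIONS, ACCOUNTS and the
request shapes are constructed for illustration.
"""

# Which stage may follow which. Anything not listed is refused.
TRANSITIONS = {
    "registered": {"verified"},
    "verified": {"active"},
    "active": set(),
}

# Constructed account store: account id -> current stage (server side only).
ACCOUNTS = {}


def register(account_id):
    ACCOUNTS[account_id] = "registered"
    return ACCOUNTS[account_id]


def advance_vulnerable(account_id, request):
    """Trusts the 'step' field from the client, so a user can jump straight
    from 'registered' to 'active' by editing one parameter."""
    ACCOUNTS[account_id] = request["step"]
    return ACCOUNTS[account_id]


def advance_hardened(account_id, request):
    """Moves to the requested stage only if the transition table allows it
    from the stage the server has recorded, and only if the evidence that
    stage requires (here, a valid email token) is present."""
    current = ACCOUNTS.get(account_id)
    target = request["step"]
    if current is None or target not in TRANSITIONS.get(current, set()):
        raise PermissionError(f"cannot move from {current} to {target}")
    if target == "verified" and not request.get("email_token_valid"):
        raise PermissionError("email verification token missing or invalid")
    ACCOUNTS[account_id] = target
    return target


def access_dashboard(account_id):
    """Gate the protected resource on recorded state, not on which URL or
    'step' parameter the client arrived with."""
    if ACCOUNTS.get(account_id) != "active":
        raise PermissionError("account is not active")
    return "dashboard"


def can_access(account_id):
    """Helper: True if the dashboard is reachable for this account."""
    try:
        access_dashboard(account_id)
        return True
    except PermissionError:
        return False


def try_advance(account_id, request):
    """Helper: the new stage, or None if the hardened handler refused it."""
    try:
        return advance_hardened(account_id, request)
    except PermissionError:
        return None
```

The test for this in a real target is the same as the page describes: request the later-stage URL directly, or send the later-stage step identifier from an account that has not completed the earlier stage, and see whether the server consults its own record or yours.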
Account Takeover via Logic
# Password reset abuse
1. Request reset for victim@example.com
2. Request reset for attacker@example.com
3. Capture attacker's token from the reset email/link
4. Submit attacker's token, but point the request at the victim (change the email/user_id field in the reset form, or a user identifier embedded in the token itself)
5. If the server only checks that the token exists, the victim's password changes
# Linking/unlinking accounts
1. Link attacker's social account to victim's profile
2. Use social login as victim
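The reset flow above fails when the token only proves "someone asked for a reset" while the request body decides whose password changes. As an added example (not code from the original page), here is that bug beside the fix: the hardened handler resolves the account from the server-side token record, consumes the token on first use and refuses it after expiry. Users, tokens, and request shapes are constructed; the function names are my own.

```python
"""Password-reset tokens bound to the account they were issued for.

Added example, not from the original page. USERS, RESET_TOKENS and the
request shapes are constructed for illustration.
"""
import hashlib
import secrets
import time

# Constructed user store: email -> password (kept plaintext only to keep the demo short).
USERS = {"victim@example.com": "victim-old", "attacker@example.com": "attacker-old"}

# Server-side token store: sha256(token) -> (email, expiry). Storing the hash
# means a leaked table does not hand out usable tokens.
RESET_TOKENS = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(email, ttl=900, now=None):
    """Create a random, single-use, account-bound reset token."""
    if email not in USERS:
        return None  # behave the same for unknown addresses; do not enumerate
    token = secrets.token_urlsafe(32)
    start = time.time() if now is None else now
    RESET_TOKENS[_digest(token)] = (email, start + ttl)
    return token


def reset_vulnerable(request):
    """Bug: the token proves that a reset was requested by somebody, but the
    'email' field chooses whose password is overwritten."""
    if _digest(request["token"]) not in RESET_TOKENS:
        raise PermissionError("invalid token")
    USERS[request["email"]] = request["new_password"]
    return request["email"]


def reset_hardened(request, now=None):
    """The account comes from the token record; any 'email' field in the
    request is ignored. The token is consumed on first use."""
    record = RESET_TOKENS.pop(_digest(request["token"]), None)
    if record is None:
        raise PermissionError("invalid or already used token")
    email, expiry = record
    if (time.time() if now is None else now) > expiry:
        raise PermissionError("expired token")
    USERS[email] = request["new_password"]
    return email


def try_reset(handler, request):
    """Helper: the email whose password changed, or None if refused."""
    try:
        return handler(request)
    except PermissionError:
        return None
```

The account-linking case is the same mistake in another shape: the link endpoint must bind the social identity to the currently authenticated session, never to a user identifier the client supplies.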
Race Conditions
When timing matters more than logic (a time-of-check/time-of-use gap between a validation and the action it guards):
# The attack
# If: Check balance → Process payment → Deduct balance
# Then: Send simultaneous requests so every check runs before any deduction
# Withdraw $100 twice from a $100 account
# Both checks pass (balance=100)
# Both withdrawals process
# Result: -$100 balance (unless the deduction itself re-checks atomically)
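The check-then-act race above, reproduced in-process as an added example (not code from the original page). Two threads each withdraw 100 from an account holding 100 and are released together by a barrier, the in-process analogue of firing all requests at once. The vulnerable path separates the check from the deduction, with a short sleep standing in for the database or payment-gateway time a real handler spends in that window, so both checks pass; the hardened path does check and deduct as one unit under a lock. Amounts and names are constructed.

```python
"""Check-then-act race on an account balance, reproduced in-process.

Added example, not from the original page. The sleep in the vulnerable
path is a stand-in for real I/O so the race reproduces deterministically.
"""
import threading
import time


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_vulnerable(self, amount):
        if self.balance >= amount:        # 1. check
            time.sleep(0.05)              # window: DB round-trip, payment call, ...
            self.balance -= amount        # 2. act, on a balance that may be stale
            return True
        return False

    def withdraw_hardened(self, amount):
        with self._lock:                  # check and act cannot interleave
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def race(method, amount=100, workers=2):
    """Call method(amount) from `workers` threads that start at the same
    instant; returns the per-request results in completion order."""
    results = []
    results_lock = threading.Lock()
    start = threading.Barrier(workers)

    def worker():
        start.wait()                      # everyone leaves the gate together
        ok = method(amount)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    a = Account(100)
    print(race(a.withdraw_vulnerable), a.balance)          # [True, True] -100
    b = Account(100)
    print(sorted(race(b.withdraw_hardened)), b.balance)    # [False, True] 0
```

An in-process lock only protects one process. With several application servers behind a load balancer the check and the deduction have to be atomic at the data store, for example a single conditional update such as `UPDATE accounts SET balance = balance - 100 WHERE id = ? AND balance >= 100` whose affected-row count decides success, or a `SELECT ... FOR UPDATE` inside the transaction.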
Testing Race Conditions
# Using Turbo Intruder (Burp extension)
# Queue 20+ identical requests and release them together; the bundled
# race-single-packet-attack.py template does this with engine=Engine.BURP2
# and a named gate that is opened once every request is queued
# Using curl in parallel (background jobs; requests leave several ms apart,
# so this is a quick first check, not a tight race)
for i in {1..20}; do
  curl -s -o /dev/null -X POST "https://example.com/withdraw" \
    -d "amount=100" \
    -H "Cookie: session=xxx" &
done
wait
# Key targets:
# - Balance operations
# - Coupon redemption
# - Vote/like systems
# - Inventory checkout
Single-packet Attack
James Kettle's 2023 research ("Smashing the state machine: the true potential of web race conditions", Black Hat USA 2023 / DEF CON 31):
# HTTP/2 multiplexes many requests over one TCP connection
# Withhold the last few bytes of every request, then send them all in one TCP packet
# Every request completes on the server at the same instant: network jitter is removed
# Burp Repeater: put the requests in a tab group → "Send group in parallel (single-packet attack)"
# Requires HTTP/2; against HTTP/1.1 targets Burp falls back to last-byte synchronization
# Effective even when the race window is sub-millisecond
Limit Bypass
Circumventing restrictions:
# Rate limits
# Try: Different IP, User-Agent, Case variations
# api/v1/send-sms vs API/V1/SEND-SMS
# Download/usage limits
# Check if limits are client-side
# Modify session to reset counter
# Create new session mid-use
# Free tier limits
# Check if paid features accessible via direct API
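Every rate-limit bypass listed above comes down to what the limiter uses as its key. As an added example (not code from the original page), here is a fixed-window counter run with two key functions: one built from client-controlled values (IP, User-Agent, raw path), so a new IP or a re-cased path gets a fresh counter, and one built from the authenticated account plus a normalized route. The limit, window, request shapes and sample requests are constructed.

```python
"""Rate-limit keys that do not reset under the bypasses listed above.

Added example, not from the original page. The limiter, key functions and
SAMPLE requests are constructed for illustration.
"""
from collections import defaultdict


def normalize_route(path):
    """Canonical form of a route: drop the query string, fold case,
    collapse repeated slashes and strip a trailing slash."""
    path = path.split("?", 1)[0].lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


class FixedWindowLimiter:
    """Allows at most `limit` hits per key per `window` seconds. The clock
    is passed in so behaviour is testable without sleeping."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.counts = defaultdict(int)   # (key, window index) -> hits

    def allow(self, key, now):
        bucket = (key, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def key_vulnerable(req):
    # Everything here is chosen by the client.
    return (req["ip"], req["user_agent"], req["path"])


def key_hardened(req):
    # Bound to who is acting and what they are doing, in canonical form.
    return (req["account"], normalize_route(req["path"]))


def run(limiter, key_fn, requests, now=0):
    """Feed requests through the limiter; returns an allow/deny decision per request."""
    return [limiter.allow(key_fn(r), now) for r in requests]


# Constructed sample: one account requesting OTP SMS while rotating IP and path casing.
SAMPLE = [
    {"account": "u1", "ip": "10.0.0.1", "user_agent": "UA", "path": "/api/v1/send-sms"},
    {"account": "u1", "ip": "10.0.0.1", "user_agent": "UA", "path": "/api/v1/send-sms"},
    {"account": "u1", "ip": "10.0.0.2", "user_agent": "UA", "path": "/api/v1/send-sms"},      # new IP
    {"account": "u1", "ip": "10.0.0.1", "user_agent": "UA", "path": "/API/V1/SEND-SMS"},      # re-cased
    {"account": "u1", "ip": "10.0.0.1", "user_agent": "UA", "path": "/api/v1/send-sms?x=1"},  # query string
]
```

Two caveats. The normalization must mirror what the router actually does: if the router matches paths case-sensitively, `/API/V1/SEND-SMS` is a 404 and no limit is needed, and the cleanest key is the handler that was resolved rather than the path string at all. And this counter is per process; like the race-condition lock, a fleet of servers needs the counter in a shared store so that a "new session" or a request landing on a different node does not start from zero.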
Real-World Examples
| Company | Bug | Bounty |
|---|---|---|
| Shopify | Negative quantity checkout | $15,000 |
| Uber | Free rides via referral abuse | $10,000 |
| PayPal | Currency rounding exploit | $8,000 |
| HackerOne | Signal leaderboard manipulation | $5,000 |
Testing Methodology
- Map the business flow: Understand what the application is supposed to do
- Identify assumptions: What does the developer assume users will do?
- Break assumptions: Do the unexpected
- Test boundaries: Negative numbers, zero, MAX_INT
- Test timing: Can you do X before Y completes?
Exploitation Checklist
- Can you modify prices/amounts in requests?
- Can you skip required steps?
- Can you reuse tokens/codes?
- What happens with negative values?
- Are there race windows in multi-step operations?
- Can free accounts access paid features?
Pro Tip: Think like a fraudster, not a hacker. What would a malicious user trying to steal money do?
Next, we'll explore file upload and deserialization attacks.