
quiz vs the machine


Security

Business Logic Flaw Review

Why some bugs pass every scanner yet break the rules of your application.

6 min read · advanced

The Risk

A business logic flaw is a bug where each request is technically valid, but the sequence or the values violate the intended rules. There is no malformed input to flag, so automated scanners miss it. Examples include applying a discount more times than allowed, skipping a payment step in a multi-stage flow, or submitting negative quantities to gain value.

The danger is that the system does exactly what the code says, which is not what the business meant.

The Defense

  • Model the intended states of a workflow and enforce valid transitions on the server, never trusting client order.
  • Re-check invariants, such as totals being non-negative and quantities being within limits, at the point of action.
  • Apply server-side authorization and limits for every step, not only the first.
  • Review flows with abuse cases, asking how a motivated user could reach an unintended outcome.
  • Add monitoring for anomalies like repeated discount use.
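As an added illustration of the first two defenses (example code, not part of the lesson), a minimal server-side checkout state machine in Python: the transition table and the limits are assumed policy values, and every method re-checks the rules itself, so the order in which the client sends requests cannot bypass them.

```python
from dataclasses import dataclass, field

# Server-side checkout state machine. Allowed transitions are fixed here, so a
# client that requests "shipped" straight from "cart" is rejected however
# well-formed the request is. Limits below are assumed policy values.
TRANSITIONS = {("cart", "payment_pending"), ("payment_pending", "paid"),
               ("paid", "shipped")}
MAX_QTY = 10            # assumed per-line quantity limit
MAX_DISCOUNT_USES = 1   # assumed: one coupon application per order


class LogicViolation(Exception):
    """Raised when a well-formed request would break a business rule."""


@dataclass
class Order:
    state: str = "cart"
    items: dict = field(default_factory=dict)  # sku -> (qty, unit_price_cents)
    discount_cents: int = 0
    discount_uses: int = 0

    def total_cents(self) -> int:
        return sum(q * p for q, p in self.items.values()) - self.discount_cents

    def add_item(self, sku: str, qty: int, unit_price_cents: int) -> None:
        if self.state != "cart":
            raise LogicViolation("items can only change while in cart")
        if not 1 <= qty <= MAX_QTY or unit_price_cents < 0:
            raise LogicViolation("quantity or price outside allowed range")
        self.items[sku] = (qty, unit_price_cents)

    def apply_discount(self, cents: int) -> None:
        if self.state != "cart":
            raise LogicViolation("discounts can only be applied while in cart")
        if self.discount_uses >= MAX_DISCOUNT_USES:
            raise LogicViolation("discount already used on this order")
        if cents < 0 or self.total_cents() - cents < 0:
            raise LogicViolation("discount would make the total negative")
        self.discount_cents += cents
        self.discount_uses += 1

    def transition(self, to_state: str, paid_cents: int = 0) -> None:
        # Invariants are re-checked at the point of action, not only at entry.
        if (self.state, to_state) not in TRANSITIONS:
            raise LogicViolation(f"illegal transition {self.state} -> {to_state}")
        if to_state == "paid" and paid_cents != self.total_cents():
            raise LogicViolation("payment amount does not match order total")
        self.state = to_state
```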

Key idea

Enforce the intended workflow states and invariants on the server and review flows with abuse cases, since valid-looking requests can still break business rules.

Check yourself


1. Why do scanners miss business logic flaws?

2. Which defense fits this class best?