Business Logic Cheat Sheet

Real-world business logic abuse techniques for authorized pentests, bug bounties, and CTFs: price/quantity tampering, workflow bypass, coupon abuse, privilege assumptions, and race conditions. (27 payloads)

Build custom Business Logic payloads in the Business Logic generator

Price & Quantity Manipulation

(5)

POST /cart/add
{"product_id":1337,"price":0.01,"qty":1}

Tamper with a client-supplied price field the server trusts instead of looking up the catalog price. If the order total reflects 0.01, the server failed to re-derive price server-side.Carts/checkout that echo price in the request body

POST /checkout
{"items":[{"sku":"A1","qty":-1,"price":100}]}

Negative quantity to invert the line-item total (qty * price = -100), which can credit the cart and reduce the grand total or trigger a refund. Test whether totals can go below zero.Order math that allows negative or signed quantities

POST /api/order
{"amount":1000.00,"currency":"VND"}  // then change to a weaker currency or omit it

Currency confusion: pay 1000 in a low-value currency while goods are priced in a high-value one, or omit currency so the server defaults to the cheaper unit. Confirm the charge currency matches the catalog currency.Multi-currency checkout / payment gateways

POST /cart/update
{"line_id":5,"qty":2,"unit_price":50,"line_total":1}

Send an inconsistent line_total that contradicts qty * unit_price. A server that trusts the precomputed total instead of recomputing it will undercharge.APIs that accept both unit price and precomputed totals

POST /checkout
{"price":99.99}  →  resend as {"price":99.999999}

Rounding/precision abuse: supply extra decimal places or values that round down to 0 (e.g. 0.004) so per-unit charges floor to zero while quantity stays high.Float-based pricing without server-side rounding rules

Parameter Tampering & Hidden Fields

(4)

POST /profile/update
user_id=1001&role=admin&[email protected]

Mass-assignment / over-posting: add fields the form never exposed (role, is_admin, account_balance) and check whether the server binds them blindly to the model.Frameworks with auto-binding (Rails, Spring, Laravel)

GET /api/v1/orders/1002 (your order is 1003)

IDOR via predictable identifiers: decrement/increment object IDs to access another tenant's resource. Always test with a second low-privilege account to confirm cross-account access.Sequential or guessable object references

PATCH /api/account
{"id":"<victim_uuid>","verified":true,"plan":"enterprise"}

Tamper with state/entitlement flags (verified, plan, tier, kyc_status) to grant yourself benefits the workflow should gate. Verify server re-checks ownership and authority.Entitlement and verification flags in request body

GET /export?format=pdf&account=ALL (was account=self)

Scope-widening parameter abuse: change a filter from self/own to ALL, *, or another account id to pull data beyond your authorization boundary.Reporting/export endpoints with scope params

Workflow & Step Bypass

(5)

Skip /checkout/step2 (payment) → POST /checkout/step3 (confirm) directly

Forced browsing through a multi-step flow: jump to the confirmation/fulfillment step without completing payment. Tests whether each step validates that prior steps succeeded.Multi-step checkout / onboarding wizards

POST /password/reset/confirm
{"token":"","user":"victim","new_password":"P@ss1"}

Reset-flow logic flaw: submit the final step with an empty/missing token or a token belonging to a different account to test step-binding and token-to-user enforcement.Password reset / email-verification flows

POST /order/12345/status
{"status":"shipped"}   (without paying)

State-machine bypass: drive an order straight to a privileged terminal state (paid, shipped, approved) skipping required transitions. Confirm allowed-transition checks exist.Order/ticket/approval state machines

Complete free trial signup → DELETE /subscription → re-POST /trial/start

Trial/limit reset abuse: cancel and restart to re-trigger a once-per-account benefit. Test whether the limit is keyed to a reusable identifier (email alias, device, payment token).Free trials, one-time offers, usage quotas

GET /cart?step=review → tamper shipping=FREE_EXPRESS then POST without re-validating cart

Time-of-check/time-of-use on cart contents: modify items, price, or shipping after the validation step but before the final commit. Check for cart re-validation at submit.Checkout where cart is validated early then committed

Coupon, Discount & Refund Abuse

(5)

POST /cart/coupon
{"code":"SAVE10"}  → repeat the request 3x

Coupon stacking / re-application: apply the same single-use code multiple times in one cart to multiply the discount. Confirm uniqueness is enforced per cart, not per click.Discount engines without idempotent application

POST /cart/coupon
{"code":"WELCOME20"}&{"code":"STUDENT15"}&{"code":"BLACKFRIDAY"}

Stack mutually-exclusive coupons to combine discounts that should not co-exist, potentially driving the total negative. Test for combination/exclusivity rules.Multiple-coupon carts

POST /giftcard/apply
{"code":"ABCD-1234","amount":50}  // server should derive amount

Gift-card/store-credit amount tampering: supply the redeem amount client-side hoping the server applies it without checking the card's real balance.Gift cards / store credit redemption

Place order with 100% coupon → request refund → keep goods/credit

Refund logic abuse: obtain a refund on an order that cost (near) nothing due to a discount, or refund to a different instrument than the one charged. Verify refunds cap at amount actually paid.Refund/return workflows

POST /coupon/validate {"code":"VIP50","min_spend":0}

Override discount eligibility conditions (min_spend, category, first_order_only) sent from the client so a restricted coupon applies where it should not.Client-supplied coupon eligibility constraints

Role, Privilege & Trust Assumptions

(4)

Cookie: role=user; → Cookie: role=admin;

Client-controlled authorization: flip a role/privilege stored in a cookie, JWT claim, or hidden field and check whether the server re-derives authority server-side.Authz decisions based on client-held state

JWT header: {"alg":"none"} with stripped signature, payload {"sub":"victim","role":"admin"}

Auth token logic flaw: test alg:none acceptance or unverified claims to assume another identity/role. Confirm the server enforces a fixed algorithm and verifies signatures.JWT-based sessions (verify lib config)

GET /admin/users with a normal user session (no UI link)

Function-level authorization gap: hit privileged endpoints directly that the UI hides from low-privilege users. Hidden in the UI is not the same as access-controlled.Admin/privileged endpoints lacking server-side authz

POST /api/transfer
{"from":"<victim_account>","to":"<my_account>","amount":100}

Missing ownership check: set the source/owner field to a resource you do not own. The server must bind actions to the authenticated principal, not a request-supplied owner.Funds/resource transfer with client-supplied owner

Replay & Race Conditions

(4)

Capture POST /giftcard/redeem → replay 10x concurrently (same code/token)

Race-condition double-spend: fire many concurrent identical requests so balance/limit checks read the same pre-decrement state (TOCTOU). Tools: Burp Turbo Intruder, ffuf, custom threads.Balance, voucher, and inventory decrements

POST /coupon/apply (single-use) → 20 parallel requests in one TCP burst (last-byte sync)

Single-packet/last-byte synchronization to make single-use limits apply multiple times. Confirm atomic/locked decrement or unique constraints under concurrency.Single-use codes, one-per-account limits

Capture signed payment callback → replay POST /payment/webhook unchanged

Replay a captured request/webhook lacking a nonce, timestamp, or idempotency key to repeat a privileged effect (mark paid, credit account). Verify replay protection and signature freshness.Payment/webhook callbacks without nonce/idempotency

Withdraw full balance: 5 concurrent POST /wallet/withdraw {"amount":<balance>}

Concurrent withdrawal race to exceed available balance / overdraw. Compare final ledger to expected: a vulnerable app lets total withdrawn exceed the starting balance.Wallets, points, inventory reservations

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Business Logic

Related Cheat Sheets

IDOR Cheat Sheet Race Condition Cheat Sheet API Security Cheat Sheet

Frequently asked questions

What is the Business Logic Cheat Sheet?+

It's a quick-reference collection of 27 Business Logic payloads for testing Business Logic vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Business Logic payloads?+

Copy any payload straight into your authorized test, or open the Business Logic generator to build customized Business Logic variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these Business Logic payloads free to use?+

Yes — this cheat sheet and all Business Logic payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Business Logic Cheat Sheet?+

How do I use these Business Logic payloads?+

Are these Business Logic payloads free to use?+

Yes — this cheat sheet and all Business Logic payloads are completely free, with no account required. Everything runs in your browser.