Business logic flaws are defects in an application's workflow rules — not in its code syntax — that let an attacker manipulate legitimate features to produce illegitimate outcomes: negative-quantity refunds, stacked coupons, wallet double-spends, or skipping a payment step entirely. Automated scanners cannot find them because there is no malformed payload to signature-match against; every request is syntactically valid. Finding them requires a tester who understands what the workflow is supposed to enforce, then breaks that assumption on purpose. For Indian SMBs running e-commerce, fintech, and SaaS billing flows, this class of bug is now where real financial loss concentrates.
Why Automated Scanners Are Structurally Blind To This
A scanner is built to recognise patterns: a <script> tag reflected in a response, a SQL error string after an injected quote, a missing security header. It compares your application's responses against a library of known-bad signatures. That works well for OWASP Top 10 categories like injection and misconfiguration, where the flaw is visible in a single request-response pair.
Business logic flaws don't work that way. The request quantity=-3 is not malformed — it's a perfectly valid integer, and the scanner has no idea that your inventory system will interpret a negative quantity as a credit rather than a rejection. The scanner cannot know that your coupon endpoint should reject a second redemption of the same code, because "should" is a business rule that lives in your product specification, not in the HTTP protocol. This is precisely why OWASP separated API Security into its own Top 10 in 2023, with Broken Object Level Authorization (BOLA) ranked as the single most common API weakness — a category that is, by definition, a logic and authorization design failure rather than a payload injection (OWASP API Security Top 10, 2023).
The Flaw Families Scanners Consistently Miss
Negative Quantity and Integer Abuse
Cart and inventory systems built to trust the client for quantity math are a recurring pattern in Indian D2C and marketplace apps. If the backend computes total = price * quantity without a server-side floor check, a request with quantity=-1 can turn a purchase into a credit, or a bulk-order discount tier into a negative-cost line item that inflates a wallet balance. The same bug class shows up in loyalty-points redemption, where a negative "points to redeem" value increases the balance instead of decreasing it.
Coupon and Discount Stacking
A single-use coupon is only single-use if the redemption is checked and marked atomically. Common failure patterns include: applying the same code across multiple concurrent tabs or API calls before the "already used" flag commits; chaining a percentage coupon with a flat-value coupon the UI never intended to combine; or replaying a cached checkout request after a coupon has technically expired server-side but the session token was issued before expiry. None of these produce an error a scanner would recognise — the checkout completes successfully every time.
TOCTOU Double-Spend in Wallets and Refunds
This is the highest-value flaw family for fintech and wallet-enabled apps. Time-of-check to time-of-use (TOCTOU) race conditions occur when a system reads a balance, evaluates whether a debit or refund is permitted, and only later writes the updated balance — leaving a window where a second concurrent request can pass the same check before the first write commits. Fire two refund or withdrawal requests at the same endpoint within milliseconds of each other, and many naive implementations will approve both, because both read the "before" balance.
The unguarded path on the left is what most wallet and refund incidents look like in post-mortem: two valid, individually-authorised requests that should never have been allowed to both succeed. The fix is not a WAF rule — it's a database-level row lock or serializable transaction, combined with an idempotency key that rejects the second write outright, shown on the right.
SELECT ... FOR UPDATE equivalent, or an idempotency key on the write, assume it is exploitable by concurrent requests today — this requires no special tooling, just two browser tabs or a simple script firing requests in parallel.IDOR-Adjacent Workflow Abuse
Classic IDOR is "change the ID in the URL and see someone else's record." The workflow-abuse variant is subtler: it's calling a legitimate endpoint out of its intended sequence. Examples seen repeatedly in Indian SaaS and e-commerce audits: hitting an order-confirmation endpoint directly, skipping the payment-capture step because the backend trusts the client to have called it first; re-opening a "submitted" KYC form by replaying an earlier draft-save request; or calling an admin-approval webhook with a valid but stale token because the state machine never re-validates the object's current status before acting. The object ID is correct and belongs to the right user — the flaw is that the backend never checks what stage the workflow should be in before executing the action.
Why These Survive Code Review Too
Business logic flaws aren't just invisible to scanners — they're frequently invisible to code review as well, because the code executes exactly as written. The bug is in the design, not the implementation. This is why OWASP added Insecure Design as its own Top 10 category in 2021: "a missing or ineffective control design" is a distinct root cause from a broken control that was implemented incorrectly (OWASP Top 10:2021, A04). A developer reviewing the coupon-redemption function will see that it checks if coupon.used == false — that line is correct. What's missing is the transaction boundary that makes the check-then-set atomic against a concurrent request. No linter flags that. No unit test written against a single-threaded test harness catches it either, because the bug only exists when two requests interleave.
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanHow to Actually Test for These Bugs
Finding business logic flaws requires abuse-case testing against your own workflow specification, not a generic payload library. The table below contrasts what a scanner covers against what needs a human tester or a purpose-built concurrency test.
| Test type | Detects negative quantity | Detects coupon stacking | Detects TOCTOU double-spend | Detects workflow-order abuse |
|---|---|---|---|---|
| Automated DAST/scanner | No | No | No | Rarely |
| Static code analysis (SAST) | Partial | No | No | No |
| Manual functional QA | Partial | Partial | No | Partial |
| Concurrency/race-condition testing (parallel request tooling) | No | Yes | Yes | No |
| Manual abuse-case penetration test | Yes | Yes | Yes | Yes |
The chart above is illustrative, not a measured statistic — but it captures a pattern seen consistently across audits: the largest slice of exploitable risk in a mature application is often the part no scanner touches at all.
Building a Business-Logic-Aware Testing Program
A scanner-only security program will pass compliance checklists while leaving this entire flaw class open. A workable program adds three things on top of automated scanning: first, a per-workflow threat model that lists every state transition (cart to order to payment to confirmation to refund) and asks "what happens if this step is called out of order, twice, or with an inverted value"; second, scripted concurrency tests against every endpoint that reads-then-writes a balance, quota, or single-use token; third, a recurring manual penetration test — not a one-time exercise — because new features reopen new logic gaps every release cycle. This is also the layer where DPDP Act 2023 accountability bites hardest: financial and workflow-abuse incidents typically involve exactly the kind of unauthorised data and monetary exposure the Act's "reasonable security safeguards" obligation was written to prevent (Digital Personal Data Protection Act 2023, MeitY).
Bachao.AI runs automated VAPT scanning alongside structured manual abuse-case testing so that negative-quantity, coupon-stacking, and TOCTOU-class findings surface before an attacker finds them — delivered with a CERT-In empanelled partner for engagements that require empanelled sign-off. Dhisattva AI Pvt Ltd built the platform specifically because scanner-only coverage was leaving this exact flaw class unaddressed across Indian SMB stacks. You can review sample findings from a free VAPT scan, read more testing methodology on the blog, or check how these findings map to Indian data-protection obligations at DPDP compliance.