By Hackersatty

This article is written in a practical research style based on real-world testing mindset and workflow analysis, focusing more on how the issue was identified from an attacker's perspective rather than only theoretical concepts.

Most security testing today focuses on payloads.

People spend hours testing:

  • SQL Injection
  • XSS
  • SSRF
  • File Uploads
  • RCE
  • WAF bypasses

But sometimes the real vulnerabilities are sitting quietly inside normal application workflows.

This finding came from exactly that type of situation.

No complex payloads. No fuzzing. No brute force. No automation.

Just understanding how the application trusted its own backend logic.

The Initial Observation

During testing, the application looked completely normal.

Different users had different dashboards. Restricted functionality was hidden properly. Administrative workflows were not visible to lower privileged users.

Everything looked correctly implemented from the frontend side.

But while monitoring requests through the proxy, I noticed something interesting.

Different user roles were sending almost identical API requests.

Only a few values were changing internally.

That immediately became suspicious.

Because in many real-world cases:

When multiple privilege levels use nearly identical requests, weak authorization logic usually exists somewhere in the backend.

So instead of focusing on the visible application, I started focusing on:

  • Request behavior
  • Workflow transitions
  • API patterns
  • Hidden functionality
  • Parameter trust
  • Backend response differences

And that is where things became interesting.

The Backend Trusted Requests Too Much

While replaying requests manually, I noticed that the backend accepted requests even when the functionality itself was completely hidden from the frontend.

For example, the application expected requests similar to this:

POST /api/v1/workflow/job/create
Host: example-testing-site[.]com
Authorization: Bearer USER_TOKEN
Content-Type: application/json
{
   "jobType":"internal",
   "action":"create",
   "priority":"normal"
}

At first glance, nothing looked vulnerable.

But after modifying workflow-related values and replaying the request manually, the backend processed actions that should only be available to higher privileged accounts.

That was the first major red flag.

The frontend blocked access completely.

The backend did not.

None

The Interesting Part

What made this finding interesting was not the request itself.

It was the application's trust assumption.

The developers assumed:

  • If the frontend hides the feature
  • Then users will never access it
  • Therefore additional backend validation is unnecessary

That assumption became the vulnerability.

And this is something I see very often in modern applications.

A lot of systems depend heavily on:

  • Hidden buttons
  • Disabled features
  • Restricted menus
  • UI-level controls

But attackers do not interact with applications the same way normal users do.

If an API endpoint exists, it becomes part of the attack surface.

Going Deeper Into the Workflow

After identifying the initial behavior, I started comparing how the application handled requests between different user roles.

One thing became very clear:

  • The backend validated authentication properly
  • But authorization validation was inconsistent

That difference matters a lot.

Because authentication only proves:

"Who are you?"

Authorization decides:

"What are you allowed to do?"

And in this case, the backend trusted authenticated requests more than it should have.

Finding Hidden Functionality

Once I understood the workflow behavior, I started exploring hidden actions manually.

Instead of depending on the frontend, I focused directly on backend endpoints.

Some endpoints returned:

  • Different status codes
  • Different response sizes
  • Different validation errors
  • Different workflow states

Those small inconsistencies revealed internal functionality that normal users were never supposed to interact with.

One request in particular exposed an internal action handler.

After replaying it with modified values, the backend executed the request successfully.

That confirmed the issue.

Why This Type of Bug Gets Missed

Most automated scanners would completely miss this vulnerability.

Because technically:

  • The application authenticated users correctly
  • No payload injection existed
  • No obvious error appeared
  • No crash happened
  • The traffic looked legitimate

The issue only became visible after understanding:

  • Workflow logic
  • Request relationships
  • Backend trust behavior
  • Authorization assumptions

This is why business logic vulnerabilities are becoming increasingly dangerous.

They often look like normal application behavior.

The Small Detail That Changed Everything

One of the biggest indicators during testing was the similarity between requests generated by different privilege levels.

For example:

"role":"viewer"

and

"role":"manager"

generated almost identical backend processing behavior.

That usually indicates the backend is trusting request structure more than actual privilege validation.

Once that pattern appeared, the attack surface became much larger.

The Workflow Problem

The application expected users to follow a sequence like:

Create Request → Review → Approval → Execution

But after replaying requests manually, it became clear that some workflow transitions were never validated properly on the backend.

The application assumed users would always follow the frontend flow.

That assumption failed immediately during manual testing.

The Real Lesson From This Finding

This vulnerability was a strong reminder that:

Good security testing is not always about advanced exploitation.

Sometimes the best findings come from:

  • Observing behavior carefully
  • Understanding workflows
  • Comparing requests
  • Looking for trust assumptions
  • Thinking differently from normal users

Most people test what they can see.

But some of the best vulnerabilities exist in areas the frontend tries to hide completely.

And once backend trust breaks, hidden functionality quickly becomes exposed.

Final Thoughts

Modern applications are becoming harder to exploit through traditional vulnerabilities alone.

But business logic issues continue appearing everywhere because they depend on assumptions instead of strict validation.

This finding existed because the application trusted:

  • Internal workflows
  • Frontend restrictions
  • Expected user behavior

More than actual backend authorization controls.

And that single mistake quietly created a serious security issue.

— Hackersatty