Post cover image

June 2, 2026

Exploiting Insufficient Workflow Validation — PortSwigger Business Logic Vulnerability Lab #8

Introduction

Thewatchdog13

3 min read

Introduction

As part of my journey through PortSwigger's Web Security Academy, I recently completed the lab "Insufficient Workflow Validation."

Unlike traditional vulnerabilities that stem from coding errors, this lab focuses on flaws in the application's business process. The vulnerability arises because the application fails to verify whether critical workflow steps have been completed before allowing sensitive actions to occur.

In this write-up, I'll explain how I identified the flaw, analyzed the application's workflow, and successfully exploited it.

What is Workflow Validation?

Many web applications require users to complete actions in a specific sequence.

For example:

  1. Add items to a cart
  2. Review the order
  3. Confirm payment
  4. Complete the purchase

Developers often assume users will follow this sequence exactly as intended.

However, if the server fails to validate that previous steps were completed, attackers may be able to skip important checks and directly access sensitive functionality.

This weakness is known as Insufficient Workflow Validation.

Understanding the Application

After logging into the application, I explored the available functionality and observed the purchasing workflow.

The process appeared straightforward:

  1. Select products
  2. Proceed through checkout
  3. Confirm the purchase

The challenge hinted that there was a weakness in how the application validated the workflow.

My goal was to determine whether the server enforced each stage or simply trusted that users would follow the intended process.

Step 1: Map the Workflow

The first step was understanding every request involved in the checkout process.

Using Burp Suite, I intercepted requests while completing a normal purchase.

None None

This allowed me to identify:

  • The sequence of endpoints
  • Parameters submitted during each stage
  • The final request responsible for completing the purchase

Documenting the workflow is essential because business logic flaws often become visible only when the entire process is understood.

Step 2: Identify Critical Actions

After observing multiple requests, I focused on the final action that completed the purchase.

This request represented the most sensitive part of the workflow because it performed the actual transaction.

I wanted to determine whether the server independently verified that all previous steps had been completed before processing this request.

Step 3: Test Workflow Enforcement

Next, I sent requests to Burp Repeater and began testing different scenarios.

Questions I wanted answered included:

  • Can I access later stages directly?
  • Can I skip intermediate steps?
  • Does the server verify previous actions?
  • Are session states properly enforced?

To answer these questions, I replayed requests while modifying the normal sequence.

Step 4: Bypass the Intended Process

During testing, I discovered that the application trusted the user's progression through the workflow rather than validating it on the server side.

None

Instead of completing every required stage, it was possible to directly invoke the final action.

None

The server processed the request without confirming that the earlier workflow requirements had been satisfied.

None

This demonstrated a classic workflow validation flaw.

Step 5: Complete the Exploit

After identifying the vulnerable step, I repeated the attack using the required target conditions specified by the lab.

The application accepted the manipulated workflow and processed the transaction successfully.

None

Because the server failed to verify workflow integrity, the attack achieved the intended objective and completed the lab.

Root Cause Analysis

The vulnerability exists because the application assumes users will follow the intended process.

Rather than verifying workflow state on the server, the application relies on client-side navigation and user behavior.

Common causes include:

  • Missing server-side workflow checks
  • Trusting client-side controls
  • Failure to validate process state
  • Insecure assumptions about user behavior
  • Lack of authorization checks between workflow stages

Security Impact

Insufficient workflow validation can lead to serious consequences, including:

  • Unauthorized purchases
  • Discount abuse
  • Payment bypasses
  • Account takeover scenarios
  • Unauthorized access to restricted functionality
  • Business process manipulation

In real-world applications, these flaws can result in significant financial losses.

Lessons Learned

For Security Testers

  • Always map complete workflows.
  • Identify critical actions within the process.
  • Attempt to access endpoints out of sequence.
  • Replay requests individually using Burp Repeater.
  • Test whether server-side validation exists for every stage.

For Developers

  • Never assume users will follow the intended workflow.
  • Validate workflow state on the server.
  • Enforce prerequisite checks before sensitive actions.
  • Treat client-side controls as untrusted.
  • Verify permissions and process state at every step.

Conclusion

The "Insufficient Workflow Validation" lab demonstrates how dangerous business logic vulnerabilities can be even when no traditional security bug exists.

The application's failure to enforce workflow integrity allowed sensitive actions to be performed without completing required steps.

This lab reinforced an important lesson:

If the server does not verify the workflow, attackers will create their own.