This project documents a critical business logic vulnerability discovered in a web application lab environment. The flaw allows an attacker to manipulate cart data, user balance, and product pricing by tampering with client-controlled parameters.
The vulnerability was identified during testing using an intercepting proxy tool.
- Type: Business Logic Flaw / Client-Side Trust Issue
- Severity: Critical
- Attack Vector: Parameter Tampering via Intercepted HTTP Requests
- Affected Components:
  - Cart API
  - Purchase API
  - Client-side validation logic

```http
POST /api/cart/add
GET /api/cart
POST /api/purchase
```
The application incorrectly trusts data provided by the client for sensitive operations such as:
- User balance validation
- Product pricing
- Cart item quantities
- Purchase calculations
Instead of enforcing validation on the server, the application relies on client-side logic, which can be bypassed using request interception.
This allows full manipulation of purchase logic, including pricing and balance values.
- Burp Suite
- Browser Developer Tools
- Manual HTTP request modification
```http
POST /api/cart/add
Content-Type: application/json

{
  "itemId": 1,
  "quantity": 1
}
```

```http
GET /api/cart

{
  "userBalance": 9999999999
}
```

Result: Server accepted the manipulated balance value.

```http
POST /api/purchase
Content-Type: application/json

{
  "cartItems": [
    {
      "item_id": 1,
      "quantity": 1,
      "price": 1000
    }
  ]
}
```

Result: Server returned 200 OK and processed the purchase successfully despite the modified pricing and balance values.
This vulnerability allows an attacker to:
- Purchase items at reduced or zero cost
- Manipulate product pricing during checkout
- Modify user balance arbitrarily
- Bypass client-side purchase restrictions
- Corrupt transaction integrity
The issue is caused by:
- Trusting client-side data for financial calculations
- Lack of server-side validation for:
  - price
  - balance
  - quantity
- Absence of authoritative backend recalculation
Never accept the price from the client; look up price and balance on the server and recompute the total from stored values for every item in the cart:

```python
price = db.get_product_price(item_id)
balance = db.get_user_balance(user_id)
# Recompute per item from stored prices; the request body's price is never used
total = sum(db.get_product_price(item.item_id) * item.quantity for item in cart)
```

Reject:
- negative quantities
- null values
- excessively large numbers

Never trust:
- price
- userBalance
- computed totals from the request body
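As an added example (not code from the lab or the original write-up), the remediation above carried through into a complete purchase handler: it accepts only `item_id` and `quantity`, bounds the quantity, and takes price, balance and total exclusively from server-side storage, so the tampered `price` and `userBalance` fields from the proof of concept are simply ignored. The catalogue, balances and `MAX_QTY` cap are constructed stand-ins for the lab's database.

```python
# Added example: server-side checkout that never reads financial values from the request.
from decimal import Decimal

MAX_QTY = 100  # assumed per-line quantity cap; tune to the business case

# Constructed stand-ins for the application's database
CATALOGUE = {1: Decimal("4999.00"), 2: Decimal("250.00")}  # item_id -> authoritative price
BALANCES = {"alice": Decimal("6000.00")}                   # user_id -> authoritative balance


class PurchaseError(ValueError):
    pass


def validate_items(cart_items):
    """Keep only item_id and quantity; any other key (price, total, ...) is ignored."""
    if not isinstance(cart_items, list) or not cart_items:
        raise PurchaseError("cart must be a non-empty list")
    normalized = []
    for entry in cart_items:
        if not isinstance(entry, dict):
            raise PurchaseError("cart entry must be an object")
        item_id, qty = entry.get("item_id"), entry.get("quantity")
        if item_id not in CATALOGUE:
            raise PurchaseError(f"unknown item {item_id!r}")
        # bool is a subclass of int, so exclude it explicitly; this also rejects null
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise PurchaseError("quantity must be an integer")
        if qty <= 0 or qty > MAX_QTY:
            raise PurchaseError(f"quantity {qty} outside 1..{MAX_QTY}")
        normalized.append((item_id, qty))
    return normalized


def purchase(user_id, payload):
    """Price, balance and total come from storage; client-supplied copies are never read."""
    items = validate_items(payload.get("cartItems"))
    total = sum(CATALOGUE[item_id] * qty for item_id, qty in items)
    balance = BALANCES.get(user_id)
    if balance is None:
        raise PurchaseError("unknown user")
    if total > balance:
        raise PurchaseError(f"insufficient funds: need {total}, have {balance}")
    BALANCES[user_id] = balance - total
    return {"status": "ok", "charged": str(total), "remaining": str(BALANCES[user_id])}


if __name__ == "__main__":
    # Constructed tampered request mirroring the proof of concept: lowered price, inflated balance
    tampered = {"cartItems": [{"item_id": 1, "quantity": 1, "price": 1000}],
                "userBalance": 9999999999}
    print(purchase("alice", tampered))  # charges 4999.00, not 1000
```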
- Client-side validation is not security
- All financial logic must be server-side
- Request interception reveals trust boundaries
- APIs must never accept authoritative values from clients
This vulnerability demonstrates a critical breakdown in trust boundaries between client and server. By relying on client-controlled data for financial operations, the system becomes fully exploitable via simple request manipulation.
Written by Possible (@SIEM Latency) — The Cyber Lab Journal