====== Business Logic & Privilege Escalation ======

Logic bugs require understanding how the app is supposed to work, then breaking the assumptions that behaviour rests on.

===== Mindset =====

  * Understand the intended workflow first
  * Ask: what is the developer assuming the user will always do?
  * Break those assumptions
  * New features interacting with old features are especially buggy

===== Common Logic Flaws =====

  * Sign up with ''example@target.com'' -- may grant special privileges
  * Change client-side values: price, quantity, ''premium_bought=0'' to ''1''
  * Use sandbox/test credit card numbers on payment flows
  * Negative quantities in shopping carts
  * Skip steps in multi-step workflows (e.g. submit registration step 2 without completing step 1)
  * Reuse single-use tokens (password reset, email verification)
  * Rate-limit bypass by modifying headers: ''X-Forwarded-For'', ''X-Real-IP''

===== Payment Logic =====

  * Can you access paid features without paying?
  * Is payment info in the HTML DOM? Chain XSS to leak it
  * Different country payment options -- are sandbox card numbers blocked for all of them?
  * Modify price in request body -- ''"price": 0.01'' instead of the real price
  * Currency manipulation, decimal truncation bugs

===== Race Conditions =====

  * Submit the same coupon code twice simultaneously
  * Transfer more money than your balance by racing requests
  * Win contests or limited offers by parallel submissions
  * Use Burp Repeater "Send group in parallel" for race condition testing

===== DNS & Subdomain Takeover =====

  * Check for dangling NS delegations and CNAME records pointing to unclaimed services
  * ''dig subdomain.target.com'' -- look for NXDOMAIN, SERVFAIL, REFUSED
  * Common targets: AWS S3, Route53, GitHub Pages, Heroku, Azure, Shopify
  * Tools: ''subjack'', can-i-take-over-xyz (GitHub), nuclei templates

===== See Also =====

  * [[zseano:idor|IDOR Testing]]
  * [[zseano:auth_session|Auth & Session Bugs]]
  * [[zseano:escalation|Bug Chaining]]
  * [[zseano:start|Methodology Index]]
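The Common Logic Flaws and Payment Logic sections above all come down to the server trusting something the client sent (a price, a quantity, a premium flag, a token that was already spent). The following Python is an added example, not code from this wiki or from any target: it shows the server-side shape that closes those bugs. The catalogue, the ''sku-*'' identifiers and the in-memory token store are constructed for illustration; a real app would back them with its database.

```python
"""Server-side enforcement for the logic flaws listed above.

Added example (not from the original page). The catalogue and the token
store are in-memory dicts constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import secrets
import time

# Constructed catalogue: the price is looked up by SKU, never taken from the request.
CATALOGUE = {"sku-premium": 4999, "sku-basic": 999}  # prices in cents


class ValidationError(ValueError):
    pass


@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int


def build_order(request_body: dict) -> Order:
    """Accept only the SKU and quantity from the client; compute the price here.

    Rejects negative, zero, non-integer and boolean quantities, and ignores any
    client-supplied "price" (the '"price": 0.01' case) because it is never read.
    """
    sku = request_body.get("sku")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")
    quantity = request_body.get("quantity")
    # bool is a subclass of int, so True would otherwise pass as quantity 1
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValidationError("quantity must be an integer")
    if quantity < 1 or quantity > 100:
        raise ValidationError("quantity out of range")
    return Order(sku=sku, quantity=quantity, total_cents=CATALOGUE[sku] * quantity)


def is_valid_order(request_body: dict) -> bool:
    """Convenience wrapper: True if build_order accepts the body."""
    try:
        build_order(request_body)
        return True
    except ValidationError:
        return False


def grant_premium(user: dict, payment_confirmed: bool) -> dict:
    """Premium is derived from a verified payment event, never from a request field
    such as premium_bought=1."""
    updated = dict(user)
    updated["premium"] = bool(payment_confirmed)
    return updated


class SingleUseTokens:
    """Password-reset / email-verification tokens that can be consumed exactly once."""

    def __init__(self, ttl_seconds: int = 900):
        self._tokens = {}  # token -> (user_id, expiry timestamp)
        self._ttl = ttl_seconds

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        if now is None:
            now = time.time()
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, now + self._ttl)
        return token

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id on the first valid use; None on replay or expiry."""
        if now is None:
            now = time.time()
        # pop, not get: the token is removed on first presentation even if expired,
        # so a second submission of the same token can never succeed
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user_id, expiry = entry
        if now > expiry:
            return None
        return user_id
```

The two rules worth remembering from this block: values with a security meaning (price, premium flag) are recomputed or looked up on the server and the request field is simply never read, and single-use tokens are removed atomically on first presentation rather than checked and then deleted in two steps.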
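The Race Conditions section above (double coupon redemption, overdrawn transfers) is a check-then-act bug: the "is there a use left?" check and the decrement run as two separate steps, and parallel requests all pass the check before any of them decrements. The Python below is an added example, not code from this wiki: it reproduces the race deterministically with a barrier and then shows the fix, which is to make the check and the decrement one atomic step. The ''CouponStore'' class and the ''SAVE10'' code are constructed; the lock stands in for a row lock or conditional ''UPDATE'' in a real database.

```python
"""Coupon redemption: racy check-then-act next to the atomic fix.

Added example (not from the original page). The 'table' is an in-memory dict.
"""
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Optional, Tuple


class CouponStore:
    """Holds the remaining uses per coupon code (constructed in-memory table)."""

    def __init__(self, codes: dict):
        self._uses = dict(codes)
        self._lock = threading.Lock()

    def redeem_naive(self, code: str, pause: Optional[Callable[[], object]] = None) -> bool:
        """Vulnerable: the check and the decrement are two separate steps."""
        if self._uses.get(code, 0) <= 0:
            return False
        if pause is not None:
            pause()  # window in which parallel requests have also passed the check
        self._uses[code] -= 1
        return True

    def redeem_safe(self, code: str) -> bool:
        """Fixed: check and decrement happen together under one lock, so at most
        one request can claim the last use."""
        with self._lock:
            if self._uses.get(code, 0) <= 0:
                return False
            self._uses[code] -= 1
            return True

    def remaining(self, code: str) -> int:
        return self._uses.get(code, 0)


def parallel_redemptions(method: Callable[[str], bool], code: str, n: int) -> int:
    """Fire n redemptions of `code` concurrently; return how many succeeded."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        results = list(pool.map(lambda _: method(code), range(n)))
    return sum(1 for ok in results if ok)


def demo_naive(n: int = 20) -> Tuple[int, int]:
    """Every request passes the check before any decrements: all n succeed."""
    store = CouponStore({"SAVE10": 1})
    barrier = threading.Barrier(n)
    succeeded = parallel_redemptions(
        lambda c: store.redeem_naive(c, barrier.wait), "SAVE10", n
    )
    return succeeded, store.remaining("SAVE10")


def demo_safe(n: int = 20) -> Tuple[int, int]:
    """Same load against the atomic version: exactly one request succeeds."""
    store = CouponStore({"SAVE10": 1})
    succeeded = parallel_redemptions(store.redeem_safe, "SAVE10", n)
    return succeeded, store.remaining("SAVE10")


if __name__ == "__main__":
    print("naive:", demo_naive())  # expect (20, negative remaining)
    print("safe: ", demo_safe())   # expect (1, 0)
```

In SQL the equivalent of ''redeem_safe'' is a single conditional statement such as ''UPDATE coupons SET uses = uses - 1 WHERE code = ? AND uses > 0'' with the affected row count checked afterwards, or a ''SELECT ... FOR UPDATE'' inside the transaction; the balance-transfer variant is the same pattern applied to the account row.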
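The DNS & Subdomain Takeover section above reduces to one check: for every CNAME in a zone, does the target still resolve, or does the lookup come back NXDOMAIN, SERVFAIL or REFUSED? The Python below is an added example, not code from this wiki, written as a zone audit a defender runs over their own records. The zone fragment and the resolver answers are constructed so it runs offline; the ''resolve'' callable is injected and would wrap a real lookup (for example via dnspython) in production.

```python
"""Audit a zone for dangling CNAMEs (subdomain-takeover exposure).

Added example (not from the original page). ZONE and FAKE_RCODES are constructed.
"""
from typing import Callable, List, Tuple

# Constructed BIND-style zone fragment
ZONE = """
; constructed sample zone
www        300 IN CNAME  example-site.github.io.
assets     300 IN CNAME  old-bucket.s3.amazonaws.com.
shop       300 IN CNAME  store.myshopify.com.
api        300 IN A      203.0.113.10
mail       300 IN MX     10 mx.example.net.
"""

# Constructed resolver answers for the CNAME targets, as rcode strings like dig prints them
FAKE_RCODES = {
    "example-site.github.io.": "NOERROR",
    "old-bucket.s3.amazonaws.com.": "NXDOMAIN",
    "store.myshopify.com.": "SERVFAIL",
}

# rcodes from the section above that indicate the target is not (or no longer) served
SUSPICIOUS_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) for each CNAME record in a BIND-style zone text."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "CNAME":
            records.append((parts[0], parts[4]))
    return records


def find_dangling(zone_text: str, resolve: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Return (owner, target, rcode) for every CNAME whose target fails to resolve.

    `resolve` takes a name and returns the rcode string of the lookup.
    """
    findings = []
    for owner, target in parse_cnames(zone_text):
        rcode = resolve(target)
        if rcode in SUSPICIOUS_RCODES:
            findings.append((owner, target, rcode))
    return findings


def fake_resolve(name: str) -> str:
    """Constructed stand-in for a real resolver (unknown names -> NXDOMAIN)."""
    return FAKE_RCODES.get(name, "NXDOMAIN")


if __name__ == "__main__":
    for owner, target, rcode in find_dangling(ZONE, fake_resolve):
        print(f"{owner} -> {target}: {rcode}")
```

A NOERROR answer is not a clean bill of health: several hosting services answer for any name under their domain and only report at the HTTP layer that the resource is unclaimed, which is what the can-i-take-over-xyz fingerprints listed above cover. Treat this script as the first pass (records whose target no longer exists at all) and review the remaining CNAMEs to third-party services against that list.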