Business Logic & Privilege Escalation

Logic bugs require understanding how the app should work, then breaking that assumption.

• Understand the intended workflow first
• Ask: what is the developer assuming the user will always do?
• Break those assumptions
• New features interacting with old features = especially buggy

• Sign up with example@target.com – may grant special privileges
• Change client-side values: price, quantity, premium_bought=0 to 1
• Use sandbox/test credit card numbers on payment flows
• Negative quantities in shopping carts
• Skip steps in multi-step workflows (register step 2 without step 1)
• Reuse single-use tokens (password reset, email verification)
• Rate-limit bypass by modifying headers: X-Forwarded-For, X-Real-IP

• Can you access paid features without paying?
• Is payment info in the HTML DOM? Chain XSS to leak it
• Different country payment options – sandbox card numbers not blocked?
• Modify price in request body – “price”: 0.01 instead of real price
• Currency manipulation, decimal truncation bugs

• Submit the same coupon code twice simultaneously
• Transfer more money than your balance by racing requests
• Win contests or limited offers by parallel submissions
• Use Burp Repeater “Send group in parallel” for race condition testing

• Check for dangling NS delegations, CNAME records pointing to unclaimed services
• dig subdomain.target.com – look for NXDOMAIN, SERVFAIL, REFUSED
• Common targets: AWS S3, Route53, GitHub Pages, Heroku, Azure, Shopify
• Tools: subjack, can-i-take-over-xyz (GitHub), nuclei templates

• IDOR Testing
• Auth & Session Bugs
• Bug Chaining
• Methodology Index