Business Logic Bugs — Payment Tampering & Workflow Exploitation

What are business logic bugs?

Business logic bugs happen when the code does exactly what it was told to do -- but what it was told to do is wrong. The checkout trusts a price from the client. The webhook doesn't verify the signature. The feature gate lives in the UI but not on the server. Nothing crashes. No error gets thrown. The app just quietly does something it shouldn't.

These aren't the kind of bugs that show up in a dependency scan or a static analysis report. There's no CVE for "your checkout lets users set their own price." You need to actually understand the intended workflow, then test what happens when someone deviates from it. That's what makes them dangerous -- and why most scanners miss them entirely.

What it looks like in code

Here's a checkout endpoint generated by a typical AI coding tool. It takes the product ID, price, and quantity from the request body and charges the customer. Looks clean. Works in demo. Ships to production.

Vulnerable: price comes from the client

// POST /api/checkout
app.post('/api/checkout', async (req, res) => {
  const { productId, price, quantity } = req.body;

  // The price comes straight from the client
  const total = price * quantity;

  const charge = await stripe.charges.create({
    amount: total,
    currency: 'usd',
    source: req.body.token,
  });

  await db.orders.create({ productId, total, chargeId: charge.id });
  res.json({ success: true });
});

The problem: price comes straight from req.body. An attacker opens DevTools, changes the price to 1, and buys your $500 product for a penny.

Fixed: price looked up server-side from the database

// POST /api/checkout
app.post('/api/checkout', async (req, res) => {
  const { productId, quantity } = req.body;

  // Look up the real price from the database
  const product = await db.products.findById(productId);
  if (!product) return res.status(404).json({ error: 'Product not found' });

  const total = product.price * quantity;

  const charge = await stripe.charges.create({
    amount: total,
    currency: 'usd',
    source: req.body.token,
  });

  await db.orders.create({ productId, total, chargeId: charge.id });
  res.json({ success: true });
});

Why AI tools generate this

AI coding tools are trained on patterns, not on your business rules. They don't know what your checkout is supposed to enforce.

They optimize for working code, not correct code. If you say "build a checkout," the AI generates code that processes a payment. Whether the price is validated server-side is a business rule the model doesn't think to enforce.
Training data is full of tutorials, not production apps. Tutorials skip webhook verification, ignore multi-step validation, and pass prices from forms. The AI learned from those shortcuts.
Business logic is context the model doesn't have. The AI doesn't know that free-tier users shouldn't access the export endpoint, or that step 3 requires step 2. Those are your rules, and the model can't infer them.

Common patterns

Price tampering in checkout

The client sends a price field with the order. The server trusts it. An attacker changes $99 to $0.01 and the payment goes through.

Unverified Stripe webhooks

The webhook endpoint processes events without checking the Stripe signature. Anyone can POST a fake payment_intent.succeeded and unlock paid features.

Feature flag bypass

Premium features are gated in the UI but not on the server. Call the API directly and the server hands back pro-tier data to a free account.

State manipulation in multi-step flows

A checkout or onboarding wizard stores progress client-side. Skip to the final step, submit the form, and the server accepts it without validating prior steps.

How Flowpatrol detects it

Most scanners check for known CVEs and bad headers. Flowpatrol goes further -- it actually uses your app the way an attacker would.

1Maps your workflows. Flowpatrol crawls your app like a real user -- signing up, adding items, checking out -- to understand how your flows are supposed to work.
2Tampers with state. It replays requests with modified prices, skipped steps, and forged payloads to see if the server actually validates what it should.
3Tests trust boundaries. Every webhook endpoint, every client-supplied value, every feature gate gets tested to see if the server blindly trusts what it receives.
4Reports what matters. You get a clear finding with the exact request, the tampered value, and what the server did wrong -- plus how to fix it.

Check your app for logic bugs.

Paste your URL. Flowpatrol tests your checkout flows, webhook endpoints, and feature gates -- the stuff checklist scanners skip.

Try it free

What are business logic bugs?

What it looks like in code

Vulnerable: price comes from the client

// POST /api/checkout
app.post('/api/checkout', async (req, res) => {
  const { productId, price, quantity } = req.body;

  // The price comes straight from the client
  const total = price * quantity;

  const charge = await stripe.charges.create({
    amount: total,
    currency: 'usd',
    source: req.body.token,
  });

  await db.orders.create({ productId, total, chargeId: charge.id });
  res.json({ success: true });
});

The problem: price comes straight from req.body. An attacker opens DevTools, changes the price to 1, and buys your $500 product for a penny.

Fixed: price looked up server-side from the database

// POST /api/checkout
app.post('/api/checkout', async (req, res) => {
  const { productId, quantity } = req.body;

  // Look up the real price from the database
  const product = await db.products.findById(productId);
  if (!product) return res.status(404).json({ error: 'Product not found' });

  const total = product.price * quantity;

  const charge = await stripe.charges.create({
    amount: total,
    currency: 'usd',
    source: req.body.token,
  });

  await db.orders.create({ productId, total, chargeId: charge.id });
  res.json({ success: true });
});

Why AI tools generate this

AI coding tools are trained on patterns, not on your business rules. They don't know what your checkout is supposed to enforce.

They optimize for working code, not correct code. If you say "build a checkout," the AI generates code that processes a payment. Whether the price is validated server-side is a business rule the model doesn't think to enforce.
Training data is full of tutorials, not production apps. Tutorials skip webhook verification, ignore multi-step validation, and pass prices from forms. The AI learned from those shortcuts.
Business logic is context the model doesn't have. The AI doesn't know that free-tier users shouldn't access the export endpoint, or that step 3 requires step 2. Those are your rules, and the model can't infer them.

Common patterns

Price tampering in checkout

The client sends a price field with the order. The server trusts it. An attacker changes $99 to $0.01 and the payment goes through.

Unverified Stripe webhooks

The webhook endpoint processes events without checking the Stripe signature. Anyone can POST a fake payment_intent.succeeded and unlock paid features.

Feature flag bypass

Premium features are gated in the UI but not on the server. Call the API directly and the server hands back pro-tier data to a free account.

State manipulation in multi-step flows

A checkout or onboarding wizard stores progress client-side. Skip to the final step, submit the form, and the server accepts it without validating prior steps.

How Flowpatrol detects it

Most scanners check for known CVEs and bad headers. Flowpatrol goes further -- it actually uses your app the way an attacker would.

1Maps your workflows. Flowpatrol crawls your app like a real user -- signing up, adding items, checking out -- to understand how your flows are supposed to work.
2Tampers with state. It replays requests with modified prices, skipped steps, and forged payloads to see if the server actually validates what it should.
3Tests trust boundaries. Every webhook endpoint, every client-supplied value, every feature gate gets tested to see if the server blindly trusts what it receives.
4Reports what matters. You get a clear finding with the exact request, the tampered value, and what the server did wrong -- plus how to fix it.

Business Logic Bugs Payment Tampering & Workflow Exploitation

What are business logic bugs?

What it looks like in code

Why AI tools generate this

Common patterns

Price tampering in checkout

Unverified Stripe webhooks

Feature flag bypass

State manipulation in multi-step flows

How Flowpatrol detects it

Check your app for logic bugs.

Business Logic Bugs Payment Tampering & Workflow Exploitation

What are business logic bugs?

What it looks like in code

Why AI tools generate this

Common patterns

Price tampering in checkout

Unverified Stripe webhooks

Feature flag bypass

State manipulation in multi-step flows

How Flowpatrol detects it

Check your app for logic bugs.