BiTree

Live coding lessons for aspiring developers and security professionals.

© 2026 BiTree. All rights reserved.
45 min · Advanced

Testing for Business Logic Flaws

After this lesson, you will be able to find business-logic vulnerabilities that automated scanners miss (price/quantity manipulation, workflow bypass, and trust-boundary violations) by using Repeater and Intruder methodically.

Business-logic flaws are bugs in the application's intended workflow that let you do unintended things. Scanners cannot find them because they do not understand the business rules. This lesson teaches how to think about and find them.

Prerequisites: Burp Extensions and the BApp Store

💡 Authorization first

Only perform these techniques in authorized lab environments. Never test systems you do not own or have explicit written permission to test. Every lab in this subtrack uses the PortSwigger Web Security Academy, which is built specifically for legal Burp Suite practice.

What business-logic vulnerabilities are

These are flaws in how the application's intended workflow can be abused: not a missing filter, but a wrong assumption about how users will behave. A scanner sees valid requests and valid responses and finds nothing, because the requests are technically well-formed. Only a human who understands what the app is supposed to do can spot that a particular sequence or value breaks the intended rules.

Common patterns

  • Price manipulation: change a cart item's price in the request and see if the server trusts it.
  • Quantity manipulation: negative quantities (refunding yourself), or values that cause integer overflow.
  • Workflow bypass: skip a step in checkout or registration (jump straight to the confirmation endpoint).
  • Trust-boundary violations: access functionality intended for a different role by calling its endpoint directly.

The theme is the server trusting client-supplied state it should recompute or check.
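The server-side view of these four patterns, as an added example (not BiTree's or PortSwigger's code): a confirmation handler that recomputes the total from its own catalog, bounds quantities, and takes workflow state and role from the session rather than the request. The catalog, SKUs, payload shape and limits are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed catalog (prices in cents): the only price source the server trusts.
CATALOG = {"sku-1001": 1999, "sku-2002": 499, "sku-9999": 1}
STAFF_ONLY_SKUS = {"sku-9999"}   # assumed staff-only item
MAX_QTY_PER_LINE = 100            # assumed business limit per cart line


@dataclass
class Session:
    role: str    # "customer" or "staff", set at login, never from the request
    state: str   # workflow position: "cart" -> "paid" -> "confirmed"


def total_trusting_client(order: dict) -> int:
    """Vulnerable pattern: the server sums whatever price/qty the client sent."""
    return sum(item["price"] * item["qty"] for item in order["items"])


def confirm_order(order: dict, session: Session) -> dict:
    """Hardened: recompute from the catalog, bound quantities, enforce the
    workflow and the role server-side, and ignore client-supplied prices."""
    # Workflow bypass: the confirmation endpoint is only valid after payment.
    if session.state != "paid":
        return {"ok": False, "error": "workflow: payment step not completed"}
    items = order.get("items") or []
    if not items:
        return {"ok": False, "error": "empty cart"}
    total = 0
    for item in items:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            return {"ok": False, "error": f"unknown sku {sku!r}"}
        # Trust boundary: entitlement comes from the session role, not the client.
        if sku in STAFF_ONLY_SKUS and session.role != "staff":
            return {"ok": False, "error": "sku not permitted for this role"}
        # bool is an int subclass in Python, so exclude it explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool):
            return {"ok": False, "error": "quantity must be an integer"}
        # Zero, negative (self-refund) and oversized quantities are all rejected.
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            return {"ok": False, "error": f"quantity {qty} out of range"}
        # Any client 'price' or 'total' field is ignored; the server recomputes.
        total += CATALOG[sku] * qty
    session.state = "confirmed"
    return {"ok": True, "total_cents": total}
```

Each rejected case above maps to one of the patterns a tester probes for in Repeater; the checks that make a request fail here are the ones whose absence produces a finding.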

How to find them

First, understand the intended functionality completely (use the app as a normal user). Then ask: what happens if I do this out of order, with this unexpected value, or as this user type? Methodically explore every numeric and boolean parameter for manipulation in Repeater, and use Intruder to sweep a range (every quantity from -10 to 1000). The mindset, not a tool, finds these bugs.

Lab: the business-logic series

Use PortSwigger's Business Logic labs.

  1. Complete the PortSwigger Business Logic labs series (11 labs, apprentice to expert).
  2. For each, first map the intended workflow, then identify the assumption the developer made.
  3. Break that assumption in Repeater (a wrong value, a skipped step, an unexpected role).
  4. For each finding, write the business impact in plain terms (e.g. 'a customer can buy any item for $0').

Quick Check

Why can't an automated scanner reliably find business-logic flaws?


Common mistakes only experienced testers catch

  • Skipping the 'understand the intended workflow' step and flailing.
  • Testing only the happy path.
  • Forgetting negative numbers, zero, and huge values.
  • Assuming the server re-checks client-supplied prices/totals (it often does not).
  • Not framing the finding in business-impact terms, which is what gets it taken seriously.
  • Expecting a tool to find these instead of thinking like an abuser of the workflow.
