High Severity
🟠 Business Logic Flaw: Price/Inventory Manipulation
🧠 Description
The application trusts price, discount or inventory values supplied by the client instead of recomputing them server-side. An attacker who edits these fields can buy items at an incorrect price or bypass quantity limits.
Impact: Financial Loss, Fraud, Inventory Abuse
🎯 Attack Surface
- Shopping cart parameters
- Price fields in API calls
- Coupon code parameters
- Currency conversion
- Quantity limits
🔍 Detection Payloads
price=-100
price=0.01
quantity=-1
discount=100
amount=0
🛡️ Mitigation
✅ Validate ALL prices server-side
✅ Store prices in database, don't trust client
✅ Implement business logic checks
✅ Log all price modifications
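The following is an added example (not code from the original page) showing what the mitigations above look like in a checkout handler, and how the detection payloads listed earlier (negative or near-zero prices, negative quantities, 100% discounts, a zero total) are neutralised by it. The catalog, coupon table, SKUs and the `price_order` / `line_item_from_request` function names are all constructed for illustration; a real application would read the same data from its database.

```python
# Server-side order pricing: the authoritative price, stock limit and coupon
# value come from the catalog, never from the request. Client-supplied prices
# are only compared against the server value and logged when they differ.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
from typing import Optional
import logging

log = logging.getLogger("checkout")

# Constructed sample catalog standing in for the database (example data).
CATALOG = {
    "SKU-1001": {"price": Decimal("49.99"), "stock": 5, "max_per_order": 3},
    "SKU-2002": {"price": Decimal("5.00"), "stock": 100, "max_per_order": 10},
}

# Constructed coupon table (percent off). The cap is a defence-in-depth rule so
# that even a mis-entered coupon row can never produce a free order.
COUPONS = {"SAVE10": Decimal("10")}
MAX_DISCOUNT_PERCENT = Decimal("50")


class OrderRejected(ValueError):
    """Raised for any request that fails a business-logic check."""


@dataclass
class LineItem:
    sku: str
    quantity: int
    client_price: Optional[Decimal] = None  # whatever the client sent; never used for pricing


def line_item_from_request(form):
    """Parse one cart line from untrusted form fields (all strings)."""
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise OrderRejected(f"non-integer quantity {form.get('quantity')!r}")
    client_price = None
    if "price" in form:
        try:
            client_price = Decimal(form["price"])
        except InvalidOperation:
            client_price = None  # garbage in the price field: nothing to compare, still ignored
    return LineItem(sku=form.get("sku", ""), quantity=quantity, client_price=client_price)


def price_order(items, coupon=None, client_total=None):
    """Return (total, warnings); every figure is recomputed from CATALOG and COUPONS."""
    warnings = []
    if not items:
        raise OrderRejected("empty order")
    subtotal = Decimal("0")
    for item in items:
        entry = CATALOG.get(item.sku)
        if entry is None:
            raise OrderRejected(f"unknown sku {item.sku}")
        # Quantity must be a positive integer within stock and the per-order limit.
        if isinstance(item.quantity, bool) or not isinstance(item.quantity, int) or item.quantity < 1:
            raise OrderRejected(f"invalid quantity {item.quantity!r} for {item.sku}")
        if item.quantity > entry["max_per_order"] or item.quantity > entry["stock"]:
            raise OrderRejected(f"quantity {item.quantity} exceeds limit for {item.sku}")
        # A client price that disagrees with the catalog is a tampering signal worth logging.
        if item.client_price is not None and item.client_price != entry["price"]:
            msg = f"price mismatch for {item.sku}: client={item.client_price} server={entry['price']}"
            log.warning(msg)
            warnings.append(msg)
        subtotal += entry["price"] * item.quantity

    discount_percent = Decimal("0")
    if coupon is not None:
        discount_percent = COUPONS.get(coupon)
        if discount_percent is None:
            raise OrderRejected(f"unknown coupon {coupon}")
        if not (Decimal("0") < discount_percent <= MAX_DISCOUNT_PERCENT):
            raise OrderRejected("coupon discount out of allowed range")

    total = (subtotal * (Decimal("100") - discount_percent) / Decimal("100")).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP
    )
    if total <= 0:
        raise OrderRejected("computed total is not positive")
    # The client may echo a total for display; it never replaces the server figure.
    if client_total is not None and client_total != total:
        msg = f"total mismatch: client={client_total} server={total}"
        log.warning(msg)
        warnings.append(msg)
    return total, warnings
```

The design point is that the request only contributes identifiers (SKU, coupon code) and a quantity; everything with monetary meaning is looked up or derived on the server, and the client's own figures survive only as log evidence of tampering attempts.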