business-logic-vulnerabilities
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSKILL: Business Logic Vulnerabilities — Expert Attack Playbook
技能:业务逻辑漏洞 — 专家攻击手册
AI LOAD INSTRUCTION: Business logic flaws are scanner-invisible and high-reward on bug bounty. This skill covers race conditions, price manipulation, workflow bypass, coupon/referral abuse, negative values, and state machine attacks. These require human reasoning, not automation. For specific exploitation techniques (payment precision/overflow, captcha bypass, password reset flaws, user enumeration), load the companion SCENARIOS.md.
AI加载说明:业务逻辑漏洞无法被扫描器检测,在漏洞赏金项目中收益极高。本技能覆盖竞态条件、价格操纵、工作流绕过、优惠券/推荐返利滥用、负值攻击、状态机攻击,这类漏洞需要人工推理分析,无法自动化识别。如需了解特定利用技巧(支付精度/溢出、验证码绕过、密码重置漏洞、用户信息枚举),请加载配套的SCENARIOS.md。
Extended Scenarios
扩展场景
Also load SCENARIOS.md when you need:
- Payment precision & integer overflow attacks — 32-bit overflow to negative, decimal rounding exploitation, negative shipping fees
- Payment parameter tampering checklist — price, discount, currency, gateway, return_url fields
- Condition race practical patterns — parallel coupon application, gift card double-spend with Burp group send
- Captcha bypass techniques — drop verification request, remove parameter, clear cookies to reset counter, OCR with tesseract
- Arbitrary password reset — predictable tokens (), session replacement attack, registration overwrite
md5(username) - User information enumeration — login error message difference, masked data reconstruction across endpoints, base64 uid cookie manipulation
- Frontend restriction bypass — array parameters for multiple coupons (/
couponid[0]), removecouponid[1]/disabledattributesreadonly - Application-layer DoS patterns — regex backtracking, WebSocket abuse
当你需要以下内容时也请加载SCENARIOS.md:
- 支付精度与整数溢出攻击 — 32位溢出变负值、小数四舍五入利用、负运费攻击
- 支付参数篡改检查清单 — 价格、折扣、货币、网关、return_url字段
- 竞态条件实用利用模式 — 并行提交优惠券、使用Burp分组发送功能实现礼品卡双花
- 验证码绕过技巧 — 丢弃验证请求、删除验证参数、清除Cookie重置计数、使用tesseract做OCR识别
- 任意密码重置 — 可预测令牌()、会话替换攻击、注册信息覆盖
md5(username) - 用户信息枚举 — 登录错误信息差异、跨接口掩码数据重构、base64格式uid Cookie篡改
- 前端限制绕过 — 数组参数提交多张优惠券(/
couponid[0])、删除couponid[1]/disabled属性readonly - 应用层DoS模式 — 正则回溯、WebSocket滥用
1. PRICE AND VALUE MANIPULATION
1. 价格与数值操纵
Negative Quantity / Price
负数量/负价格
Many applications validate "amount > 0" but not for currency:
Add to cart with quantity: -1
Update quantity to: -100
{
"quantity": -5,
"price": -99.99 ← may be accepted
}Impact: Receive credit to account, items for free, bank transfers in reverse.
很多应用仅校验"金额>0"但未对货币相关字段做全面校验:
Add to cart with quantity: -1
Update quantity to: -100
{
"quantity": -5,
"price": -99.99 ← 可能被服务端接受
}影响:账户获得返现、免费获取商品、反向转账获利。
Integer Overflow
整数溢出
quantity: 2147483648 ← INT_MAX + 1 overflows to negative in 32-bit
price: 9999999999999 ← exceeds float precision → rounds to 0quantity: 2147483648 ← 32位系统中INT_MAX+1溢出为负数
price: 9999999999999 ← 超出浮点数精度 → 四舍五入为0Rounding Manipulation
四舍五入操纵
Item price: $0.001
Order 1000 items → each rounds down → total = $0.00Item price: $0.001
Order 1000 items → 每个商品金额向下取整 → 总金额 = $0.00Currency Exchange Rate Lag
汇率差利用
1. Deposit using currency A at rate X
2. Rate changes
3. Withdraw using currency A at new rate → profit from rate difference1. 按汇率X存入A货币
2. 汇率发生变动
3. 按新汇率提取A货币 → 从汇率差中获利Free Upgrade via Promo Stacking
优惠叠加实现免费升级
Test combining discount codes, referral credits, welcome bonuses:
Apply promo: FREE50 → 50% off
Apply promo: REFER10 → additional 10%
Apply loyalty points → additional discount
Total: -$5 (free + credit)测试组合使用折扣码、推荐返利、新人福利:
Apply promo: FREE50 → 50% off
Apply promo: REFER10 → additional 10%
Apply loyalty points → additional discount
Total: -$5 (免费+账户返现)2. RACE CONDITIONS
2. 竞态条件
Concept: Two operations run simultaneously before the first completes its check-update cycle.
概念:两个操作同时运行,先于第一个操作完成「检查-更新」周期前执行。
Double-Spend / Double-Redeem
双花/重复兑换
bash
undefinedbash
undefinedSend same request simultaneously (~millisecond apart):
同时发送相同请求(间隔约几毫秒):
Use Burp Repeater "Send to Group" or Race Conditions tool:
使用Burp Repeater的「发送到分组」功能或专用竞态条件工具:
POST /api/use-coupon ← send 20 parallel requests
POST /api/redeem-gift ← same coupon code, parallel
POST /api/withdraw-funds ← same balance, parallel
POST /api/use-coupon ← 并行发送20次请求
POST /api/redeem-gift ← 相同优惠券码并行提交
POST /api/withdraw-funds ← 相同余额并行提交提现请求
If check and update are non-atomic:
如果检查和更新操作非原子性:
Thread 1: check(balance >= 100) → TRUE
线程1: check(balance >= 100) → TRUE
Thread 2: check(balance >= 100) → TRUE (before Thread 1 deducted)
线程2: check(balance >= 100) → TRUE(在线程1扣减余额前执行)
Thread 1: balance -= 100
线程1: balance -= 100
Thread 2: balance -= 100 → BOTH succeed → double-spend
线程2: balance -= 100 → 两个请求都成功 → 双花漏洞
undefinedundefinedRace Condition Test with Burp Suite
使用Burp Suite测试竞态条件
1. Capture request
2. Send to Repeater → duplicate 20+ times
3. "Send group in parallel" (Burp 2023+)
4. Check: did any duplicate succeed?1. 捕获请求
2. 发送到Repeater → 复制20次以上
3. 「并行发送分组请求」(Burp 2023+版本支持)
4. 检查是否有重复请求执行成功?Account Registration Race
账号注册竞态
Register with same email simultaneously → two accounts created → data isolation broken
Password reset token race → reuse same token twice
Email verification race → verify multiple email addresses同时使用相同邮箱注册 → 创建两个账号 → 数据隔离被打破
密码重置令牌竞态 → 同一个令牌重复使用两次
邮箱验证竞态 → 验证多个邮箱地址Limit Bypass via Race
竞态实现限制绕过
"Claim once" discounts, freebies, "first order" bonus:
→ Send 10 parallel POST /claim requests
→ Race window: all pass the "already claimed?" check before any write「限领一次」的折扣、免费福利、「首单」奖励:
→ 并行发送10次POST /claim请求
→ 竞态窗口:所有请求在任意一次写入操作完成前都通过了「是否已领取」检查3. WORKFLOW / STEP SKIP BYPASS
3. 工作流/步骤跳过绕过
Payment Flow Bypass
支付流程绕过
Normal flow:
1. Add to cart
2. Enter shipping info
3. Enter payment (card/wallet)
4. Click confirm → payment charged
5. Order confirmed
Attack: Skip to step 5 directly
POST /api/orders/confirm {"cart_id": "1234", "payment_status": "paid"}
→ Does server trust client-sent payment_status?正常流程:
1. 添加到购物车
2. 填写收货信息
3. 填写支付信息(卡/钱包)
4. 点击确认 → 扣款
5. 订单确认
攻击: 直接跳转到第5步
POST /api/orders/confirm {"cart_id": "1234", "payment_status": "paid"}
→ 服务端是否信任客户端提交的payment_status字段?Multi-Step Verification Skip
多步验证跳过
Password reset flow:
1. Enter email
2. Receive token
3. Enter token
4. Set new password (requires valid token from step 3)
Attack: Try going to step 4 without completing step 3:
POST /reset/password {"email": "victim@x.com", "token": "invalid", "new_pass": "hacked"}
→ Does server check that token was properly validated?
Or: Try token from old/expired flow → still accepted?密码重置流程:
1. 输入邮箱
2. 收到令牌
3. 输入令牌
4. 设置新密码(需要第3步的有效令牌)
攻击: 不完成第3步直接访问第4步:
POST /reset/password {"email": "victim@x.com", "token": "invalid", "new_pass": "hacked"}
→ 服务端是否检查令牌已完成有效验证?
或者: 尝试使用旧的/过期流程的令牌 → 是否仍然被接受?2FA Bypass
2FA绕过
Normal flow:
1. Enter username + password → success
2. Enter 2FA code → logged in
Attack: After step 1 success, go directly to /dashboard
→ Is session created before 2FA completes?
→ Does /dashboard require 2FA-complete check or just "authenticated" flag?正常流程:
1. 输入用户名+密码 → 验证通过
2. 输入2FA验证码 → 登录成功
攻击: 第1步验证通过后直接访问/dashboard
→ 会话是否在2FA验证完成前就已创建?
→ /dashboard是否要求2FA验证完成,还是仅检查「已认证」标记?Shipping Without Payment
零元发货
1. Add item to cart
2. Enter shipping address
3. Select payment method (credit card)
4. Apply promo code (100% discount or gift card)
5. Final amount: $0
6. Order placed
Attack: Apply 100% discount code → no actual payment processed → item ships 1. 添加商品到购物车
2. 填写收货地址
3. 选择支付方式(信用卡)
4. 应用优惠码(100%折扣或礼品卡)
5. 最终金额: $0
6. 订单提交成功
攻击: 应用100%折扣码 → 无实际支付发生 → 商品正常发货4. COUPON AND REFERRAL ABUSE
4. 优惠券与推荐返利滥用
Coupon Stacking
优惠券叠加
Test: Can you apply multiple coupon codes?
Test: Does "SAVE20" + promo stack to >100%?
Test: Apply coupon, remove item, keep discount applied, add different item测试: 是否可以应用多个优惠券码?
测试: 「SAVE20」+其他优惠叠加后折扣是否超过100%?
测试: 应用优惠券后删除商品,保留折扣,再添加其他商品Referral Loop
推荐返利循环
1. Create Account_A
2. Register Account_B with Account_A's referral code → both get credit
3. Create Account_C with Account_B's referral code
4. Ad infinitum with throwaway emails
→ Infinite credit generation1. 创建账号A
2. 使用账号A的推荐码注册账号B → 两个账号都获得返利
3. 使用账号B的推荐码创建账号C
4. 用临时邮箱无限循环上述操作
→ 无限生成账户余额Coupon = Fixed Dollar Amount on Variable-Price Item
可变价格商品使用固定面额优惠券
Coupon: -$5 off any order
Buy item worth $3, use -$5 coupon → net -$2 (credit balance)优惠券: 任意订单减$5
购买价值$3的商品,使用$5优惠券 → 最终金额-$2(账户余额增加)5. ACCOUNT / PRIVILEGE LOGIC FLAWS
5. 账号/权限逻辑漏洞
Email Verification Bypass
邮箱验证绕过
1. Register with email A (legitimate, verified)
2. Change email to B (attacker's email, unverified)
3. Use account as verified — does server enforce re-verification?
Or: Change email to victim's email → no verification → account claim1. 使用邮箱A注册(合法、已验证)
2. 将邮箱修改为B(攻击者的邮箱、未验证)
3. 继续作为已验证账号使用 — 服务端是否强制要求重新验证?
或者: 将邮箱修改为受害者的邮箱 → 无需验证 → 账号认领攻击Password Reset Token Binding
密码重置令牌绑定漏洞
1. Request password reset for your account → get token
2. Change your email address (account settings)
3. Reuse old password reset token → does it still work for old email?
Or: Request reset for victim@target.com
Token sent to victim but check: does URL reveal predictable token pattern?1. 为你的账号申请密码重置 → 获得令牌
2. 在账号设置中修改你的邮箱地址
3. 复用旧的密码重置令牌 → 对旧邮箱仍然有效吗?
或者: 为victim@target.com申请重置
令牌发送给受害者,但检查URL是否存在可预测的令牌模式?OAuth Account Linking Abuse
OAuth账号绑定滥用
1. Have victim's email (but not their password)
2. Register with victim's email → get account with same email
3. Link OAuth (Google/GitHub) to your account
4. Victim logs in with Google → server finds email match → merges with YOUR account1. 获取受害者的邮箱(但没有密码)
2. 用受害者的邮箱注册 → 得到相同邮箱的账号
3. 将OAuth(Google/GitHub)绑定到你的账号
4. 受害者用Google登录 → 服务端匹配到相同邮箱 → 合并到你的账号6. API BUSINESS LOGIC FLAWS
6. API业务逻辑漏洞
Object State Manipulation
对象状态操纵
order.status = "pending"
→ PUT /api/orders/1234 {"status": "refunded"} ← self-trigger refund
→ PUT /api/orders/1234 {"status": "shipped"} ← mark as shipped without shippingorder.status = "pending"
→ PUT /api/orders/1234 {"status": "refunded"} ← 自行触发退款
→ PUT /api/orders/1234 {"status": "shipped"} ← 未发货就标记为已发货Transaction Reuse
交易复用
1. Initiate payment → get transaction_id
2. Complete purchase
3. Reuse same transaction_id for second purchase:
POST /api/checkout {"transaction_id": "USED_TX", "cart": "new_cart"}1. 发起支付 → 获得transaction_id
2. 完成购买
3. 复用同一个transaction_id进行第二次购买:
POST /api/checkout {"transaction_id": "USED_TX", "cart": "new_cart"}Limit Count Manipulation
限制计数操纵
Daily transfer limit = $1000
→ Transfer $999, cancel, transfer $999 (limit not updated on cancel)
→ Parallel transfers (race condition on limit check)
→ Different payment types not sharing limit counter每日转账限额 = $1000
→ 转账$999,取消,再转账$999(取消时未更新限额)
→ 并行转账(限额检查存在竞态条件)
→ 不同支付类型未共享限额计数器7. SUBSCRIPTION / TIER CONFUSION
7. 订阅/等级混淆
Free tier: cannot access feature X
Paid tier: can access feature X
Attack:
- Sign up for paid trial → enable feature X → downgrade to free
→ Does feature X get disabled on downgrade?
→ Can you continue using feature X?
Or:
- Inspect premium endpoint list from JS bundle
- Directly call premium endpoints with free account token
→ Server checks subscription for UI but not API?免费版: 无法使用功能X
付费版: 可以使用功能X
攻击:
- 注册付费试用 → 开启功能X → 降级到免费版
→ 降级后功能X是否被禁用?
→ 你还能继续使用功能X吗?
或者:
- 从JS包中提取付费接口列表
- 使用免费账号的令牌直接调用付费接口
→ 服务端仅在UI层检查订阅状态,API层未做校验?8. FILE UPLOAD BUSINESS LOGIC
8. 文件上传业务逻辑
For the full upload attack workflow beyond pure logic flaws, also load:
- upload insecure files
Upload size limit: 10MB
→ Upload 10MB → compress client-side → server decompresses → bomb?
(Zip bomb: 1KB zip → 1GB file = denial of service)
Upload type restriction:
→ Upload .csv for "data import" → inject formulas: =SYSTEM("calc")
(CSV injection in Excel macro context)
→ Upload avatar → server converts → attack converter (ImageMagick, FFmpeg CVEs)
Storage path prediction:
→ /uploads/USER_ID/filename
→ Can you overwrite other user's file by knowing their ID + filename?如需了解纯逻辑漏洞之外的完整上传攻击流程,还可以加载:
- upload insecure files
上传大小限制: 10MB
→ 上传10MB文件 → 客户端压缩 → 服务端解压 → 解压炸弹?
(Zip炸弹: 1KB zip → 解压后1GB文件 = 拒绝服务)
上传类型限制:
→ 上传.csv做「数据导入」 → 注入公式: =SYSTEM("calc")
(Excel宏上下文下的CSV注入)
→ 上传头像 → 服务端转换格式 → 攻击转换工具(ImageMagick、FFmpeg相关CVE)
存储路径预测:
→ /uploads/USER_ID/filename
→ 知道其他用户的ID+文件名时,是否可以覆盖他们的文件?9. TESTING APPROACH
9. 测试方法
For each business process:
1. Map the INTENDED flow (happy path)
2. Ask: "What if I skip step N?"
3. Ask: "What if I send negative/zero/MAX values?"
4. Ask: "What if I repeat this step twice?" (idempotency)
5. Ask: "What happens if I do A then B instead of B then A?"
6. Ask: "What if two users do this simultaneously?"
7. Ask: "Can I modify the 'trusted' status fields?"
8. Think from financial/resource impact angle → highest bounty针对每个业务流程:
- 梳理预期流程(正常路径)
- 问自己:「如果我跳过第N步会怎么样?」
- 问自己:「如果我提交负数/零/最大值会怎么样?」
- 问自己:「如果我重复这个步骤两次会怎么样?」(幂等性)
- 问自己:「我先做A再做B,而不是先做B再做A会怎么样?」
- 问自己:「两个用户同时做这个操作会怎么样?」
- 问自己:「我能不能修改所谓的「受信任」状态字段?」
- 从财务/资源影响角度思考 → 最高赏金的漏洞方向
---10. HIGH-IMPACT CHECKLISTS
10. 高影响检查清单
E-commerce / Payment
电商/支付场景
□ Negative quantity in cart
□ Apply multiple conflicting coupons
□ Race condition: double-spend gift card
□ Skip payment step directly to order confirmation
□ Refund without return (trigger refund on delivered item via state change)
□ Currency rounding exploitation□ 购物车中添加负数量商品
□ 应用多个互斥的优惠券
□ 竞态条件: 礼品卡双花
□ 跳过支付步骤直接访问订单确认页
□ 无需退货触发退款(通过状态变更将已送达订单标记为退款)
□ 货币四舍五入利用Authentication / Account
认证/账号场景
□ 2FA bypass by direct URL access after password step
□ Password reset token reuse after email change
□ Email verification bypass (change email after verification)
□ OAuth account takeover via email match
□ Register with existing unverified email□ 密码验证通过后直接访问URL绕过2FA
□ 修改邮箱后密码重置令牌可复用
□ 邮箱验证绕过(验证后修改邮箱无需重新验证)
□ 通过邮箱匹配实现OAuth账号接管
□ 使用已存在的未验证邮箱注册Subscriptions / Limits
订阅/限制场景
□ Access premium features after downgrade
□ Exceed rate/usage limits via parallel requests
□ Referral loop for infinite credits
□ Free trial ≠ time-limited (no enforcement after trial)
□ Direct API call to premium endpoint without subscription check□ 降级后仍然可以访问付费功能
□ 通过并行请求突破速率/使用限额
□ 推荐返利循环生成无限余额
□ 免费试用无时间限制(试用到期后未做强制限制)
□ 未校验订阅状态直接调用付费API接口