# Business Logic Errors (CWE-840) The product does not properly implement the business logic rules, which may allow users to manipulate the system in unintended ways. **Stack:** JavaScript - Prevalence: Media 3 lenguajes cubiertos - Impact: Alto 3 reglas de severidad alta - Prevention: Documentada 3 ejemplos de corrección **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Business logic errors occur when the application's implementation doesn't correctly enforce the intended business rules. Unlike technical vulnerabilities, these are flaws in the application's design or logic. ## Prevention Estrategias de prevención para Business Logic Errors basadas en 1 reglas de detección de Shoulder. ### JavaScript Calculate totals and prices server-side using database values instead of client-submitted data ## Warning Signs - [HIGH] client-controlled prices or amounts flowing to payment operations without server-side validation ## Consequences - Eludir mecanismo de protección - Obtener privilegios - Modificar datos de la aplicación ## Mitigations - Documenta claramente las reglas de negocio y sus implicaciones de seguridad - Prueba casos límite y flujos de trabajo inusuales - Implementa validación del lado del servidor de todas las reglas de negocio ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Business Logic Bypass** [HIGH]: Detects client-controlled prices or amounts flowing to payment operations without server-side validation. - Remediation: Calculate totals server-side using database prices. ```javascript const product = await Product.findById(productId); const total = product.price * quantity; await stripe.charges.create({ amount: total, currency: 'usd' }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass ### Typescript (1 rules) - **Business Logic Bypass** [HIGH]: Detects client-controlled prices or amounts flowing to payment operations without server-side validation. - Remediation: Calculate totals server-side using database prices. ```javascript const product = await Product.findById(productId); const total = product.price * quantity; await stripe.charges.create({ amount: total, currency: 'usd' }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass