# Business Logic Errors (CWE-840)

The product does not properly implement the business logic rules, which may allow users to manipulate the system in unintended ways.

**Stack:** Python

- Prevalence: Media 3 lenguajes cubiertos
- Impact: Alto 3 reglas de severidad alta
- Prevention: Documentada 3 ejemplos de corrección

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Business logic errors occur when the application's implementation doesn't correctly enforce the intended business rules. Unlike technical vulnerabilities, these are flaws in the application's design or logic.

## Prevention

Estrategias de prevención para Business Logic Errors basadas en 1 reglas de detección de Shoulder.

### Python

Calculate totals server-side using database prices instead of client-submitted values

## Warning Signs

- [HIGH] client-controlled business-critical values (price, quantity, discount)
flowing to payment or busines

## Consequences

- Eludir mecanismo de protección
- Obtener privilegios
- Modificar datos de la aplicación

## Mitigations

- Documenta claramente las reglas de negocio y sus implicaciones de seguridad
- Prueba casos límite y flujos de trabajo inusuales
- Implementa validación del lado del servidor de todas las reglas de negocio

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Business Logic Bypass** [HIGH]: Detects client-controlled business-critical values (price, quantity, discount)
flowing to payment or business operations without server-side validation.
  - Remediation: Calculate totals server-side using database prices instead of client values.

```python
@app.post('/checkout')
async def checkout(item_id: int, quantity: int):
    product = Product.query.get(item_id)
    total = product.price * quantity
    stripe.Charge.create(amount=total)
```

Learn more: https://shoulder.dev/learn/python/cwe-840/business-logic-bypass