# Business Logic Errors (CWE-840) The product does not properly implement the business logic rules, which may allow users to manipulate the system in unintended ways. - Prevalence: Moyenne 3 langages couverts - Impact: Élevé 3 règles de sévérité élevée - Prevention: Documentée 3 exemples de correctifs **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Business logic errors occur when the application's implementation doesn't correctly enforce the intended business rules. Unlike technical vulnerabilities, these are flaws in the application's design or logic. ## Prevention Stratégies de prévention pour Business Logic Errors basées sur 3 règles de détection Shoulder. ### Go Calculate financial values server-side from trusted data sources instead of accepting client-submitted totals ### JavaScript Calculate totals and prices server-side using database values instead of client-submitted data ### Python Calculate totals server-side using database prices instead of client-submitted values ## Warning Signs - [HIGH] client-controlled prices or amounts flowing to payment operations without server-side validation - [HIGH] client-controlled business-critical values (price, quantity, discount) flowing to payment or busines ## Consequences - Contourner le mécanisme de protection - Obtenir des privilèges - Modification des données de l'application ## Mitigations - Documentez clairement les règles métier et leurs implications de sécurité - Testez les cas limites et les flux de travail inhabituels - Mettez en place une validation côté serveur de toutes les règles métier ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Go (1 rules) - **Business Logic Bypass** [HIGH]: Client-controlled financial values flow to payment operations without server-side calculation. - Remediation: Fetch prices from the database instead of trusting client values. ```go func checkout(c *gin.Context) { productID := c.PostForm("product_id") var product Product db.First(&product, productID) total := product.Price * float64(quantity) processPayment(total) } ``` Learn more: https://shoulder.dev/learn/go/cwe-840/business-logic-bypass ### Javascript (1 rules) - **Business Logic Bypass** [HIGH]: Detects client-controlled prices or amounts flowing to payment operations without server-side validation. - Remediation: Calculate totals server-side using database prices. ```javascript const product = await Product.findById(productId); const total = product.price * quantity; await stripe.charges.create({ amount: total, currency: 'usd' }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass ### Typescript (1 rules) - **Business Logic Bypass** [HIGH]: Detects client-controlled prices or amounts flowing to payment operations without server-side validation. - Remediation: Calculate totals server-side using database prices. ```javascript const product = await Product.findById(productId); const total = product.price * quantity; await stripe.charges.create({ amount: total, currency: 'usd' }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass ### Python (1 rules) - **Business Logic Bypass** [HIGH]: Detects client-controlled business-critical values (price, quantity, discount) flowing to payment or business operations without server-side validation. - Remediation: Calculate totals server-side using database prices instead of client values. ```python @app.post('/checkout') async def checkout(item_id: int, quantity: int): product = Product.query.get(item_id) total = product.price * quantity stripe.Charge.create(amount=total) ``` Learn more: https://shoulder.dev/learn/python/cwe-840/business-logic-bypass