# Business Logic Errors (CWE-840)

The product does not properly implement the business logic rules, which may allow users to manipulate the system in unintended ways.

**Stack:** JavaScript

- Prevalence: Moderate (3 languages supported)
- Impact: High (3 high-severity rules)
- Prevention: Documented (3 fix examples)

**OWASP:** A01:2021 Broken Access Control (#1)

## Description

Business logic errors occur when the application's implementation does not correctly enforce the intended business rules. Unlike technical vulnerabilities such as injection or memory corruption, these are flaws in the application's design or logic: each component works as written, but the rules they are meant to enforce (who may do what, in which order, at what price) can be bypassed by a user who supplies unexpected input or takes an unexpected path through a workflow.

## Prevention

Business Logic Errors prevention strategy based on 1 Shoulder detection rule.

### JavaScript

Calculate totals and prices server-side using database values instead of client-submitted data.

## Warning Signs

- [HIGH] Client-controlled prices or amounts flowing to payment operations without server-side validation

## Consequences

- Bypass protection mechanism
- Gain privileges
- Modify application data

## Mitigations

- Clearly document business rules and their security implications
- Test edge cases and unusual workflows
- Validate all business rules on the server

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rule)

- **Business Logic Bypass** [HIGH]: Detects client-controlled prices or amounts flowing to payment operations without server-side validation.
  - Remediation: Calculate totals server-side using database prices.

```javascript
// Look up the price server-side; never trust a client-submitted amount.
const product = await Product.findById(productId);
// quantity must already have been validated as a positive integer.
const total = product.price * quantity;
// Stripe amounts are integers in the smallest currency unit (cents for USD).
await stripe.charges.create({ amount: total, currency: 'usd' });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass

### Typescript (1 rule)

- **Business Logic Bypass** [HIGH]: Detects client-controlled prices or amounts flowing to payment operations without server-side validation.
  - Remediation: Calculate totals server-side using database prices.

```typescript
// Look up the price server-side; never trust a client-submitted amount.
const product = await Product.findById(productId);
// quantity must already have been validated as a positive integer.
const total = product.price * quantity;
// Stripe amounts are integers in the smallest currency unit (cents for USD).
await stripe.charges.create({ amount: total, currency: 'usd' });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass
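The rule above flags a client-controlled amount reaching a payment call. As an added example that is not from the Shoulder page or its rule set, the JavaScript below puts that vulnerable checkout beside a hardened handler which derives the total from a server-side catalog, validates the quantity, and refuses requests that carry a price at all. The `CATALOG` map, the request bodies and the `chargeCard` stub are constructed stand-ins for a product database and for `stripe.charges.create`; the `handleCheckout`-style return shape is an assumption about how the endpoint reports errors.

```javascript
// Added example: a checkout that trusts a client-submitted amount, beside a
// hardened checkout that computes the total server-side. The catalog, the
// request bodies and the payment stub are constructed for illustration; they
// are not the page's or Shoulder's code.

// Prices are stored as integers in minor units (cents) so that
// price * quantity never hits floating-point rounding.
const CATALOG = new Map([
  ['sku-1001', { name: 'Keyboard', priceCents: 4999 }],
  ['sku-2002', { name: 'Monitor', priceCents: 24900 }],
]);

const MAX_QUANTITY = 100; // per-line-item cap against absurd or overflow-sized orders

// Stand-in for the payment provider call (stripe.charges.create in the
// page's snippet). It only records what it was asked to charge.
function chargeCard(amountCents, currency) {
  return { id: 'ch_constructed', amount: amountCents, currency, status: 'succeeded' };
}

// VULNERABLE: the charged amount is whatever the client put in the body.
// A tampered request { productId: 'sku-2002', quantity: 1, amount: 1 }
// buys a monitor for one cent.
function checkoutVulnerable(body) {
  return chargeCard(body.amount, 'usd');
}

// Server-side total: price from the catalog, quantity validated as a
// positive integer within the cap. Throws on any rule violation, so a
// negative or fractional quantity cannot produce a refund-shaped charge.
function computeTotalCents(productId, quantity) {
  const product = CATALOG.get(productId);
  if (!product) throw new Error('unknown product');
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > MAX_QUANTITY) {
    throw new Error('invalid quantity');
  }
  return product.priceCents * quantity;
}

// HARDENED handler in the shape of an HTTP endpoint: returns a status plus
// either the charge or an error message. A client-supplied price field is
// treated as tampering and rejected rather than silently ignored.
function checkoutHardened(body) {
  try {
    if (body === null || typeof body !== 'object') throw new Error('malformed body');
    if ('amount' in body || 'price' in body || 'total' in body) {
      throw new Error('client must not supply amount');
    }
    const total = computeTotalCents(body.productId, body.quantity);
    return { status: 200, charge: chargeCard(total, 'usd') };
  } catch (err) {
    return { status: 400, error: err.message };
  }
}

// Constructed requests: an honest order and a price-tampered one.
const honest = { productId: 'sku-2002', quantity: 2 };
const tampered = { productId: 'sku-2002', quantity: 1, amount: 1 };

console.log('vulnerable, tampered:', checkoutVulnerable(tampered).amount); // 1
console.log('hardened, tampered:', checkoutHardened(tampered).status);      // 400
console.log('hardened, honest:', checkoutHardened(honest).charge.amount);   // 49800
```

Rejecting a body that contains `amount` (instead of just ignoring it) turns a silent tampering attempt into a logged 400, which is what you want a detection rule or WAF to see. Keeping prices in integer cents avoids the rounding surprises that `19.99 * 3` produces in IEEE floating point, and the quantity check closes the other half of the bypass: a negative or non-integer quantity is as much a business-rule violation as a forged price.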