# Business Logic Bypass

- ID: javascript-business-logic-bypass
- Severity: HIGH
- CWE: CWE-840 (Business Logic Errors)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nextjs

## Description

Detects client-controlled prices or amounts (for example a `total`, `amount` or `price` field read from the request body or query string) flowing into a payment operation without being recalculated or validated on the server. A client that can set the amount can pay one cent for a cart, or submit a negative or zero amount, regardless of what the checkout page displayed.

## Detection Message

Client-controlled value from {source} flows to {sink} without server-side calculation.

## Remediation

Calculate totals server-side from prices stored in the database. The only order data the client should supply is what it is buying and how many; the price and the resulting total come from the server, and any amount the client sends is ignored. Validate the quantity (a positive integer within a sane limit) before multiplying, and keep prices in the smallest currency unit, which is what Stripe's `amount` field expects.

```javascript
// Only the product id and quantity come from the client; the price does not.
const product = await Product.findById(productId);
if (!product || !Number.isInteger(quantity) || quantity <= 0) throw new Error('invalid order');
const total = product.price * quantity; // price stored in cents, the unit Stripe's amount expects
await stripe.charges.create({ amount: total, currency: 'usd' });
```

Learn more: https://shoulder.dev/learn/javascript/cwe-840/business-logic-bypass

## Related Rules

- **Business Logic Bypass** [HIGH]
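The flagged pattern beside its hardened form, as an added example that is not part of the rule page or its linked material. The catalogue, the `findProduct` stand-in for `Product.findById`, the stub Stripe client, the `/checkout` route and the tampered request are all constructed for the example so it runs offline; the real Stripe client is only mirrored in the `charges.create` call shape the page already uses.

```javascript
// Added example (not part of the rule page): the flagged pattern next to a
// hardened checkout. The catalogue, the Product lookup, the Stripe client and
// the request objects are constructed stand-ins so the file runs offline.

// Constructed catalogue. Prices are in the smallest currency unit (cents),
// which is the unit Stripe's `amount` field expects.
const CATALOGUE = new Map([
  ['sku-1', { price: 4999 }],
  ['sku-2', { price: 1250 }],
]);

// Stand-in for `Product.findById` (the model the page's snippet refers to).
async function findProduct(id) {
  return CATALOGUE.get(id) || null;
}

// Stand-in for a Stripe client that records the charges it was asked to create.
function makeStripeStub() {
  const created = [];
  return {
    created,
    charges: {
      async create(charge) {
        created.push(charge);
        return { id: `ch_${created.length}`, ...charge };
      },
    },
  };
}

// VULNERABLE: the amount charged is whatever the client put in the body.
// This is the source -> sink flow the rule reports.
async function checkoutVulnerable(req, stripe) {
  const { total } = req.body;                                       // source
  return stripe.charges.create({ amount: total, currency: 'usd' }); // sink
}

// Hardened: the client only chooses what to buy and how many; the server
// decides the price. Quantity is validated before it is multiplied, so a
// negative, fractional or string quantity cannot shrink or invert the charge.
const MAX_QUANTITY = 100;
function validQuantity(q) {
  return Number.isInteger(q) && q > 0 && q <= MAX_QUANTITY;
}

async function computeTotal(items) {
  let total = 0;
  for (const { productId, quantity } of items) {
    if (!validQuantity(quantity)) throw new Error(`invalid quantity for ${productId}`);
    const product = await findProduct(productId);
    if (!product) throw new Error(`unknown product ${productId}`);
    total += product.price * quantity;
  }
  return total;
}

async function checkoutHardened(req, stripe) {
  const items = Array.isArray(req.body.items) ? req.body.items : [];
  if (items.length === 0) throw new Error('empty cart');
  // Any `total` the client sent is simply never read.
  const amount = await computeTotal(items);
  return stripe.charges.create({ amount, currency: 'usd' });
}

// Express wiring (hypothetical route), so the handler reads as real middleware:
//   app.post('/checkout', async (req, res, next) => {
//     try { res.json(await checkoutHardened(req, stripe)); } catch (e) { next(e); }
//   });

// Constructed request: a cart worth 2 x 4999 cents whose body claims it costs 1 cent.
function tamperedRequest() {
  return { body: { total: 1, items: [{ productId: 'sku-1', quantity: 2 }] } };
}

async function demo() {
  const vulnerable = await checkoutVulnerable(tamperedRequest(), makeStripeStub());
  const hardened = await checkoutHardened(tamperedRequest(), makeStripeStub());
  return { vulnerableAmount: vulnerable.amount, hardenedAmount: hardened.amount };
}

demo().then((r) => console.log(r)); // { vulnerableAmount: 1, hardenedAmount: 9998 }
```

Running it shows the two handlers given the same tampered body: the vulnerable one creates a 1 cent charge, the hardened one charges the catalogue price times the validated quantity and never looks at the client's `total`. The same structure applies to Fastify and Next.js route handlers; only the wiring around `req.body` differs.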