Add Business Logic Security Cheat Sheet #2117

Open
0xBassia wants to merge 1 commit into OWASP:master from 0xBassia:business-logic-security-cs

@0xBassia
Contributor

Closes #2064

Adds a new cheat sheet on preventing business logic vulnerabilities. This is the class of flaws that scanners don't find, because the bug isn't in any individual piece of code; it's in the gap between what the developer assumed and what the user can actually do.

The cheat sheet covers:

  • Server-side re-derivation of security-relevant values (prices, permissions, ownership, identity). Client state is input, not truth.
  • Workflow as state machines. Explicit server-side state representation for multi-step processes so users can't skip, repeat, or reorder steps.
  • Race condition prevention. Transaction isolation, row locking, conditional updates, idempotency keys, and a reference table of common operation shapes with their safe patterns.
  • Feature-level abuse controls for the features that attract abuse by design (referrals, coupons, promos, free trials, password reset, any value-dispensing feature).
  • Contextual authorization at the business-logic layer, beyond what the auth middleware knows.
  • Threat modeling from the business process, including the "dishonest user" exercise and invariant identification.
  • Input validation for business meaning, not just format.
  • Observability around value-dispensing operations.
  • Testing business logic with an adversarial mindset, including concurrency tests.

The scope is intentionally preventive, aimed at developers. Testing-focused content stays in the OWASP WSTG BUSL section, which is linked. Where topics overlap with existing cheat sheets (Access Control, Authorization, Transaction Authorization, Input Validation, Abuse Case), those are linked inline rather than duplicated.

Notes on approach

  • Architectural guidance only, no language-specific code snippets, per the GUIDELINE.md recommendation.
  • All links verified locally with markdown-link-check.
  • npm run lint-markdown and npm run lint-terminology both pass cleanly.
  • Added to Index.md under B and bumped the count.

Checklist

  • Created via the issue-approval process (New CS proposal: Business Logic Security #2064 was ACK_OBTAINED)
  • Single file added (plus Index.md, which is required for a new cheat sheet)
  • Markdown lint clean
  • Terminology lint clean
  • Links checked, none dead
  • US English
  • Uses the template structure from templates/New_CheatSheet.md

Adds a new cheat sheet covering prevention patterns for business logic
vulnerabilities, which are typically missed by scanners because they
require understanding of the intended application behavior.

Covers server-side value re-derivation, workflow state machine
enforcement, race condition prevention, feature-level abuse controls
(referrals, coupons, promos), contextual authorization, invariant-based
testing, and threat modeling from the business process perspective.

Addresses issue OWASP#2064.
@0xBassia force-pushed the business-logic-security-cs branch from 9b5ef04 to b46b1f2, April 16, 2026 20:15
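
An added example, not part of the PR or of the cheat sheet it adds: a coupon redemption that combines three of the patterns listed in the description (server-side re-derivation, conditional updates, idempotency keys). The schema, the function names and the `WELCOME10` row are constructed for illustration, and an in-memory SQLite database stands in for the application's store.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE coupons (code TEXT PRIMARY KEY, discount_cents INTEGER NOT NULL,
                              remaining INTEGER NOT NULL CHECK (remaining >= 0));
        CREATE TABLE redemptions (idem_key TEXT PRIMARY KEY, user_id TEXT NOT NULL,
                                  code TEXT NOT NULL, discount_cents INTEGER NOT NULL,
                                  UNIQUE (user_id, code));  -- one redemption per user
        INSERT INTO coupons VALUES ('WELCOME10', 1000, 2);  -- constructed sample row
    """)
    return db

def remaining(db, code):
    return db.execute("SELECT remaining FROM coupons WHERE code = ?", (code,)).fetchone()[0]

def redeem(db, user_id, code, idem_key):
    """Return (status, discount_cents). The request carries no amount: the
    discount is re-derived from the coupons row on the server."""
    try:
        with db:  # one transaction: commit on success, roll back on exception
            prior = db.execute(
                "SELECT user_id, code, discount_cents FROM redemptions WHERE idem_key = ?",
                (idem_key,)).fetchone()
            if prior:  # idempotency key seen before: replay the stored result
                if prior[:2] != (user_id, code):
                    return ("key_reuse_rejected", 0)
                return ("replayed", prior[2])
            # Conditional update: the stock check and the decrement are a single
            # statement, so two racing requests cannot both pass a separate check.
            cur = db.execute(
                "UPDATE coupons SET remaining = remaining - 1 WHERE code = ? AND remaining > 0",
                (code,))
            if cur.rowcount != 1:
                return ("unavailable", 0)
            discount = db.execute(
                "SELECT discount_cents FROM coupons WHERE code = ?", (code,)).fetchone()[0]
            db.execute("INSERT INTO redemptions VALUES (?, ?, ?, ?)",
                       (idem_key, user_id, code, discount))
            return ("redeemed", discount)
    except sqlite3.IntegrityError:
        # UNIQUE (user_id, code) fired; the rollback also undoes the decrement.
        return ("already_redeemed", 0)
```

The rolled-back decrement in the `already_redeemed` path is the invariant worth a regression test: a rejected redemption must leave `remaining` unchanged.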
Development

Successfully merging this pull request may close these issues.

New CS proposal: Business Logic Security