Behind every purpose there is an associated business. To carry out that business, the application runs on some underlying logic. That logic can be abused to cause unintended behaviour, and this is where business logic issues are born.
are serving the purpose of managing money, loans, digital funds, your cards, etc. Applications like Teams and Slack help you communicate. If we look carefully, THERE IS PURPOSE EVERYWHERE, even in your life. Understanding the purpose of the application helps you understand the underlying business, which ultimately helps you understand the logic.
Finding purpose
depth of the application
- Understand every feature
- Browse through every functionality
- Learn the purpose of every page, button, feature, etc.
- Study the flow of data
- Observe the flow of requests
- Get as DEEP as you can
developers
Analyse the flow of requests; many times you can break them. Look at how the data flows from and through each of them. Sometimes it's only about the flow...
controls
Many times restrictions are only on the frontend. The issues can sometimes be escalated to access control issues too, impacting integrity. Try to change every bit of data which is restricted on the frontend.
of them were only entitled for one-way transactions. When the user tried to do a transaction using one, the application responded with "You cannot transfer from this account".
of features. When these features are looked into deeply, there can be many test cases to abuse the functionality. Some features show their full power only when data is provided, so try to populate this data. Read the documentation related to the feature. Try to become a good user of the application.
- Asks consent of the user to share data
- Does not allow the user to proceed further without signing it
- Once signed, it cannot be revoked and the signature can be seen in the consent tab
doc
- Users cannot view/download after the doc gets deleted
- User creates a shortcut of the doc and adds it to a folder
- User can download the folder as a zip
- The deleted file also gets downloaded
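The shortcut-in-a-zip case above, as an added example that is not part of the original deck: the direct download path already checks whether a doc is deleted, but the bulk folder export trusted folder membership and followed shortcuts to deleted targets. The Doc, Shortcut and Folder classes, the sample documents and the folder layout are constructed assumptions; the fix is that every path handing out bytes calls the same visibility rule.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class Doc:
    doc_id: str
    name: str
    content: bytes
    deleted: bool = False


@dataclass
class Shortcut:
    target_id: str  # the doc this shortcut points at


@dataclass
class Folder:
    name: str
    items: list = field(default_factory=list)  # Doc or Shortcut entries


def sample_store():
    """Constructed sample data: a live doc, a deleted doc, and a folder that holds
    the live doc directly plus a shortcut to the deleted one."""
    docs = {
        "d1": Doc("d1", "roadmap.txt", b"Q3 plans"),
        "d2": Doc("d2", "salaries.txt", b"confidential", deleted=True),
    }
    folder = Folder("shared", [docs["d1"], Shortcut("d2")])
    return docs, folder


def can_view(doc):
    """Single visibility rule, shared by every path that hands out document bytes."""
    return doc is not None and not doc.deleted


def resolve(docs, item):
    """Return the Doc behind a folder entry, following a shortcut to its target."""
    if isinstance(item, Shortcut):
        return docs.get(item.target_id)
    return item


def download(docs, doc_id):
    """Direct download: the path the application already protects."""
    doc = docs.get(doc_id)
    if not can_view(doc):
        raise PermissionError("document unavailable")
    return doc.content


def export_folder_naive(docs, folder):
    """Flawed variant: trusts folder membership, so a shortcut to a deleted doc is still packed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for item in folder.items:
            doc = resolve(docs, item)
            if doc is not None:
                zf.writestr(doc.name, doc.content)
    return buf.getvalue()


def export_folder_checked(docs, folder):
    """Hardened variant: the bulk path applies the same rule as the single-file download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for item in folder.items:
            doc = resolve(docs, item)
            if not can_view(doc):
                continue  # dangling or deleted target: leave it out, as download() would
            zf.writestr(doc.name, doc.content)
    return buf.getvalue()


def zip_names(blob):
    """List the member names of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    docs, folder = sample_store()
    print("naive export:  ", zip_names(export_folder_naive(docs, folder)))
    print("checked export:", zip_names(export_folder_checked(docs, folder)))
```

The design point is that the rule lives in one function, can_view, and both download() and the export call it; when a new path that emits document contents is added (zip, preview, search snippet), it reuses that function rather than re-deriving the rule from folder membership.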
normal flow
- Apply checks on the server side too
- Make sure that the application logic goes parallel to the one mentioned in the documentation
- Sometimes get in the shoes of the attacker too
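Server-side enforcement of the rules from the earlier slides, as an added example that is not part of the original deck: the frontend-only restriction, its escalation into an access control issue, and the one-way-account case where the client shows "You cannot transfer from this account". The Account model, the owner names, balances and the can_send flag are constructed assumptions. The flawed variant only keeps the ledger arithmetic sane and relies on the UI having hidden ineligible accounts; the hardened variant re-derives every rule from server-side state on each request.

```python
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    owner: str
    balance: int
    can_send: bool  # False for a one-way (receive-only) account


class TransferError(Exception):
    """Raised when the server rejects a transfer request."""


def sample_accounts():
    """Constructed sample data: a normal account and a one-way account owned by alice,
    plus an account owned by someone else."""
    return {
        "savings": Account("savings", owner="alice", balance=1000, can_send=True),
        "loan": Account("loan", owner="alice", balance=5000, can_send=False),
        "other": Account("other", owner="bob", balance=300, can_send=True),
    }


def transfer_trusting_client(accounts, actor, src_id, dst_id, amount):
    """Flawed variant: assumes the UI already hid ineligible or foreign source accounts."""
    src, dst = accounts[src_id], accounts[dst_id]
    if amount <= 0 or src.balance < amount:
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return True


def transfer_checked(accounts, actor, src_id, dst_id, amount):
    """Hardened variant: every rule the frontend enforces is checked again here."""
    src, dst = accounts.get(src_id), accounts.get(dst_id)
    if src is None or dst is None or src_id == dst_id:
        raise TransferError("invalid accounts")
    if src.owner != actor:                      # access control: only the owner may debit
        raise TransferError("not your account")
    if not src.can_send:                        # entitlement: one-way accounts cannot send
        raise TransferError("You cannot transfer from this account")
    if amount <= 0 or src.balance < amount:     # arithmetic sanity, as before
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return True


def attempt(fn, accounts, actor, src_id, dst_id, amount):
    """Run one transfer and report the outcome as a string."""
    try:
        fn(accounts, actor, src_id, dst_id, amount)
        return "accepted"
    except TransferError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for fn in (transfer_trusting_client, transfer_checked):
        accts = sample_accounts()
        print(fn.__name__)
        print("  loan -> savings (one-way source):  ", attempt(fn, accts, "alice", "loan", "savings", 100))
        print("  other -> savings (foreign source): ", attempt(fn, accts, "alice", "other", "savings", 50))
        print("  savings -> loan (normal):          ", attempt(fn, accts, "alice", "savings", "loan", 100))
```

The actor is taken from the authenticated session, never from the request body, and the ownership and entitlement checks run before any balance is touched, so a request that names a hidden or foreign source account fails without side effects.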