Business logic vulnerabilities: Excessive Trust in Client-Side Controls Walkthrough (Apprentice)
Learn how attackers exploit excessive trust in client-side controls to manipulate product prices and bypass business logic using Burp Suite in the PortSwigger Web Security Academy.
Business logic vulnerabilities are among the most dangerous web application security issues because they exploit flaws in how an application processes legitimate user actions rather than traditional coding mistakes. Unlike SQL Injection or Cross-Site Scripting (XSS), these vulnerabilities abuse the application’s intended functionality to achieve unintended outcomes.
In this walkthrough, we’ll solve the Excessive Trust in Client-Side Controls lab from the PortSwigger Web Security Academy. You’ll learn how trusting user-controlled values can allow attackers to manipulate product prices, purchase expensive items for almost nothing, understand the security impact, and implement secure server-side validation.
📌 Lab Information
Difficulty: Apprentice
Category: Business Logic Vulnerabilities
Objective: Purchase the Leather Jacket using only the available store credit by manipulating the client-controlled price value.
🎯 What You’ll Learn
By completing this lab, you’ll learn how to:
✅ Identify business logic vulnerabilities caused by trusting client-side data.
✅ Intercept and modify HTTP requests using Burp Suite.
✅ Manipulate client-controlled parameters to bypass pricing controls.
✅ Understand why client-side validation should never be trusted.
✅ Apply secure server-side validation techniques.
🔍 Understanding the Vulnerability
Client-side controls improve the user experience, but they should never be considered a security mechanism.
In this lab, the application sends the product price as part of the POST request when an item is added to the shopping cart.
Instead of validating the price on the server, the application trusts the value supplied by the client.
This means an attacker can modify the price before the request reaches the server.
The vulnerable parameter is:
priceInstead of using the legitimate value:
133700the attacker changes it to:
1As a result, the application believes the product costs 1 cent.
🎯 Identifying the Attack Surface
When a product is added to the shopping cart, the browser sends a request similar to:
POST /cart HTTP/1.1csrf=<token>&productId=1&quantity=1&redir=CART&price=133700The vulnerable parameter is:
priceSince this value is entirely controlled by the client, it can be intercepted and modified using Burp Suite.
⚙️ How the Vulnerability Occurs
The application incorrectly assumes that users will never modify the request.
Client
│
▼
Adds Product to Cart
│
▼
Intercept Request
│
▼
Modify price Parameter
│
▼
Server Trusts Client Value
│
▼
Product Added at Manipulated PriceThis happens because:
• The server trusts the client-supplied price.
• The application never validates the product price against the database.
• Business logic validation is performed only on the client side.
🚀 Exploitation Steps
Step 1: Log In
Authenticate using the provided credentials.
Username
wienerPassword
peterAfter logging in, browse to the product page.
Step 2: Add the Product to the Cart
Add the Lightweight “l33t” Leather Jacket to your cart.
Intercept the request using Burp Suite Proxy or Repeater.
The original request contains:
price=133700Modify it to:
price=1The modified request becomes:
POST /cart HTTP/1.1csrf=<token>&productId=1&quantity=1&redir=CART&price=1Forward the request.
Step 3: Verify the Cart
Open the shopping cart.
The jacket is now displayed with a price of:
$0.01Instead of:
$1337.00This confirms that the application trusted the manipulated client-side value.
Step 4: Complete the Checkout
Submit the checkout request normally.
The application processes the manipulated cart total without recalculating the price on the server.
Step 5: Confirm the Solution
Once the checkout is complete, the lab displays:
Congratulations, you solved the lab!⚠️ Security Impact
If this vulnerability existed in a production e-commerce application, an attacker could:
• Purchase expensive products at arbitrary prices.
• Bypass payment controls.
• Cause significant financial loss.
• Manipulate discounts and promotional logic.
• Abuse any feature that relies on client-controlled values.
Because the attacker controls the price, the integrity of the entire purchasing process is compromised.
🛡️ Remediation
Developers should follow these security best practices:
✅ Never trust client-supplied pricing information.
✅ Remove the price parameter from client requests.
✅ Always retrieve product prices from the server-side database.
✅ Validate shopping cart totals before processing payment.
✅ Log suspicious pricing anomalies for security monitoring.
The correct workflow should always be:
Client Sends:
Product ID + Quantity
│
▼
Server Retrieves Price
│
▼
Server Calculates Total
│
▼
Payment Processed Using Server Value📖 Key Takeaways
Client-side controls improve usability, not security.
✔ Any value sent by the client can be modified.
✔ Business logic validation must always occur on the server.
✔ Never trust hidden fields, JavaScript variables, or request parameters for security decisions.
✔ Server-side validation is essential to maintain application integrity.
📚 References
PortSwigger Web Security Academy
https://portswigger.net/web-security/logic-flaws
OWASP Top 10
https://owasp.org/www-project-top-ten/
🤝 Connect with Me
If you enjoy practical cybersecurity content and hands-on PortSwigger Web Security Academy walkthroughs, feel free to connect with me.
🌐 Portfolio
https://rahulms.qzz.io/
💻 GitHub
https://github.com/1amrahul
💼 LinkedIn
https://linkedin.com/in/rahul-m-s-372b631a2
If this walkthrough helped you, consider following this publication for more PortSwigger Web Security Academy lab solutions, Burp Suite tutorials, Business Logic Vulnerability guides, and practical Web Application Penetration Testing (VAPT) content.
